redline | 8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825

Analysis

max time kernel
167s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae334f9c06fba1aed1dabd8778cfa184.exe
Size

1.1MB
MD5

ae334f9c06fba1aed1dabd8778cfa184
SHA1

b3f95000480ecce5f5903a489d2bee1dd20d4e9b
SHA256

8746fa4bd81cd03456f129e177c8a3e3201e39a4c185ed5341502e3975751825
SHA512

7b79b7be3c94b070e819240b193024a0105b92a936d95da90b669200b4edd2d5759fbd05917b4cd84ee51dc0f18dd7cafba5de79a78467f68eccdc5f2cf739ce
SSDEEP

24576:WyOXwY91jsb0FSiGMV5I6Kx08hdwYZFBeOxL7k:lOgY91jk0FSC5Ix08hpFBeO

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Signatures

Detects Redline Stealer samples 3 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/1212-155-0x0000000007EF0000-0x0000000008508000-memory.dmp	redline_stealer
behavioral2/memory/1212-160-0x0000000007CE0000-0x0000000007D46000-memory.dmp	redline_stealer
behavioral2/memory/1212-165-0x0000000008BD0000-0x0000000008D92000-memory.dmp	redline_stealer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	l3804040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	l3804040.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	l9947857.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	m7538151.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
1232	y1705132.exe
4328	y5591870.exe
1212	k3040995.exe
736	l3804040.exe
1264	l9947857.exe
4444	oneetx.exe
2844	m7538151.exe
4176	1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	l3804040.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	l3804040.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ae334f9c06fba1aed1dabd8778cfa184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae334f9c06fba1aed1dabd8778cfa184.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1705132.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1705132.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5591870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y5591870.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Windows\\Temp\\1.exe"	m7538151.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 25 IoCs

pid	pid_target	Process	procid_target
3696	1264	WerFault.exe	94
4716	1264	WerFault.exe	94
2188	1264	WerFault.exe	94
2428	1264	WerFault.exe	94
2632	1264	WerFault.exe	94
1484	1264	WerFault.exe	94
3024	1264	WerFault.exe	94
4312	1264	WerFault.exe	94
1820	1264	WerFault.exe	94
4924	1264	WerFault.exe	94
912	4444	WerFault.exe	114
2532	4444	WerFault.exe	114
4504	4444	WerFault.exe	114
3708	4444	WerFault.exe	114
1924	4444	WerFault.exe	114
1904	2844	WerFault.exe	119
3372	4444	WerFault.exe	114
4736	4444	WerFault.exe	114
912	4444	WerFault.exe	114
1932	4444	WerFault.exe	114
2872	4444	WerFault.exe	114
3728	4444	WerFault.exe	114
4828	4444	WerFault.exe	114
4300	4444	WerFault.exe	114
1828	4444	WerFault.exe	114

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1212	k3040995.exe
1212	k3040995.exe
736	l3804040.exe
736	l3804040.exe
4176	1.exe
4176	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	k3040995.exe
Token: SeDebugPrivilege	736	l3804040.exe
Token: SeDebugPrivilege	2844	m7538151.exe
Token: SeDebugPrivilege	4176	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1264	l9947857.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1232	864	ae334f9c06fba1aed1dabd8778cfa184.exe	82
PID 864 wrote to memory of 1232	864	ae334f9c06fba1aed1dabd8778cfa184.exe	82
PID 864 wrote to memory of 1232	864	ae334f9c06fba1aed1dabd8778cfa184.exe	82
PID 1232 wrote to memory of 4328	1232	y1705132.exe	83
PID 1232 wrote to memory of 4328	1232	y1705132.exe	83
PID 1232 wrote to memory of 4328	1232	y1705132.exe	83
PID 4328 wrote to memory of 1212	4328	y5591870.exe	84
PID 4328 wrote to memory of 1212	4328	y5591870.exe	84
PID 4328 wrote to memory of 1212	4328	y5591870.exe	84
PID 4328 wrote to memory of 736	4328	y5591870.exe	93
PID 4328 wrote to memory of 736	4328	y5591870.exe	93
PID 4328 wrote to memory of 736	4328	y5591870.exe	93
PID 1232 wrote to memory of 1264	1232	y1705132.exe	94
PID 1232 wrote to memory of 1264	1232	y1705132.exe	94
PID 1232 wrote to memory of 1264	1232	y1705132.exe	94
PID 1264 wrote to memory of 4444	1264	l9947857.exe	114
PID 1264 wrote to memory of 4444	1264	l9947857.exe	114
PID 1264 wrote to memory of 4444	1264	l9947857.exe	114
PID 864 wrote to memory of 2844	864	ae334f9c06fba1aed1dabd8778cfa184.exe	119
PID 864 wrote to memory of 2844	864	ae334f9c06fba1aed1dabd8778cfa184.exe	119
PID 864 wrote to memory of 2844	864	ae334f9c06fba1aed1dabd8778cfa184.exe	119
PID 2844 wrote to memory of 4176	2844	m7538151.exe	128
PID 2844 wrote to memory of 4176	2844	m7538151.exe	128
PID 2844 wrote to memory of 4176	2844	m7538151.exe	128
PID 4444 wrote to memory of 1648	4444	oneetx.exe	135
PID 4444 wrote to memory of 1648	4444	oneetx.exe	135
PID 4444 wrote to memory of 1648	4444	oneetx.exe	135
PID 4444 wrote to memory of 1676	4444	oneetx.exe	141
PID 4444 wrote to memory of 1676	4444	oneetx.exe	141
PID 4444 wrote to memory of 1676	4444	oneetx.exe	141
PID 1676 wrote to memory of 4344	1676	cmd.exe	145
PID 1676 wrote to memory of 4344	1676	cmd.exe	145
PID 1676 wrote to memory of 4344	1676	cmd.exe	145
PID 1676 wrote to memory of 3856	1676	cmd.exe	146
PID 1676 wrote to memory of 3856	1676	cmd.exe	146
PID 1676 wrote to memory of 3856	1676	cmd.exe	146
PID 1676 wrote to memory of 1708	1676	cmd.exe	147
PID 1676 wrote to memory of 1708	1676	cmd.exe	147
PID 1676 wrote to memory of 1708	1676	cmd.exe	147
PID 1676 wrote to memory of 2836	1676	cmd.exe	148
PID 1676 wrote to memory of 2836	1676	cmd.exe	148
PID 1676 wrote to memory of 2836	1676	cmd.exe	148
PID 1676 wrote to memory of 3872	1676	cmd.exe	149
PID 1676 wrote to memory of 3872	1676	cmd.exe	149
PID 1676 wrote to memory of 3872	1676	cmd.exe	149
PID 1676 wrote to memory of 4872	1676	cmd.exe	150
PID 1676 wrote to memory of 4872	1676	cmd.exe	150
PID 1676 wrote to memory of 4872	1676	cmd.exe	150

C:\Users\Admin\AppData\Local\Temp\ae334f9c06fba1aed1dabd8778cfa184.exe
"C:\Users\Admin\AppData\Local\Temp\ae334f9c06fba1aed1dabd8778cfa184.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:736
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 696
      4⤵
      Program crash
      PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 780
      4⤵
      Program crash
      PID:4716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 808
      4⤵
      Program crash
      PID:2188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 864
      4⤵
      Program crash
      PID:2428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 812
      4⤵
      Program crash
      PID:2632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 812
      4⤵
      Program crash
      PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1216
      4⤵
      Program crash
      PID:3024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1200
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1316
      4⤵
      Program crash
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 692
        5⤵
        Program crash
        
        PID:912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1004
        5⤵
        Program crash
        
        PID:2532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1012
        5⤵
        Program crash
        
        PID:4504
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1104
        5⤵
        Program crash
        
        PID:3708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1112
        5⤵
        Program crash
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1152
        5⤵
        Program crash
        
        PID:3372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1196
        5⤵
        Program crash
        
        PID:4736
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1648
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 992
        5⤵
        Program crash
        
        PID:912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 888
        5⤵
        Program crash
        
        PID:1932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4344
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:3856
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:1708
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2836
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        6⤵
        
        PID:3872
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        6⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 988
        5⤵
        Program crash
        
        PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1012
        5⤵
        Program crash
        
        PID:3728
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 872
        5⤵
        Program crash
        
        PID:4828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 764
        5⤵
        Program crash
        
        PID:4300
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1448
        5⤵
        Program crash
        
        PID:1828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 1364
      4⤵
      Program crash
      PID:4924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Temp\1.exe
    "C:\Windows\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1512
    3⤵
    - Program crash
    PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1264 -ip 1264
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1264 -ip 1264
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1264 -ip 1264
1⤵
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1264 -ip 1264
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1264 -ip 1264
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1264 -ip 1264
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1264 -ip 1264
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1264 -ip 1264
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1264 -ip 1264
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1264 -ip 1264
1⤵
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4444 -ip 4444
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4444 -ip 4444
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4444 -ip 4444
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4444 -ip 4444
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4444 -ip 4444
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2844 -ip 2844
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4444 -ip 4444
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4444 -ip 4444
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4444 -ip 4444
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4444 -ip 4444
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4444 -ip 4444
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4444 -ip 4444
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4444 -ip 4444
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4444 -ip 4444
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4444 -ip 4444
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe

Filesize
547KB

MD5
cfed234ec7fde986e4e952843d8083b1

SHA1
b1ced36683e941b2ef6f49f415304d8a6ceffa03

SHA256
ceefa48e6bbf97b99512aa3a3e6464dbc70a18a00710b058b3764dbd1100b2cf

SHA512
19bb198720a997a31799bc744ba88c854d09942c8ca459c3bdeae4d9692d0d9604c2d90d96534f60b857e759475984f7e59e46a9d23a6c80ba14068788ecfdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m7538151.exe

Filesize
547KB

MD5
cfed234ec7fde986e4e952843d8083b1

SHA1
b1ced36683e941b2ef6f49f415304d8a6ceffa03

SHA256
ceefa48e6bbf97b99512aa3a3e6464dbc70a18a00710b058b3764dbd1100b2cf

SHA512
19bb198720a997a31799bc744ba88c854d09942c8ca459c3bdeae4d9692d0d9604c2d90d96534f60b857e759475984f7e59e46a9d23a6c80ba14068788ecfdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe

Filesize
600KB

MD5
e36e8744b99f68835fa684e1d461b323

SHA1
492f64006580e3ab6bd56cb31c874986bcb61f41

SHA256
1da95d3311672a9670d12176523cf4faf4270bb74b05f87d55cb2bac1033b760

SHA512
6a81879452e34950b93918438f986993b8cc68004da3b0ace14ba19a701971ca544f1611241e65a04f5d5802a5d1e1f454c3afc436fde81867f43f136bb5f3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1705132.exe

Filesize
600KB

MD5
e36e8744b99f68835fa684e1d461b323

SHA1
492f64006580e3ab6bd56cb31c874986bcb61f41

SHA256
1da95d3311672a9670d12176523cf4faf4270bb74b05f87d55cb2bac1033b760

SHA512
6a81879452e34950b93918438f986993b8cc68004da3b0ace14ba19a701971ca544f1611241e65a04f5d5802a5d1e1f454c3afc436fde81867f43f136bb5f3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9947857.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe

Filesize
307KB

MD5
b1fe4ae40617ac9fdfd767d9b065fce6

SHA1
9cfe6b1439ff003e20dcd14e92f58f051447c327

SHA256
5774fa835fcc3910f568c8c4781f7779b02c0ba25869fa1a2140daa081a689fd

SHA512
17b2c2ab84f7cae2746b70671f4aa854fa7695005da419142db717ad6bfa6d0f421c1ace8ac3561d8aa579f7d60fe8c0df030f6e7382ce10600a51dc5da53e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5591870.exe

Filesize
307KB

MD5
b1fe4ae40617ac9fdfd767d9b065fce6

SHA1
9cfe6b1439ff003e20dcd14e92f58f051447c327

SHA256
5774fa835fcc3910f568c8c4781f7779b02c0ba25869fa1a2140daa081a689fd

SHA512
17b2c2ab84f7cae2746b70671f4aa854fa7695005da419142db717ad6bfa6d0f421c1ace8ac3561d8aa579f7d60fe8c0df030f6e7382ce10600a51dc5da53e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe

Filesize
136KB

MD5
0abd2f8bf0c91db73fd56d76e3cb3759

SHA1
b5fc3068efe1f46d2ea6c1e53c96fc6f3ded2a32

SHA256
a791c3387f411ea542ff9922f13f052bb95dd80c1db23c60408598b5f26c8d56

SHA512
6344e4d2b09b608949084d9816d6da89d11cf22fdf9f03f47b4d6380ac38d464fa95bcfe960f4cfc0815a87857d60920c2965232105607f741464026201e1514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3040995.exe

Filesize
136KB

MD5
0abd2f8bf0c91db73fd56d76e3cb3759

SHA1
b5fc3068efe1f46d2ea6c1e53c96fc6f3ded2a32

SHA256
a791c3387f411ea542ff9922f13f052bb95dd80c1db23c60408598b5f26c8d56

SHA512
6344e4d2b09b608949084d9816d6da89d11cf22fdf9f03f47b4d6380ac38d464fa95bcfe960f4cfc0815a87857d60920c2965232105607f741464026201e1514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe

Filesize
175KB

MD5
e95816e8d023dbe6b7434688bc310f69

SHA1
97a31cc9ab3d2d49ed9a99bb4409be07f56b9988

SHA256
624e1f00116c35c1119a5aded16cf1cd3b599fd68e13bc365c69103b4d6cf2d4

SHA512
06b0b57021e972ef0451a55cf720b8baaa51e10ef8c1a49e82b65d28de5643f876c692cc666a671bba7504fd892aea4e696ac20f7b2d3995587817fe21eed8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3804040.exe

Filesize
175KB

MD5
e95816e8d023dbe6b7434688bc310f69

SHA1
97a31cc9ab3d2d49ed9a99bb4409be07f56b9988

SHA256
624e1f00116c35c1119a5aded16cf1cd3b599fd68e13bc365c69103b4d6cf2d4

SHA512
06b0b57021e972ef0451a55cf720b8baaa51e10ef8c1a49e82b65d28de5643f876c692cc666a671bba7504fd892aea4e696ac20f7b2d3995587817fe21eed8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
339KB

MD5
f06896c8eb617ac61b49496564fdf745

SHA1
c8bf13bb16beb18509377c1d124fe68dc2ad670e

SHA256
dee37f27e4963fb5c080e48ae51432f4f36597388badfef425818d3db7359329

SHA512
b7decc9d2ccf9d7a452d0135ef7fcec4b8226edab30ebccca69c4f7de7b64d77cced7240f37bab761d18ebe94e215fb449fe0bbc188c106fa4035e8a0df0ca87

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
C:\Windows\Temp\1.exe

Filesize
136KB

MD5
6b4ad9c773e164effa4804bf294831a7

SHA1
6a0bfcfaf73aff765b7d515f2527773df326f2cc

SHA256
967d69ee61666a88719486692c18ba56a85516035b6b7dacfde589417d3b5c85

SHA512
accbdf423c36f8d688adeccfc683c6ac5ab983f6f5461554a1cdbfcd8dfb9cf29bfe75cdf6755dd70fa5c29f0fda4a2119f468dd0c42d80c8d0b0aee1a2137d8

Download Submit
memory/736-203-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/736-178-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-202-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-204-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/736-205-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/736-173-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/736-174-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/736-175-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-176-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-200-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-180-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-182-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-184-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-186-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-188-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-190-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-192-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-194-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-196-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/736-198-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/1212-167-0x00000000089B0000-0x00000000089CE000-memory.dmp

Filesize
120KB

Download
memory/1212-156-0x0000000007940000-0x0000000007952000-memory.dmp

Filesize
72KB

Download
memory/1212-166-0x00000000098E0000-0x0000000009E0C000-memory.dmp

Filesize
5.2MB

Download
memory/1212-165-0x0000000008BD0000-0x0000000008D92000-memory.dmp

Filesize
1.8MB

Download
memory/1212-164-0x00000000088D0000-0x0000000008946000-memory.dmp

Filesize
472KB

Download
memory/1212-163-0x0000000008E00000-0x00000000093A4000-memory.dmp

Filesize
5.6MB

Download
memory/1212-162-0x00000000087B0000-0x0000000008842000-memory.dmp

Filesize
584KB

Download
memory/1212-157-0x0000000007A70000-0x0000000007B7A000-memory.dmp

Filesize
1.0MB

Download
memory/1212-155-0x0000000007EF0000-0x0000000008508000-memory.dmp

Filesize
6.1MB

Download
memory/1212-168-0x0000000004FC0000-0x0000000005010000-memory.dmp

Filesize
320KB

Download
memory/1212-161-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/1212-160-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1212-159-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/1212-154-0x0000000000AD0000-0x0000000000AF8000-memory.dmp

Filesize
160KB

Download
memory/1212-158-0x00000000079E0000-0x0000000007A1C000-memory.dmp

Filesize
240KB

Download
memory/1264-213-0x0000000000A70000-0x0000000000AA5000-memory.dmp

Filesize
212KB

Download
memory/1264-230-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1264-212-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/1264-211-0x0000000000A70000-0x0000000000AA5000-memory.dmp

Filesize
212KB

Download
memory/2844-243-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-258-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-240-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-244-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2844-246-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2844-247-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-248-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/2844-250-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-252-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-254-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-256-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-242-0x0000000002380000-0x00000000023DC000-memory.dmp

Filesize
368KB

Download
memory/2844-260-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-262-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-264-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-266-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-268-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-270-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-238-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-235-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-236-0x0000000002900000-0x0000000002961000-memory.dmp

Filesize
388KB

Download
memory/2844-2437-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/4176-2438-0x0000000000990000-0x00000000009B8000-memory.dmp

Filesize
160KB

Download
memory/4176-2440-0x0000000007A80000-0x0000000007A90000-memory.dmp

Filesize
64KB

Download