xred | 0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe

Analysis

max time kernel
145s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2025 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
Size

10.9MB
MD5

f7e1cfc6c7f7ff4dd762af36588cda54
SHA1

583e0bfed1a770d4d60fcdb3ed9abe701b7f0f49
SHA256

0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe
SHA512

77f775a2a001a2cbf2146d1c0200f158a7217cf96bc796678b3d1879f0705115239c72c5530cbf930aed57eed18080c7d7dfb784e3d17799f9578cd911530820
SSDEEP

196608:y0I9SsDPwSQZmqFcfpckEi3+9Yq2AyqRZ6VkdLko5pxK13gmli:y0I9HDPwjZ3FAbEdm1qRdlWBgmli

Score

10^/10

xred backdoor discovery persistence upx vmprotect

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	csrss1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\International\Geo\Nation	csrss3.exe

Executes dropped EXE 18 IoCs

pid	Process
388	csrss1.exe
4824	csrss2.exe
4260	svchost.exe
3920	svchost.exe
3092	svchost.exe
1020	._cache_csrss1.exe
2624	Synaptics.exe
3484	csrss3.exe
3180	WinStore.Ap.exe
4300	svchost.exe
1504	svchost.exe
1260	svchost.exe
2644	._cache_Synaptics.exe
1904	._cache_csrss3.exe
5044	WinStore.Ap.exe
3556	svchost.exe
2904	svchost.exe
2900	svchost.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4592-11-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect
behavioral2/memory/4592-12-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect
behavioral2/memory/4592-357-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect
behavioral2/memory/4592-380-0x0000000000400000-0x000000000194F000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	csrss1.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d000000023c07-15.dat	upx
behavioral2/memory/388-16-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/388-18-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/2624-154-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/388-155-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/1020-218-0x0000000002950000-0x000000000295B000-memory.dmp	upx
behavioral2/memory/1020-217-0x0000000002920000-0x000000000293E000-memory.dmp	upx
behavioral2/memory/2644-310-0x00000000026F0000-0x00000000026FB000-memory.dmp	upx
behavioral2/memory/2644-309-0x00000000026D0000-0x00000000026EE000-memory.dmp	upx
behavioral2/memory/2624-382-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/2624-381-0x0000000000400000-0x00000000009E4000-memory.dmp	upx
behavioral2/memory/2624-408-0x0000000000400000-0x00000000009E4000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	csrss2.exe
File opened for modification	C:\Windows\svchost.exe	csrss2.exe
File opened for modification	C:\Windows\svchost.exe	WinStore.Ap.exe
File opened for modification	C:\Windows\svchost.exe	WinStore.Ap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4512	4260	WerFault.exe	83
2352	4300	WerFault.exe	93
3396	3556	WerFault.exe	104
644	1020	WerFault.exe	89
404	2644	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_csrss1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinStore.Ap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_csrss3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	csrss1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	csrss3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1248	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
1020	._cache_csrss1.exe
2644	._cache_Synaptics.exe
1020	._cache_csrss1.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
1020	._cache_csrss1.exe
2644	._cache_Synaptics.exe
2644	._cache_Synaptics.exe
1248	EXCEL.EXE
2644	._cache_Synaptics.exe
1248	EXCEL.EXE
1904	._cache_csrss3.exe
1904	._cache_csrss3.exe
1248	EXCEL.EXE
1248	EXCEL.EXE
1248	EXCEL.EXE
1248	EXCEL.EXE
1248	EXCEL.EXE
1248	EXCEL.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 388	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	81
PID 4592 wrote to memory of 388	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	81
PID 4592 wrote to memory of 388	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	81
PID 4592 wrote to memory of 4824	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	82
PID 4592 wrote to memory of 4824	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	82
PID 4592 wrote to memory of 4824	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	82
PID 4260 wrote to memory of 3920	4260	svchost.exe	84
PID 4260 wrote to memory of 3920	4260	svchost.exe	84
PID 4260 wrote to memory of 3920	4260	svchost.exe	84
PID 4260 wrote to memory of 3092	4260	svchost.exe	85
PID 4260 wrote to memory of 3092	4260	svchost.exe	85
PID 4260 wrote to memory of 3092	4260	svchost.exe	85
PID 388 wrote to memory of 1020	388	csrss1.exe	89
PID 388 wrote to memory of 1020	388	csrss1.exe	89
PID 388 wrote to memory of 1020	388	csrss1.exe	89
PID 388 wrote to memory of 2624	388	csrss1.exe	90
PID 388 wrote to memory of 2624	388	csrss1.exe	90
PID 388 wrote to memory of 2624	388	csrss1.exe	90
PID 4592 wrote to memory of 3484	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	91
PID 4592 wrote to memory of 3484	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	91
PID 4592 wrote to memory of 3484	4592	0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe	91
PID 1020 wrote to memory of 3180	1020	._cache_csrss1.exe	92
PID 1020 wrote to memory of 3180	1020	._cache_csrss1.exe	92
PID 1020 wrote to memory of 3180	1020	._cache_csrss1.exe	92
PID 4300 wrote to memory of 1504	4300	svchost.exe	94
PID 4300 wrote to memory of 1504	4300	svchost.exe	94
PID 4300 wrote to memory of 1504	4300	svchost.exe	94
PID 4300 wrote to memory of 1260	4300	svchost.exe	95
PID 4300 wrote to memory of 1260	4300	svchost.exe	95
PID 4300 wrote to memory of 1260	4300	svchost.exe	95
PID 2624 wrote to memory of 2644	2624	Synaptics.exe	98
PID 2624 wrote to memory of 2644	2624	Synaptics.exe	98
PID 2624 wrote to memory of 2644	2624	Synaptics.exe	98
PID 3484 wrote to memory of 1904	3484	csrss3.exe	101
PID 3484 wrote to memory of 1904	3484	csrss3.exe	101
PID 3484 wrote to memory of 1904	3484	csrss3.exe	101
PID 2644 wrote to memory of 5044	2644	._cache_Synaptics.exe	103
PID 2644 wrote to memory of 5044	2644	._cache_Synaptics.exe	103
PID 2644 wrote to memory of 5044	2644	._cache_Synaptics.exe	103
PID 3556 wrote to memory of 2900	3556	svchost.exe	105
PID 3556 wrote to memory of 2900	3556	svchost.exe	105
PID 3556 wrote to memory of 2900	3556	svchost.exe	105
PID 3556 wrote to memory of 2904	3556	svchost.exe	106
PID 3556 wrote to memory of 2904	3556	svchost.exe	106
PID 3556 wrote to memory of 2904	3556	svchost.exe	106

C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe
"C:\Users\Admin\AppData\Local\Temp\0332f856f89265c4e07f109108afdc3a68effd45a570a1a837c8f7b5b875f4fe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\csrss1.exe
  C:\Users\Admin\AppData\Local\Temp\csrss1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
      C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:3180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1360
      4⤵
      Program crash
      PID:644
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
        
        C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 1360
        5⤵
        Program crash
        
        PID:404
- C:\Users\Admin\AppData\Local\Temp\csrss2.exe
  C:\Users\Admin\AppData\Local\Temp\csrss2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\csrss3.exe
  C:\Users\Admin\AppData\Local\Temp\csrss3.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1904

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 428
  2⤵
  - Program crash
  PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4260 -ip 4260
1⤵
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 376
  2⤵
  - Program crash
  PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4300 -ip 4300
1⤵
PID:840

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 336
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3556 -ip 3556
1⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2644 -ip 2644
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1020 -ip 1020
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_csrss1.exe

Filesize
5.0MB

MD5
044d17f97d75da98e9eb2aa62ec7b75a

SHA1
0115b76acb7424b55252416f5f96dfcbd8575c17

SHA256
d9161c71e9aa4ed4cbe22b6fda94e18c85b43125fc5cee102daa0db5f9b60a34

SHA512
f3e3d0ec861a0ee5aedf45b2d05c0a4de4cece59ce7c848e1294885a22409a8d88ab045c52606a4bd60585d7ac8ec084b200886f518cafb691eb0333385f2200

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_csrss3.exe

Filesize
700KB

MD5
e90eddc4db34ec03b80c552e53b5c69c

SHA1
885cff8c7f6fcc362332dcaec0beadb73ea28eba

SHA256
7e7825184c8bd575fac683ee957fc530100de3399e22d611d12ddf155d62e336

SHA512
3e9fae21e9a528072fc8add9bb3bd8a2f6183fc4375beebe05e4ae0383cfc4619dbd1061737eeea439caea1f9bb81dab1cf9c5b887077024b8d92bb1a5807095

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBE75E00

Filesize
22KB

MD5
9bcee6b4e5ea0a063853898f9ff706fa

SHA1
d642d7e262f7c07cfc370070a88cee0831d5a6fc

SHA256
c915fa48041b332c85a6090a27e53a07fe94bd51bb7c3be20cac24800f261a41

SHA512
8419d5a365c12903856eb5722d8d446ccf2f760abeaa0b7207de3568cfec81608c91f33b6a422b265ca9d20e940ca7c2cb5e65e8f99ec4a7090e087fd1ed0511

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinStore.Ap.exe

Filesize
36KB

MD5
6bcfc02cec27994f21fbd864eab7cced

SHA1
941469f26107f8e5576943b8a6f1338a2a0694b8

SHA256
aac2fcb25f1022e52ca001f655c50e94f59b8cb1447a3a89b31f5b51b1c1cbc3

SHA512
1988fe89ccd35335927ec444b6d0c178d28198f3270bb12bad89fc5a9e70527a5a03b9c7c89330dc7dafc141d2156eb2795288454c74c9a8c8e0abcdd5378fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss1.exe

Filesize
5.1MB

MD5
f33b166aa53dcbdb6ee38dbc041ed51b

SHA1
fd77e28afa1008b7a2d43191fea2a42bbab37df2

SHA256
aa5fe8561ad9325981bd6f514c25b8a15571120638fb37ad6e151b8f4defe135

SHA512
8f3a82e3921796c092c31b1e7aefa15776b277810f5248bb39988af7cb1576aafc974e9046a2defa5f2e959269f4dbcba8244afc67463348afc8c66a675cf619

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss2.exe

Filesize
36KB

MD5
1c47934968624092ab9d889aa6c42f89

SHA1
6371c0b5bf568225e637a9049d3b7b2888e7ec1f

SHA256
ee8f0bab814a672f624ed59f157806229cc194aaf3704aea7f49e6f5fd70c0b0

SHA512
d35c84a17e29d401a563dfa7b9b0c56d3a266a5bdc00dc85ee2e35b44931639c4b1ddd08ef178797144086fa3a09c3daad35340e0c99217f06adfdecc069752c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss3.exe

Filesize
1.4MB

MD5
948ef47cbef691ed14da3dd81fd12d99

SHA1
3d495e706c9456d76d19013cb89ff87c874f2e8e

SHA256
ef700e93e37470b99acbcd35e450bf63f03b19a362d3821350c62abacd6c9d54

SHA512
9f0b5268794f4b168fb6ae0197a1f56acba6d9820f295cc24947354b8cece0dadfca0f5f7967f607f578125de39232a801e17c6f1f14b35288c98c16d6a37d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\lGDT1FqC.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/388-16-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/388-155-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/388-18-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/1020-209-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1020-218-0x0000000002950000-0x000000000295B000-memory.dmp

Filesize
44KB

Download
memory/1020-208-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1020-210-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1020-129-0x0000000010000000-0x0000000010891000-memory.dmp

Filesize
8.6MB

Download
memory/1020-211-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1020-212-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1020-215-0x0000000010000000-0x0000000010891000-memory.dmp

Filesize
8.6MB

Download
memory/1020-213-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1020-217-0x0000000002920000-0x000000000293E000-memory.dmp

Filesize
120KB

Download
memory/1248-297-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1248-295-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1248-303-0x00007FF828A80000-0x00007FF828A90000-memory.dmp

Filesize
64KB

Download
memory/1248-298-0x00007FF828A80000-0x00007FF828A90000-memory.dmp

Filesize
64KB

Download
memory/1248-293-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1248-294-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1248-296-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1904-321-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1904-410-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2624-382-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2624-408-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2624-381-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2624-154-0x0000000000400000-0x00000000009E4000-memory.dmp

Filesize
5.9MB

Download
memory/2644-300-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2644-310-0x00000000026F0000-0x00000000026FB000-memory.dmp

Filesize
44KB

Download
memory/2644-299-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2644-306-0x0000000010000000-0x0000000010891000-memory.dmp

Filesize
8.6MB

Download
memory/2644-305-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2644-304-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2644-302-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2644-301-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2644-309-0x00000000026D0000-0x00000000026EE000-memory.dmp

Filesize
120KB

Download
memory/3484-322-0x0000000000400000-0x0000000000571000-memory.dmp

Filesize
1.4MB

Download
memory/4592-3-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/4592-5-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/4592-4-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/4592-2-0x0000000001C10000-0x0000000001C11000-memory.dmp

Filesize
4KB

Download
memory/4592-6-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/4592-357-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/4592-7-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/4592-370-0x0000000000B3C000-0x0000000000E6B000-memory.dmp

Filesize
3.2MB

Download
memory/4592-380-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/4592-12-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download
memory/4592-1-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

Filesize
4KB

Download
memory/4592-0-0x0000000000B3C000-0x0000000000E6B000-memory.dmp

Filesize
3.2MB

Download
memory/4592-11-0x0000000000400000-0x000000000194F000-memory.dmp

Filesize
21.3MB

Download