amadey | 988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf

Analysis

max time kernel
114s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b89b0313a1d0a4e65bfb1473359484b.exe
Size

1.0MB
MD5

2b89b0313a1d0a4e65bfb1473359484b
SHA1

a0f14ba607856a9ca814290a4a72259cbb1d753b
SHA256

988881d6b5554563391986f4cc019b18e36274597fdb3bd54ef7c5603a516bdf
SHA512

7e0097b4188b8cbf03861b7cd17823ca22225552c49774d29b84c942d06374336a22c68fb62c3ba6c46fa978bd97b8238a19a56695609914f199fd5bbc1ceef4
SSDEEP

24576:Hyv5Q9s+UGZ/nLIyaeCu+MJ6ZB9vJHNBtyWG7Bo9:Sv5ANUGZ/nLjamKB9vJHNLyWGN

Score

10^/10

amadey redline funka kk1 ronur discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Extracted

Family

redline

Botnet

funka

193.233.20.20:4134

Attributes

auth_value
cdb395608d7ec633dce3d2f0c7fb0741

Extracted

Family

amadey

Version

3.67

193.233.20.15/dF30Hn4m/index.php

Extracted

Family

redline

Botnet

kk1

176.113.115.17:4132

Attributes

auth_value
df169d3f7f631272f7c6bd9a1bb603c3

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

iMy25eF.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iMy25eF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iMy25eF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iMy25eF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iMy25eF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	iMy25eF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iMy25eF.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2392-203-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-204-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-206-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-208-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-210-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-212-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-214-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-216-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-218-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-220-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-222-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-224-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-226-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-228-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-230-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-232-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-234-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-236-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral2/memory/2392-1121-0x0000000004C70000-0x0000000004C80000-memory.dmp	family_redline
behavioral2/memory/2392-1122-0x0000000004C70000-0x0000000004C80000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rXl19NM.exemnolyk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	rXl19NM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Executes dropped EXE 11 IoCs

Processes:

sih08nH.exesrR36CI.exestB61Fy.exeiMy25eF.exekJI93AH.exemfi54OW.exenWU70EL.exerXl19NM.exemnolyk.exemnolyk.exemnolyk.exe

pid	process
816	sih08nH.exe
4804	srR36CI.exe
3996	stB61Fy.exe
1744	iMy25eF.exe
2392	kJI93AH.exe
4420	mfi54OW.exe
784	nWU70EL.exe
1056	rXl19NM.exe
1216	mnolyk.exe
3508	mnolyk.exe
4668	mnolyk.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4444 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4444	rundll32.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

iMy25eF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	iMy25eF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	iMy25eF.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sih08nH.exesrR36CI.exestB61Fy.exe2b89b0313a1d0a4e65bfb1473359484b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sih08nH.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	srR36CI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	srR36CI.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	stB61Fy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	stB61Fy.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b89b0313a1d0a4e65bfb1473359484b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b89b0313a1d0a4e65bfb1473359484b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sih08nH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

nWU70EL.exe

description pid process target process

PID 784 set thread context of 1924 784 nWU70EL.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

844 1744 WerFault.exe iMy25eF.exe
2352 2392 WerFault.exe kJI93AH.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1364 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

iMy25eF.exekJI93AH.exemfi54OW.exeAppLaunch.exe

pid process

1744 iMy25eF.exe
1744 iMy25eF.exe
2392 kJI93AH.exe
2392 kJI93AH.exe
4420 mfi54OW.exe
4420 mfi54OW.exe
1924 AppLaunch.exe
1924 AppLaunch.exe

description	pid	process	target process
PID 784 set thread context of 1924	784	nWU70EL.exe	AppLaunch.exe

pid	pid_target	process	target process
844	1744	WerFault.exe	iMy25eF.exe
2352	2392	WerFault.exe	kJI93AH.exe

pid	process
1364	schtasks.exe

pid	process
1744	iMy25eF.exe
1744	iMy25eF.exe
2392	kJI93AH.exe
2392	kJI93AH.exe
4420	mfi54OW.exe
4420	mfi54OW.exe
1924	AppLaunch.exe
1924	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

iMy25eF.exekJI93AH.exemfi54OW.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1744	iMy25eF.exe
Token: SeDebugPrivilege	2392	kJI93AH.exe
Token: SeDebugPrivilege	4420	mfi54OW.exe
Token: SeDebugPrivilege	1924	AppLaunch.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

2b89b0313a1d0a4e65bfb1473359484b.exesih08nH.exesrR36CI.exestB61Fy.exenWU70EL.exerXl19NM.exemnolyk.execmd.exe

description	pid	process	target process
PID 2832 wrote to memory of 816	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	sih08nH.exe
PID 2832 wrote to memory of 816	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	sih08nH.exe
PID 2832 wrote to memory of 816	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	sih08nH.exe
PID 816 wrote to memory of 4804	816	sih08nH.exe	srR36CI.exe
PID 816 wrote to memory of 4804	816	sih08nH.exe	srR36CI.exe
PID 816 wrote to memory of 4804	816	sih08nH.exe	srR36CI.exe
PID 4804 wrote to memory of 3996	4804	srR36CI.exe	stB61Fy.exe
PID 4804 wrote to memory of 3996	4804	srR36CI.exe	stB61Fy.exe
PID 4804 wrote to memory of 3996	4804	srR36CI.exe	stB61Fy.exe
PID 3996 wrote to memory of 1744	3996	stB61Fy.exe	iMy25eF.exe
PID 3996 wrote to memory of 1744	3996	stB61Fy.exe	iMy25eF.exe
PID 3996 wrote to memory of 1744	3996	stB61Fy.exe	iMy25eF.exe
PID 3996 wrote to memory of 2392	3996	stB61Fy.exe	kJI93AH.exe
PID 3996 wrote to memory of 2392	3996	stB61Fy.exe	kJI93AH.exe
PID 3996 wrote to memory of 2392	3996	stB61Fy.exe	kJI93AH.exe
PID 4804 wrote to memory of 4420	4804	srR36CI.exe	mfi54OW.exe
PID 4804 wrote to memory of 4420	4804	srR36CI.exe	mfi54OW.exe
PID 4804 wrote to memory of 4420	4804	srR36CI.exe	mfi54OW.exe
PID 816 wrote to memory of 784	816	sih08nH.exe	nWU70EL.exe
PID 816 wrote to memory of 784	816	sih08nH.exe	nWU70EL.exe
PID 816 wrote to memory of 784	816	sih08nH.exe	nWU70EL.exe
PID 784 wrote to memory of 1924	784	nWU70EL.exe	AppLaunch.exe
PID 784 wrote to memory of 1924	784	nWU70EL.exe	AppLaunch.exe
PID 784 wrote to memory of 1924	784	nWU70EL.exe	AppLaunch.exe
PID 784 wrote to memory of 1924	784	nWU70EL.exe	AppLaunch.exe
PID 784 wrote to memory of 1924	784	nWU70EL.exe	AppLaunch.exe
PID 2832 wrote to memory of 1056	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	rXl19NM.exe
PID 2832 wrote to memory of 1056	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	rXl19NM.exe
PID 2832 wrote to memory of 1056	2832	2b89b0313a1d0a4e65bfb1473359484b.exe	rXl19NM.exe
PID 1056 wrote to memory of 1216	1056	rXl19NM.exe	mnolyk.exe
PID 1056 wrote to memory of 1216	1056	rXl19NM.exe	mnolyk.exe
PID 1056 wrote to memory of 1216	1056	rXl19NM.exe	mnolyk.exe
PID 1216 wrote to memory of 1364	1216	mnolyk.exe	schtasks.exe
PID 1216 wrote to memory of 1364	1216	mnolyk.exe	schtasks.exe
PID 1216 wrote to memory of 1364	1216	mnolyk.exe	schtasks.exe
PID 1216 wrote to memory of 3164	1216	mnolyk.exe	cmd.exe
PID 1216 wrote to memory of 3164	1216	mnolyk.exe	cmd.exe
PID 1216 wrote to memory of 3164	1216	mnolyk.exe	cmd.exe
PID 3164 wrote to memory of 2548	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 2548	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 2548	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 3188	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 3188	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 3188	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 4644	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 4644	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 4644	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 3784	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 3784	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 3784	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 3056	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 3056	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 3056	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 64	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 64	3164	cmd.exe	cacls.exe
PID 3164 wrote to memory of 64	3164	cmd.exe	cacls.exe
PID 1216 wrote to memory of 4444	1216	mnolyk.exe	rundll32.exe
PID 1216 wrote to memory of 4444	1216	mnolyk.exe	rundll32.exe
PID 1216 wrote to memory of 4444	1216	mnolyk.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2b89b0313a1d0a4e65bfb1473359484b.exe
"C:\Users\Admin\AppData\Local\Temp\2b89b0313a1d0a4e65bfb1473359484b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sih08nH.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sih08nH.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srR36CI.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srR36CI.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stB61Fy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stB61Fy.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMy25eF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMy25eF.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 1084
6⤵
- Program crash
PID:844

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJI93AH.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJI93AH.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1972
6⤵
- Program crash
PID:2352

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfi54OW.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfi54OW.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWU70EL.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWU70EL.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rXl19NM.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rXl19NM.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
4⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2548

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
5⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
5⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3784

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:N"
5⤵
PID:3056

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
5⤵
PID:64

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1744 -ip 1744
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2392 -ip 2392
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rXl19NM.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rXl19NM.exe

Filesize
239KB

MD5
0179181b2d4a5bb1346b67a4be5ef57c

SHA1
556750988b21379fd24e18b31e6cf14f36bf9e99

SHA256
0a763637206a70a3ec6707fe5728ea673ae3bc11eb5e059d962e99dcc3991f31

SHA512
1adaab4993ec3d1e32b9cc780ab17b5a6acfe352789aaf2872e91bef738dd5aca3115071ac42a21c4fd19a82a522b515243ebef340249115cfbe6951cb3c9cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sih08nH.exe

Filesize
886KB

MD5
69c2b1ab203cd76efc7d8768b2dbdfde

SHA1
557e157c09be0df238e6c150de4ad7765cc3b817

SHA256
b01a03e5d898e24526b0847a2c67638f39f5720e4681ffe7672a7dbf748829c9

SHA512
39d32974f2652ae0c0ba6041beb20b09ab03dcd6b5b12cc5864ddb92ad1cf00d1b6f8af82e8ef92d53b8a980086a44b9e8be8775bd9899248efbf952f01bcba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sih08nH.exe

Filesize
886KB

MD5
69c2b1ab203cd76efc7d8768b2dbdfde

SHA1
557e157c09be0df238e6c150de4ad7765cc3b817

SHA256
b01a03e5d898e24526b0847a2c67638f39f5720e4681ffe7672a7dbf748829c9

SHA512
39d32974f2652ae0c0ba6041beb20b09ab03dcd6b5b12cc5864ddb92ad1cf00d1b6f8af82e8ef92d53b8a980086a44b9e8be8775bd9899248efbf952f01bcba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWU70EL.exe

Filesize
271KB

MD5
a4d0454fb9c377a8770f883b4e0b4720

SHA1
e27c7ca6c874f1629e1ad3505a3acddab977da9b

SHA256
6ab69ab1f289a34b2283bf5b39d5060f84bd5ec6485bba45a04889a2fefe4892

SHA512
9fedff5d2e5f1add2638e097362376f80422ffb2ca1d8a8ad1040bafcf3ac14aac6ab2e635e714cbd644b9429ee2e0267d12216719b4a5a3f64eb899c2834340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nWU70EL.exe

Filesize
271KB

MD5
a4d0454fb9c377a8770f883b4e0b4720

SHA1
e27c7ca6c874f1629e1ad3505a3acddab977da9b

SHA256
6ab69ab1f289a34b2283bf5b39d5060f84bd5ec6485bba45a04889a2fefe4892

SHA512
9fedff5d2e5f1add2638e097362376f80422ffb2ca1d8a8ad1040bafcf3ac14aac6ab2e635e714cbd644b9429ee2e0267d12216719b4a5a3f64eb899c2834340

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srR36CI.exe

Filesize
652KB

MD5
0fe03992c80109f0f160777e059b5464

SHA1
1fdeee548dac0720232056f93b3dca809b69c82f

SHA256
f66424f360143c71d1fae92ef47fef15a4c0b733b8d8f2079a2f3e99ead6f265

SHA512
ac5237d59d5fd51842bc681b53e9c7f20ecd52de1da33b2f6e3d539bba1b4f6e551ab329a41e70a2b8061848cef3e8f4008cd5ed9438a430e697b74e2498765f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srR36CI.exe

Filesize
652KB

MD5
0fe03992c80109f0f160777e059b5464

SHA1
1fdeee548dac0720232056f93b3dca809b69c82f

SHA256
f66424f360143c71d1fae92ef47fef15a4c0b733b8d8f2079a2f3e99ead6f265

SHA512
ac5237d59d5fd51842bc681b53e9c7f20ecd52de1da33b2f6e3d539bba1b4f6e551ab329a41e70a2b8061848cef3e8f4008cd5ed9438a430e697b74e2498765f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfi54OW.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mfi54OW.exe

Filesize
175KB

MD5
2ca336ffac2e58e59bf4ba497e146fd7

SHA1
ab8ebd53709abd15fd7d1df9dd91cbfbecb3ef14

SHA256
8a07fc51578589686a864b2d74ac3c1b02a9ceee8f8a20d432832228d9665459

SHA512
3a42bf9db2ec8fb1851a61e81d93a3a92765036f5aa768a228f8b6988de18a03259e1886c6d87c3549163e8a6c73b69479a3c35f49a87d332a37718d928c5d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stB61Fy.exe

Filesize
507KB

MD5
ee9587fb363ab4e572d8e73811828761

SHA1
6b48d4c32b2c42b835b56525194e2556ba9040a7

SHA256
6ec91872aef31483a572a2c73c9592d75019a61995abdb6bd9d604433ea1d4c6

SHA512
8fd8fe5e41a6c5c31d6e4d9a23988600a15282be5fa7b39ffb82556b86110e6692294e095fc5cf84dc5ffe6df79a166a3a0f69d7eec600593bed59aea90fadfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\stB61Fy.exe

Filesize
507KB

MD5
ee9587fb363ab4e572d8e73811828761

SHA1
6b48d4c32b2c42b835b56525194e2556ba9040a7

SHA256
6ec91872aef31483a572a2c73c9592d75019a61995abdb6bd9d604433ea1d4c6

SHA512
8fd8fe5e41a6c5c31d6e4d9a23988600a15282be5fa7b39ffb82556b86110e6692294e095fc5cf84dc5ffe6df79a166a3a0f69d7eec600593bed59aea90fadfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMy25eF.exe

Filesize
208KB

MD5
6d9ce22445ea63a84dfb10690ebc7ced

SHA1
f26d24cdb278ba5e102d990f996ccc380ed7970b

SHA256
4f4e5d9e73183407553c7e67288679bf83c80a2054a9c342e80489d7319c2a2c

SHA512
35f7189ae6aee1c4d11344bd94b8b6cf3933274140f6f37a32355b05b158f42bf3da5a0cf35ba5dcf62c09ccaa433f0e7da2f5da24ab1e5a7ab339cd6099b343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMy25eF.exe

Filesize
208KB

MD5
6d9ce22445ea63a84dfb10690ebc7ced

SHA1
f26d24cdb278ba5e102d990f996ccc380ed7970b

SHA256
4f4e5d9e73183407553c7e67288679bf83c80a2054a9c342e80489d7319c2a2c

SHA512
35f7189ae6aee1c4d11344bd94b8b6cf3933274140f6f37a32355b05b158f42bf3da5a0cf35ba5dcf62c09ccaa433f0e7da2f5da24ab1e5a7ab339cd6099b343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJI93AH.exe

Filesize
267KB

MD5
b097e9e8ba00491672d7c588f5a1dc6c

SHA1
ca40fc57327e159e7f9ab633c492191896a2db6d

SHA256
ea09554bb47d16149144d42b26d9022cdbe753b6026626ebd3ba99be8511777d

SHA512
b9f75414a3b2ab352ca98d78f25e9c5715af6c37eb41b543c8d191c0c799ee4d482b962774b1f31dce340d780c49fa7b262da30e7e692bbb7fa98bbbac26dd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJI93AH.exe

Filesize
267KB

MD5
b097e9e8ba00491672d7c588f5a1dc6c

SHA1
ca40fc57327e159e7f9ab633c492191896a2db6d

SHA256
ea09554bb47d16149144d42b26d9022cdbe753b6026626ebd3ba99be8511777d

SHA512
b9f75414a3b2ab352ca98d78f25e9c5715af6c37eb41b543c8d191c0c799ee4d482b962774b1f31dce340d780c49fa7b262da30e7e692bbb7fa98bbbac26dd63

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
937b902b8ad05afb922313d2341143f4

SHA1
b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1

SHA256
f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849

SHA512
91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1744-179-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-188-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-177-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-185-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1744-175-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-190-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-192-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-173-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-195-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1744-197-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1744-198-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/1744-181-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-187-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1744-184-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-194-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-183-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1744-171-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-169-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-167-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-165-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-162-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/1744-164-0x0000000002440000-0x0000000002452000-memory.dmp

Filesize
72KB

Download
memory/1744-163-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/1924-1149-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1924-1156-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/2392-218-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-1125-0x0000000006900000-0x0000000006950000-memory.dmp

Filesize
320KB

Download
memory/2392-234-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-236-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-622-0x00000000021D0000-0x000000000221B000-memory.dmp

Filesize
300KB

Download
memory/2392-625-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-627-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-629-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1113-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/2392-1114-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/2392-1115-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/2392-1116-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/2392-1117-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1118-0x0000000005DC0000-0x0000000005E52000-memory.dmp

Filesize
584KB

Download
memory/2392-1120-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/2392-1121-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1122-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1123-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1124-0x0000000006860000-0x00000000068D6000-memory.dmp

Filesize
472KB

Download
memory/2392-232-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-1126-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2392-1127-0x0000000007C40000-0x0000000007E02000-memory.dmp

Filesize
1.8MB

Download
memory/2392-1128-0x0000000007E10000-0x000000000833C000-memory.dmp

Filesize
5.2MB

Download
memory/2392-203-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-230-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-228-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-226-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-224-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-222-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-220-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-216-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-214-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-212-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-210-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-208-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-206-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/2392-204-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4420-1134-0x0000000000030000-0x0000000000062000-memory.dmp

Filesize
200KB

Download
memory/4420-1135-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download