Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 23:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    323KB

  • MD5

    d915386b9f157bed5fb89d1fa6fa6814

  • SHA1

    1a62d4df4127ed31070e49ad00797b886b56eb98

  • SHA256

    15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

  • SHA512

    483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

  • SSDEEP

    6144:NNONJMM5+mcXt9ACfqadlJWzOPlQyJETGquGwwqVva:7ONJMi+mcXsCiazPwyqOz8

Score
10/10
amadeyredline7evasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.68

C2

88.218.60.230/7vzZwkv2/index.php

Extracted

Family

redline

Botnet

7

C2

89.22.237.107:44745

Attributes
  • auth_value

    9fb4a4a8b5764119b91a5d9c6a94b401

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 40 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 896
      2⤵
      • Program crash
      PID:3604
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 912
      2⤵
      • Program crash
      PID:4732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1096
      2⤵
      • Program crash
      PID:5016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1128
      2⤵
      • Program crash
      PID:1272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1136
      2⤵
      • Program crash
      PID:772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1168
      2⤵
      • Program crash
      PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1112
      2⤵
      • Program crash
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 584
        3⤵
        • Program crash
        PID:4440
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 736
        3⤵
        • Program crash
        PID:4756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 736
        3⤵
        • Program crash
        PID:588
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 952
        3⤵
        • Program crash
        PID:4168
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 948
        3⤵
        • Program crash
        PID:4544
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 988
        3⤵
        • Program crash
        PID:4788
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 948
        3⤵
        • Program crash
        PID:676
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:4268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 892
        3⤵
        • Program crash
        PID:784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 668
        3⤵
        • Program crash
        PID:3568
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a7fa1426ba" /P "Admin:N"&&CACLS "..\a7fa1426ba" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:5088
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "oneetx.exe" /P "Admin:N"
            4⤵
              PID:3204
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E
              4⤵
                PID:4196
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:228
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\a7fa1426ba" /P "Admin:N"
                  4⤵
                    PID:1908
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\a7fa1426ba" /P "Admin:R" /E
                    4⤵
                      PID:1256
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1168
                    3⤵
                    • Program crash
                    PID:4012
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1144
                    3⤵
                    • Program crash
                    PID:4228
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 800
                    3⤵
                    • Program crash
                    PID:2428
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 780
                    3⤵
                    • Program crash
                    PID:1220
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1332
                    3⤵
                    • Program crash
                    PID:1668
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1744
                    3⤵
                    • Program crash
                    PID:2996
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1760
                    3⤵
                    • Program crash
                    PID:1980
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1816
                    3⤵
                    • Program crash
                    PID:2272
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1788
                    3⤵
                    • Program crash
                    PID:3304
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1812
                    3⤵
                    • Program crash
                    PID:4344
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1788
                    3⤵
                    • Program crash
                    PID:4620
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1860
                    3⤵
                    • Program crash
                    PID:1452
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 1868
                    3⤵
                    • Program crash
                    PID:4584
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2072
                    3⤵
                    • Program crash
                    PID:1924
                  • C:\Users\Admin\AppData\Local\Temp\1000037001\7.exe
                    "C:\Users\Admin\AppData\Local\Temp\1000037001\7.exe"
                    3⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:5028
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2224
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2172
                    3⤵
                    • Program crash
                    PID:1876
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2036
                    3⤵
                    • Program crash
                    PID:3056
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 980
                    3⤵
                    • Program crash
                    PID:4904
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 996
                    3⤵
                    • Program crash
                    PID:2768
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll, Main
                    3⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:4104
                    • C:\Windows\system32\rundll32.exe
                      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll, Main
                      4⤵
                      • Loads dropped DLL
                      PID:2304
                      • C:\Windows\system32\WerFault.exe
                        C:\Windows\system32\WerFault.exe -u -p 2304 -s 648
                        5⤵
                        • Program crash
                        PID:4884
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\clip64.dll, Main
                    3⤵
                    • Loads dropped DLL
                    PID:1968
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2180
                    3⤵
                    • Program crash
                    PID:2840
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2260
                    3⤵
                    • Program crash
                    PID:4624
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1248
                  2⤵
                  • Program crash
                  PID:892
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5028 -ip 5028
                1⤵
                  PID:1912
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5028 -ip 5028
                  1⤵
                    PID:1436
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5028 -ip 5028
                    1⤵
                      PID:220
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 5028
                      1⤵
                        PID:5064
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5028 -ip 5028
                        1⤵
                          PID:1848
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5028 -ip 5028
                          1⤵
                            PID:1860
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5028 -ip 5028
                            1⤵
                              PID:2192
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5028 -ip 5028
                              1⤵
                                PID:672
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4060 -ip 4060
                                1⤵
                                  PID:4480
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4060 -ip 4060
                                  1⤵
                                    PID:528
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4060 -ip 4060
                                    1⤵
                                      PID:3576
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4060 -ip 4060
                                      1⤵
                                        PID:3572
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4060 -ip 4060
                                        1⤵
                                          PID:3904
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4060 -ip 4060
                                          1⤵
                                            PID:2880
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4060 -ip 4060
                                            1⤵
                                              PID:1884
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4060 -ip 4060
                                              1⤵
                                                PID:4200
                                              • C:\Windows\SysWOW64\WerFault.exe
                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4060 -ip 4060
                                                1⤵
                                                  PID:4580
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4060 -ip 4060
                                                  1⤵
                                                    PID:2580
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4060 -ip 4060
                                                    1⤵
                                                      PID:2504
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4060 -ip 4060
                                                      1⤵
                                                        PID:636
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4060 -ip 4060
                                                        1⤵
                                                          PID:2596
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4060 -ip 4060
                                                          1⤵
                                                            PID:4368
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4060 -ip 4060
                                                            1⤵
                                                              PID:2040
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4060 -ip 4060
                                                              1⤵
                                                                PID:3772
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4060 -ip 4060
                                                                1⤵
                                                                  PID:1532
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4060 -ip 4060
                                                                  1⤵
                                                                    PID:3932
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4060 -ip 4060
                                                                    1⤵
                                                                      PID:5064
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4060 -ip 4060
                                                                      1⤵
                                                                        PID:2348
                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4060 -ip 4060
                                                                        1⤵
                                                                          PID:4624
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4060 -ip 4060
                                                                          1⤵
                                                                            PID:3860
                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4060 -ip 4060
                                                                            1⤵
                                                                              PID:4116
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4060 -ip 4060
                                                                              1⤵
                                                                                PID:2516
                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4060 -ip 4060
                                                                                1⤵
                                                                                  PID:2684
                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4060 -ip 4060
                                                                                  1⤵
                                                                                    PID:4780
                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4060 -ip 4060
                                                                                    1⤵
                                                                                      PID:3576
                                                                                    • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                      1⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:4836
                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 312
                                                                                        2⤵
                                                                                        • Program crash
                                                                                        PID:3964
                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4060 -ip 4060
                                                                                      1⤵
                                                                                        PID:944
                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                        C:\Windows\system32\WerFault.exe -pss -s 656 -p 2304 -ip 2304
                                                                                        1⤵
                                                                                          PID:1676
                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4836 -ip 4836
                                                                                          1⤵
                                                                                            PID:3592
                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4060 -ip 4060
                                                                                            1⤵
                                                                                              PID:5060
                                                                                            • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                              1⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:3564
                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 320
                                                                                                2⤵
                                                                                                • Program crash
                                                                                                PID:5024
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3564 -ip 3564
                                                                                              1⤵
                                                                                                PID:4268

                                                                                              Network

                                                                                              MITRE ATT&CK Matrix ATT&CK v6

                                                                                              Initial Access

                                                                                              Execution

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053

                                                                                              Persistence

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053

                                                                                              Privilege Escalation

                                                                                              Scheduled Task

                                                                                              1
                                                                                              T1053

                                                                                              Defense Evasion

                                                                                              Virtualization/Sandbox Evasion

                                                                                              2
                                                                                              T1497

                                                                                              Credential Access

                                                                                              Credentials in Files

                                                                                              2
                                                                                              T1081

                                                                                              Discovery

                                                                                              Query Registry

                                                                                              4
                                                                                              T1012

                                                                                              Virtualization/Sandbox Evasion

                                                                                              2
                                                                                              T1497

                                                                                              System Information Discovery

                                                                                              3
                                                                                              T1082

                                                                                              Lateral Movement

                                                                                              Collection

                                                                                              Data from Local System

                                                                                              2
                                                                                              T1005

                                                                                              Exfiltration

                                                                                              Command and Control

                                                                                              Web Service

                                                                                              1
                                                                                              T1102

                                                                                              Impact

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000037001\7.exe
                                                                                                Filesize

                                                                                                2.6MB

                                                                                                MD5

                                                                                                aa1340e6de19d9206466a3e46505637a

                                                                                                SHA1

                                                                                                cf2c701eaa0b3d4bb9ee758fe0070a5fdea4f199

                                                                                                SHA256

                                                                                                41d1e68ca8ce71c9900d8e02c93a9e23a1f7ae02aec9b3b61b39fc410262fdad

                                                                                                SHA512

                                                                                                d63ba471591e20cd9d8cd3467ecb7979f262444550288d07b2027ab67fb9147848ce60098a2cd0606e5ba01315e8339abd2a9ebbd014fc446822b3b184f10e90

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000037001\7.exe
                                                                                                Filesize

                                                                                                2.6MB

                                                                                                MD5

                                                                                                aa1340e6de19d9206466a3e46505637a

                                                                                                SHA1

                                                                                                cf2c701eaa0b3d4bb9ee758fe0070a5fdea4f199

                                                                                                SHA256

                                                                                                41d1e68ca8ce71c9900d8e02c93a9e23a1f7ae02aec9b3b61b39fc410262fdad

                                                                                                SHA512

                                                                                                d63ba471591e20cd9d8cd3467ecb7979f262444550288d07b2027ab67fb9147848ce60098a2cd0606e5ba01315e8339abd2a9ebbd014fc446822b3b184f10e90

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\1000037001\7.exe
                                                                                                Filesize

                                                                                                2.6MB

                                                                                                MD5

                                                                                                aa1340e6de19d9206466a3e46505637a

                                                                                                SHA1

                                                                                                cf2c701eaa0b3d4bb9ee758fe0070a5fdea4f199

                                                                                                SHA256

                                                                                                41d1e68ca8ce71c9900d8e02c93a9e23a1f7ae02aec9b3b61b39fc410262fdad

                                                                                                SHA512

                                                                                                d63ba471591e20cd9d8cd3467ecb7979f262444550288d07b2027ab67fb9147848ce60098a2cd0606e5ba01315e8339abd2a9ebbd014fc446822b3b184f10e90

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                                Filesize

                                                                                                323KB

                                                                                                MD5

                                                                                                d915386b9f157bed5fb89d1fa6fa6814

                                                                                                SHA1

                                                                                                1a62d4df4127ed31070e49ad00797b886b56eb98

                                                                                                SHA256

                                                                                                15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

                                                                                                SHA512

                                                                                                483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                                Filesize

                                                                                                323KB

                                                                                                MD5

                                                                                                d915386b9f157bed5fb89d1fa6fa6814

                                                                                                SHA1

                                                                                                1a62d4df4127ed31070e49ad00797b886b56eb98

                                                                                                SHA256

                                                                                                15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

                                                                                                SHA512

                                                                                                483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                                Filesize

                                                                                                323KB

                                                                                                MD5

                                                                                                d915386b9f157bed5fb89d1fa6fa6814

                                                                                                SHA1

                                                                                                1a62d4df4127ed31070e49ad00797b886b56eb98

                                                                                                SHA256

                                                                                                15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

                                                                                                SHA512

                                                                                                483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                                Filesize

                                                                                                323KB

                                                                                                MD5

                                                                                                d915386b9f157bed5fb89d1fa6fa6814

                                                                                                SHA1

                                                                                                1a62d4df4127ed31070e49ad00797b886b56eb98

                                                                                                SHA256

                                                                                                15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

                                                                                                SHA512

                                                                                                483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Local\Temp\a7fa1426ba\oneetx.exe
                                                                                                Filesize

                                                                                                323KB

                                                                                                MD5

                                                                                                d915386b9f157bed5fb89d1fa6fa6814

                                                                                                SHA1

                                                                                                1a62d4df4127ed31070e49ad00797b886b56eb98

                                                                                                SHA256

                                                                                                15e5d0f3035ddeb19ab45120c125c41d02a4317757d8a67c8545a31826d4b5a9

                                                                                                SHA512

                                                                                                483ceb075b4d42f405cd73797061821a8980c01b64d5d11321f8ee2bded708a9f4c7e081d1dfd407ffeea75d67e6a12a902cd27a4fd1bb1946bb5e2b8fcefacd

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\clip64.dll
                                                                                                Filesize

                                                                                                89KB

                                                                                                MD5

                                                                                                bbf1ad7a265522ec74752391dc461a7f

                                                                                                SHA1

                                                                                                884822fed00eb47b86009d468536a48774f15151

                                                                                                SHA256

                                                                                                b89981371e7ac4c1f9dfb4be56158d769a8b2d3dfeb7168df57b51e2d2e6df06

                                                                                                SHA512

                                                                                                44fdfcc1b2d18019b72867b7af5fc7a2935a84fc414b3c26d4d5f959b9a64b948303ceae4d4977d41a4685897fb7919221a8a0de9c3f916c13810a47ed24f1ed

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\clip64.dll
                                                                                                Filesize

                                                                                                89KB

                                                                                                MD5

                                                                                                bbf1ad7a265522ec74752391dc461a7f

                                                                                                SHA1

                                                                                                884822fed00eb47b86009d468536a48774f15151

                                                                                                SHA256

                                                                                                b89981371e7ac4c1f9dfb4be56158d769a8b2d3dfeb7168df57b51e2d2e6df06

                                                                                                SHA512

                                                                                                44fdfcc1b2d18019b72867b7af5fc7a2935a84fc414b3c26d4d5f959b9a64b948303ceae4d4977d41a4685897fb7919221a8a0de9c3f916c13810a47ed24f1ed

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\clip64.dll
                                                                                                Filesize

                                                                                                89KB

                                                                                                MD5

                                                                                                bbf1ad7a265522ec74752391dc461a7f

                                                                                                SHA1

                                                                                                884822fed00eb47b86009d468536a48774f15151

                                                                                                SHA256

                                                                                                b89981371e7ac4c1f9dfb4be56158d769a8b2d3dfeb7168df57b51e2d2e6df06

                                                                                                SHA512

                                                                                                44fdfcc1b2d18019b72867b7af5fc7a2935a84fc414b3c26d4d5f959b9a64b948303ceae4d4977d41a4685897fb7919221a8a0de9c3f916c13810a47ed24f1ed

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll
                                                                                                Filesize

                                                                                                1.0MB

                                                                                                MD5

                                                                                                9ec3ce277f1d46b821f83afbc099f5d0

                                                                                                SHA1

                                                                                                4157370f34a1e24674555376ad14e9a59c49e1b4

                                                                                                SHA256

                                                                                                6ebb4b08f0add9dfb5edcaa0160c0be0685832eb5d5b51c344a4dc82f0230082

                                                                                                SHA512

                                                                                                24f25463f472bfdd6222bd34006a8662703288a4f8ee8a6c91de3df2fdcb6286d7bb3e58d33986c461cbebbb806af3ece80b752fc4b958c6d8528727d80db1a4

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll
                                                                                                Filesize

                                                                                                1.0MB

                                                                                                MD5

                                                                                                9ec3ce277f1d46b821f83afbc099f5d0

                                                                                                SHA1

                                                                                                4157370f34a1e24674555376ad14e9a59c49e1b4

                                                                                                SHA256

                                                                                                6ebb4b08f0add9dfb5edcaa0160c0be0685832eb5d5b51c344a4dc82f0230082

                                                                                                SHA512

                                                                                                24f25463f472bfdd6222bd34006a8662703288a4f8ee8a6c91de3df2fdcb6286d7bb3e58d33986c461cbebbb806af3ece80b752fc4b958c6d8528727d80db1a4

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll
                                                                                                Filesize

                                                                                                1.0MB

                                                                                                MD5

                                                                                                9ec3ce277f1d46b821f83afbc099f5d0

                                                                                                SHA1

                                                                                                4157370f34a1e24674555376ad14e9a59c49e1b4

                                                                                                SHA256

                                                                                                6ebb4b08f0add9dfb5edcaa0160c0be0685832eb5d5b51c344a4dc82f0230082

                                                                                                SHA512

                                                                                                24f25463f472bfdd6222bd34006a8662703288a4f8ee8a6c91de3df2fdcb6286d7bb3e58d33986c461cbebbb806af3ece80b752fc4b958c6d8528727d80db1a4

                                                                                                Download Submit
                                                                                              • C:\Users\Admin\AppData\Roaming\eac7b2a78f3eb6\cred64.dll
                                                                                                Filesize

                                                                                                1.0MB

                                                                                                MD5

                                                                                                9ec3ce277f1d46b821f83afbc099f5d0

                                                                                                SHA1

                                                                                                4157370f34a1e24674555376ad14e9a59c49e1b4

                                                                                                SHA256

                                                                                                6ebb4b08f0add9dfb5edcaa0160c0be0685832eb5d5b51c344a4dc82f0230082

                                                                                                SHA512

                                                                                                24f25463f472bfdd6222bd34006a8662703288a4f8ee8a6c91de3df2fdcb6286d7bb3e58d33986c461cbebbb806af3ece80b752fc4b958c6d8528727d80db1a4

                                                                                                Download Submit
                                                                                              • memory/2224-190-0x0000000004CE0000-0x0000000004D1C000-memory.dmp
                                                                                                Filesize

                                                                                                240KB

                                                                                                Download
                                                                                              • memory/2224-199-0x0000000007E90000-0x00000000083BC000-memory.dmp
                                                                                                Filesize

                                                                                                5.2MB

                                                                                                Download
                                                                                              • memory/2224-187-0x00000000051E0000-0x00000000057F8000-memory.dmp
                                                                                                Filesize

                                                                                                6.1MB

                                                                                                Download
                                                                                              • memory/2224-188-0x0000000004D50000-0x0000000004E5A000-memory.dmp
                                                                                                Filesize

                                                                                                1.0MB

                                                                                                Download
                                                                                              • memory/2224-189-0x0000000004C80000-0x0000000004C92000-memory.dmp
                                                                                                Filesize

                                                                                                72KB

                                                                                                Download
                                                                                              • memory/2224-181-0x0000000000350000-0x0000000000382000-memory.dmp
                                                                                                Filesize

                                                                                                200KB

                                                                                                Download
                                                                                              • memory/2224-198-0x0000000007790000-0x0000000007952000-memory.dmp
                                                                                                Filesize

                                                                                                1.8MB

                                                                                                Download
                                                                                              • memory/2224-192-0x0000000004D20000-0x0000000004D30000-memory.dmp
                                                                                                Filesize

                                                                                                64KB

                                                                                                Download
                                                                                              • memory/2224-193-0x0000000005DB0000-0x0000000006354000-memory.dmp
                                                                                                Filesize

                                                                                                5.6MB

                                                                                                Download
                                                                                              • memory/2224-194-0x0000000005800000-0x0000000005892000-memory.dmp
                                                                                                Filesize

                                                                                                584KB

                                                                                                Download
                                                                                              • memory/2224-195-0x0000000005130000-0x0000000005196000-memory.dmp
                                                                                                Filesize

                                                                                                408KB

                                                                                                Download
                                                                                              • memory/2224-197-0x0000000004D20000-0x0000000004D30000-memory.dmp
                                                                                                Filesize

                                                                                                64KB

                                                                                                Download
                                                                                              • memory/3564-237-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/4060-146-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/4060-191-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/4060-227-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/4836-229-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/5028-179-0x0000000004A90000-0x0000000004A92000-memory.dmp
                                                                                                Filesize

                                                                                                8KB

                                                                                                Download
                                                                                              • memory/5028-178-0x0000000004AB0000-0x0000000004AB1000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/5028-177-0x0000000004A70000-0x0000000004A71000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/5028-175-0x0000000000400000-0x00000000009E0000-memory.dmp
                                                                                                Filesize

                                                                                                5.9MB

                                                                                                Download
                                                                                              • memory/5028-176-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/5028-180-0x0000000004A80000-0x0000000004A81000-memory.dmp
                                                                                                Filesize

                                                                                                4KB

                                                                                                Download
                                                                                              • memory/5028-136-0x0000000002CC0000-0x0000000002CFC000-memory.dmp
                                                                                                Filesize

                                                                                                240KB

                                                                                                Download
                                                                                              • memory/5028-144-0x0000000000400000-0x0000000002B7E000-memory.dmp
                                                                                                Filesize

                                                                                                39.5MB

                                                                                                Download
                                                                                              • memory/5028-186-0x0000000000400000-0x00000000009E0000-memory.dmp
                                                                                                Filesize

                                                                                                5.9MB

                                                                                                Download