amadey | 6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83

Analysis

max time kernel
65s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe
Size

1000KB
MD5

30d419adf9a10471fa407065e3bbbb91
SHA1

5ad5e9490a15f543272fb463bbe3879f4cd32181
SHA256

6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83
SHA512

648814a79b7a7bd52c57f6612d855aa1f5d092d6b298a8b1e218c9aba50ce98f6202e17f5b7f5065387af0f48e0d7f4cc042c65e3a4991713263da2ac4a8f063
SSDEEP

24576:hyrAnm2Ptqth15SrjZvneOjaaroSq5zPclK1T96a:UrAnXcFSvZv1KT

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz1617.exev4948mT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v4948mT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v4948mT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v4948mT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v4948mT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v4948mT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v4948mT.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2584-214-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-217-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-215-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-219-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-221-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-223-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-225-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-227-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-229-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-231-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-233-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-235-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-237-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-239-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-241-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-243-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-245-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline
behavioral1/memory/2584-247-0x0000000002610000-0x000000000264F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y46MZ50.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	y46MZ50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

Processes:

zap0981.exezap6814.exezap6402.exetz1617.exev4948mT.exew66Ce90.exexoytC16.exey46MZ50.exeoneetx.exesvhosts.exe

pid	process
5032	zap0981.exe
820	zap6814.exe
3144	zap6402.exe
1388	tz1617.exe
1420	v4948mT.exe
2584	w66Ce90.exe
3952	xoytC16.exe
5112	y46MZ50.exe
4080	oneetx.exe
3624	svhosts.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v4948mT.exetz1617.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v4948mT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v4948mT.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap6402.exe6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exezap0981.exezap6814.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6402.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6402.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap0981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6814.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2836 1420 WerFault.exe v4948mT.exe
2236 2584 WerFault.exe w66Ce90.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4192 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1617.exev4948mT.exew66Ce90.exexoytC16.exe

pid process

1388 tz1617.exe
1388 tz1617.exe
1420 v4948mT.exe
1420 v4948mT.exe
2584 w66Ce90.exe
2584 w66Ce90.exe
3952 xoytC16.exe
3952 xoytC16.exe

pid	pid_target	process	target process
2836	1420	WerFault.exe	v4948mT.exe
2236	2584	WerFault.exe	w66Ce90.exe

pid	process
4192	schtasks.exe

pid	process
1388	tz1617.exe
1388	tz1617.exe
1420	v4948mT.exe
1420	v4948mT.exe
2584	w66Ce90.exe
2584	w66Ce90.exe
3952	xoytC16.exe
3952	xoytC16.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1617.exev4948mT.exew66Ce90.exexoytC16.exe

description	pid	process
Token: SeDebugPrivilege	1388	tz1617.exe
Token: SeDebugPrivilege	1420	v4948mT.exe
Token: SeDebugPrivilege	2584	w66Ce90.exe
Token: SeDebugPrivilege	3952	xoytC16.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y46MZ50.exe

pid process

5112 y46MZ50.exe

pid	process
5112	y46MZ50.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exezap0981.exezap6814.exezap6402.exey46MZ50.exeoneetx.execmd.exe

description	pid	process	target process
PID 3596 wrote to memory of 5032	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	zap0981.exe
PID 3596 wrote to memory of 5032	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	zap0981.exe
PID 3596 wrote to memory of 5032	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	zap0981.exe
PID 5032 wrote to memory of 820	5032	zap0981.exe	zap6814.exe
PID 5032 wrote to memory of 820	5032	zap0981.exe	zap6814.exe
PID 5032 wrote to memory of 820	5032	zap0981.exe	zap6814.exe
PID 820 wrote to memory of 3144	820	zap6814.exe	zap6402.exe
PID 820 wrote to memory of 3144	820	zap6814.exe	zap6402.exe
PID 820 wrote to memory of 3144	820	zap6814.exe	zap6402.exe
PID 3144 wrote to memory of 1388	3144	zap6402.exe	tz1617.exe
PID 3144 wrote to memory of 1388	3144	zap6402.exe	tz1617.exe
PID 3144 wrote to memory of 1420	3144	zap6402.exe	v4948mT.exe
PID 3144 wrote to memory of 1420	3144	zap6402.exe	v4948mT.exe
PID 3144 wrote to memory of 1420	3144	zap6402.exe	v4948mT.exe
PID 820 wrote to memory of 2584	820	zap6814.exe	w66Ce90.exe
PID 820 wrote to memory of 2584	820	zap6814.exe	w66Ce90.exe
PID 820 wrote to memory of 2584	820	zap6814.exe	w66Ce90.exe
PID 5032 wrote to memory of 3952	5032	zap0981.exe	xoytC16.exe
PID 5032 wrote to memory of 3952	5032	zap0981.exe	xoytC16.exe
PID 5032 wrote to memory of 3952	5032	zap0981.exe	xoytC16.exe
PID 3596 wrote to memory of 5112	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	y46MZ50.exe
PID 3596 wrote to memory of 5112	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	y46MZ50.exe
PID 3596 wrote to memory of 5112	3596	6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe	y46MZ50.exe
PID 5112 wrote to memory of 4080	5112	y46MZ50.exe	oneetx.exe
PID 5112 wrote to memory of 4080	5112	y46MZ50.exe	oneetx.exe
PID 5112 wrote to memory of 4080	5112	y46MZ50.exe	oneetx.exe
PID 4080 wrote to memory of 4192	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 4192	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 4192	4080	oneetx.exe	schtasks.exe
PID 4080 wrote to memory of 1656	4080	oneetx.exe	cmd.exe
PID 4080 wrote to memory of 1656	4080	oneetx.exe	cmd.exe
PID 4080 wrote to memory of 1656	4080	oneetx.exe	cmd.exe
PID 1656 wrote to memory of 880	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 880	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 880	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 776	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 776	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 776	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1988	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1988	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1988	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 2184	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2184	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2184	1656	cmd.exe	cmd.exe
PID 1656 wrote to memory of 2456	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 2456	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 2456	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1468	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1468	1656	cmd.exe	cacls.exe
PID 1656 wrote to memory of 1468	1656	cmd.exe	cacls.exe
PID 4080 wrote to memory of 3624	4080	oneetx.exe	svhosts.exe
PID 4080 wrote to memory of 3624	4080	oneetx.exe	svhosts.exe
PID 4080 wrote to memory of 3624	4080	oneetx.exe	svhosts.exe

C:\Users\Admin\AppData\Local\Temp\6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe
"C:\Users\Admin\AppData\Local\Temp\6b294e4d225930bc68a29c17f39d00d47476a1722bb76b34bc3f6ba55008ea83.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0981.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0981.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5032

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6814.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6814.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6402.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6402.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1617.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1617.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4948mT.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4948mT.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 1088
6⤵
- Program crash
PID:2836

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66Ce90.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66Ce90.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1912
5⤵
- Program crash
PID:2236

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoytC16.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoytC16.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46MZ50.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46MZ50.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:880

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:776

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:1988

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2184

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
"C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe"
4⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1420 -ip 1420
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2584 -ip 2584
1⤵
PID:3832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\svhosts.exe
Filesize
1.8MB

MD5
0a935300ad790ad8d03666b1f14e73a4

SHA1
57bf66e15b0cbf325ce66d4c9d5592088a1a8e00

SHA256
9b96d15a412a80fb77e790070084ce815945398f9c9b103ece0ed420850ace12

SHA512
64e7c5e9b0c301a2b4a87dc0189fa55bc7c8690d9148382fd237851348a977376a9772c232f6a898417e92e739add1410d3f143f93547eb99c57fa064ce78096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46MZ50.exe
Filesize
236KB

MD5
9cfee6cfc3a844e4c00a66fdc98a64d0

SHA1
bf128be17c73f7a1f3e579c516348c8db39e64f0

SHA256
8a0c004d1ac4be68ec7cea9249c5b2fb3e2d61007601242958666aa990c18629

SHA512
358d1c35a7cb7df91e00bce43b792041ddee42d115b9b84e68fe97717f3a7901f691f7a4c33e8100625de1dd32ef5f80f951b82ee3644c8270c0cb151b3d9075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y46MZ50.exe
Filesize
236KB

MD5
9cfee6cfc3a844e4c00a66fdc98a64d0

SHA1
bf128be17c73f7a1f3e579c516348c8db39e64f0

SHA256
8a0c004d1ac4be68ec7cea9249c5b2fb3e2d61007601242958666aa990c18629

SHA512
358d1c35a7cb7df91e00bce43b792041ddee42d115b9b84e68fe97717f3a7901f691f7a4c33e8100625de1dd32ef5f80f951b82ee3644c8270c0cb151b3d9075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0981.exe
Filesize
816KB

MD5
e8b78b66ac22df0019a67503a315d095

SHA1
aa83fa7542e5d999e099e77f97065e43020154ab

SHA256
9fc5119b7ae0c91a5296fb4fd054a086dbc90501942e7754815cb6b5f68ac794

SHA512
84dcbf9842cea72205abc659b9c74eefd8223ab3eb35326feff5bc9e5fa7935639883ea394d39fdb7ef710ab331c2bfec4ee034a6bdb502dc6f0162c3a48035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap0981.exe
Filesize
816KB

MD5
e8b78b66ac22df0019a67503a315d095

SHA1
aa83fa7542e5d999e099e77f97065e43020154ab

SHA256
9fc5119b7ae0c91a5296fb4fd054a086dbc90501942e7754815cb6b5f68ac794

SHA512
84dcbf9842cea72205abc659b9c74eefd8223ab3eb35326feff5bc9e5fa7935639883ea394d39fdb7ef710ab331c2bfec4ee034a6bdb502dc6f0162c3a48035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoytC16.exe
Filesize
175KB

MD5
825bb86e5fdfa8102eebbcdd39055af6

SHA1
4b8f9f38b66d2ea282f564763edfe9b0e2caff35

SHA256
077bacc47d6fcb9a8f8cba5b06ae394dfcdee1c3bfa9b88c9ec9ff415a1f60f5

SHA512
be1038b0ca398de96d53f5cc199516f53a8056181a7c278852ef8bd76aebab45f7459db2ff6c195b0f64cbd9dfd0dec9d708859218a178d7fdc7aef301d352b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xoytC16.exe
Filesize
175KB

MD5
825bb86e5fdfa8102eebbcdd39055af6

SHA1
4b8f9f38b66d2ea282f564763edfe9b0e2caff35

SHA256
077bacc47d6fcb9a8f8cba5b06ae394dfcdee1c3bfa9b88c9ec9ff415a1f60f5

SHA512
be1038b0ca398de96d53f5cc199516f53a8056181a7c278852ef8bd76aebab45f7459db2ff6c195b0f64cbd9dfd0dec9d708859218a178d7fdc7aef301d352b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6814.exe
Filesize
673KB

MD5
5273cec45aa71b103744cc4a49c08cf2

SHA1
243d41b791fa9e1965554432de3a7300d1e163e3

SHA256
daa104d898aa66fcad385d5387b807e10b66a0dc5d1c7d2df1e7f8ceb9370ba5

SHA512
a9297cb1a6b056d460e76cb8db1ab59453324779f82c0bba45d7cbe6a42507fe26a6e0a089cc3820580669a374810604de7416053d5938c5fecf68d5517a90bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6814.exe
Filesize
673KB

MD5
5273cec45aa71b103744cc4a49c08cf2

SHA1
243d41b791fa9e1965554432de3a7300d1e163e3

SHA256
daa104d898aa66fcad385d5387b807e10b66a0dc5d1c7d2df1e7f8ceb9370ba5

SHA512
a9297cb1a6b056d460e76cb8db1ab59453324779f82c0bba45d7cbe6a42507fe26a6e0a089cc3820580669a374810604de7416053d5938c5fecf68d5517a90bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66Ce90.exe
Filesize
318KB

MD5
d2af364e456549287d1abf80d36b4ebc

SHA1
9e528bfc6c51c9c488430c896dd5de94d9e8989f

SHA256
e3ef13c140ed854c787541b1b57771dc1ee6b2dfe581fbffc4ac53bb7e7ed38d

SHA512
e5907748d73a9901b620bd8700dce157e1c1148344d22163e8ec91841dd679a0c07a983f735849c31d9bef026c365c5a57700c9782ff1b13b9424622004e0a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w66Ce90.exe
Filesize
318KB

MD5
d2af364e456549287d1abf80d36b4ebc

SHA1
9e528bfc6c51c9c488430c896dd5de94d9e8989f

SHA256
e3ef13c140ed854c787541b1b57771dc1ee6b2dfe581fbffc4ac53bb7e7ed38d

SHA512
e5907748d73a9901b620bd8700dce157e1c1148344d22163e8ec91841dd679a0c07a983f735849c31d9bef026c365c5a57700c9782ff1b13b9424622004e0a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6402.exe
Filesize
333KB

MD5
dcbd878b34255e151d4546d1d78bb94a

SHA1
0ea29b7941f906d118369e7b6d6f1b5d43fcd38c

SHA256
ebdf5778b33fb1b92b1f2d947deac166bd79347ff50237f94c9a0546422bcedc

SHA512
d05439208e107ca709bd69707b68a8376f55cadf002d3f2c3a1b94927bba416f966dca326619f553ddd724345825a9651bb7e1eb748d440c85e8b952e45bacf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6402.exe
Filesize
333KB

MD5
dcbd878b34255e151d4546d1d78bb94a

SHA1
0ea29b7941f906d118369e7b6d6f1b5d43fcd38c

SHA256
ebdf5778b33fb1b92b1f2d947deac166bd79347ff50237f94c9a0546422bcedc

SHA512
d05439208e107ca709bd69707b68a8376f55cadf002d3f2c3a1b94927bba416f966dca326619f553ddd724345825a9651bb7e1eb748d440c85e8b952e45bacf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1617.exe
Filesize
11KB

MD5
51e67270a039039a4c132037e36ad611

SHA1
3c454da773aa33952510c9c73e9ee562677bf7f7

SHA256
738a535843cdf78cca4d3d1134f5ebcc25ef26f1b878aa83564fca383f7f48d9

SHA512
e1b72101c3980b1abdf17c3c9431a5696f05aaf6603fe31c9b20bf4e6fa5bfd169817ed3e153dab076fe15305e1632d0a265e1d3e80943e211f40fc1f20c87ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1617.exe
Filesize
11KB

MD5
51e67270a039039a4c132037e36ad611

SHA1
3c454da773aa33952510c9c73e9ee562677bf7f7

SHA256
738a535843cdf78cca4d3d1134f5ebcc25ef26f1b878aa83564fca383f7f48d9

SHA512
e1b72101c3980b1abdf17c3c9431a5696f05aaf6603fe31c9b20bf4e6fa5bfd169817ed3e153dab076fe15305e1632d0a265e1d3e80943e211f40fc1f20c87ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4948mT.exe
Filesize
259KB

MD5
f83d718aeafd4df4867a42783e51cf38

SHA1
8f4def5df98e353458958f66d9dd08bd849168cb

SHA256
02444354718caf38a2e39ea3a81f12836475937b901da8b4f116ace9e9a6403d

SHA512
6b2763290cd643f3458023e5d344a78b478e0dad8923481cf7dc1cb3009bf70368edf8056086f9a170ee1712bb46cc8b7674d058d6acdfa58a77f4d07fc867a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4948mT.exe
Filesize
259KB

MD5
f83d718aeafd4df4867a42783e51cf38

SHA1
8f4def5df98e353458958f66d9dd08bd849168cb

SHA256
02444354718caf38a2e39ea3a81f12836475937b901da8b4f116ace9e9a6403d

SHA512
6b2763290cd643f3458023e5d344a78b478e0dad8923481cf7dc1cb3009bf70368edf8056086f9a170ee1712bb46cc8b7674d058d6acdfa58a77f4d07fc867a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
9cfee6cfc3a844e4c00a66fdc98a64d0

SHA1
bf128be17c73f7a1f3e579c516348c8db39e64f0

SHA256
8a0c004d1ac4be68ec7cea9249c5b2fb3e2d61007601242958666aa990c18629

SHA512
358d1c35a7cb7df91e00bce43b792041ddee42d115b9b84e68fe97717f3a7901f691f7a4c33e8100625de1dd32ef5f80f951b82ee3644c8270c0cb151b3d9075

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
9cfee6cfc3a844e4c00a66fdc98a64d0

SHA1
bf128be17c73f7a1f3e579c516348c8db39e64f0

SHA256
8a0c004d1ac4be68ec7cea9249c5b2fb3e2d61007601242958666aa990c18629

SHA512
358d1c35a7cb7df91e00bce43b792041ddee42d115b9b84e68fe97717f3a7901f691f7a4c33e8100625de1dd32ef5f80f951b82ee3644c8270c0cb151b3d9075

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
9cfee6cfc3a844e4c00a66fdc98a64d0

SHA1
bf128be17c73f7a1f3e579c516348c8db39e64f0

SHA256
8a0c004d1ac4be68ec7cea9249c5b2fb3e2d61007601242958666aa990c18629

SHA512
358d1c35a7cb7df91e00bce43b792041ddee42d115b9b84e68fe97717f3a7901f691f7a4c33e8100625de1dd32ef5f80f951b82ee3644c8270c0cb151b3d9075

Download Submit
memory/1388-161-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/1420-181-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-202-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-185-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-189-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-193-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-191-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-187-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-177-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-195-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-199-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-197-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-200-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1420-201-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-183-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-203-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-205-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1420-179-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-175-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-173-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-172-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1420-171-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-170-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-169-0x0000000002250000-0x0000000002260000-memory.dmp

Filesize
64KB

Download
memory/1420-168-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/1420-167-0x00000000005D0000-0x00000000005FD000-memory.dmp

Filesize
180KB

Download
memory/2584-213-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-1127-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-227-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-229-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-231-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-233-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-235-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-237-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-239-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-241-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-243-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-245-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-247-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-1120-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/2584-1121-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/2584-1122-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

Filesize
72KB

Download
memory/2584-1123-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/2584-1124-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-1126-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-225-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-1128-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-1129-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/2584-1130-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/2584-1131-0x0000000006450000-0x00000000064C6000-memory.dmp

Filesize
472KB

Download
memory/2584-1132-0x00000000064E0000-0x0000000006530000-memory.dmp

Filesize
320KB

Download
memory/2584-1133-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/2584-1134-0x0000000006870000-0x0000000006D9C000-memory.dmp

Filesize
5.2MB

Download
memory/2584-223-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-1135-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-210-0x0000000000620000-0x000000000066B000-memory.dmp

Filesize
300KB

Download
memory/2584-212-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2584-221-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-219-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-215-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-217-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-214-0x0000000002610000-0x000000000264F000-memory.dmp

Filesize
252KB

Download
memory/2584-211-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/3952-1142-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3952-1141-0x00000000000B0000-0x00000000000E2000-memory.dmp

Filesize
200KB

Download