amadey | 3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612

Analysis

max time kernel
147s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/04/2023, 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe
Size

1.2MB
MD5

c8f5d8312f7706923491fcfedbc63306
SHA1

e12deff7126d271c6022af9e02f1108736daf14b
SHA256

3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612
SHA512

15ee9f0f192c6c0d0bc88dbf5470b9b5e7c79afe817c2128671a8f06e466f42bcda0729bd538a02da17d97fa8f5d3d895360d17a396a273ae562eaf728405722
SSDEEP

24576:MyHPVLdf7kx5ylMP/5TRX3Y4yMqFohsvMj+dnfccc6w:7HPbwzSY/5TNDqFTvMjknEcc

Score

10^/10

amadey redline dirx soft discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

soft

77.91.124.146:4121

Attributes

auth_value
e65663e455bca3c5699650b66e76ceaa

Extracted

Family

redline

Botnet

dirx

77.91.124.146:4121

Attributes

auth_value
522d988f763be056e53e089f74d464cc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr330150.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	qu410163.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	si376031.exe

Executes dropped EXE 9 IoCs

pid	Process
2900	un631799.exe
4892	un029232.exe
4488	pr330150.exe
372	qu410163.exe
4496	1.exe
3264	rk594879.exe
4092	si376031.exe
2296	oneetx.exe
560	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4292	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr330150.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr330150.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un631799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un631799.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un029232.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un029232.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
3840	4488	WerFault.exe	87
3784	372	WerFault.exe	93
2992	4092	WerFault.exe	104
3876	4092	WerFault.exe	104
4116	4092	WerFault.exe	104
4292	4092	WerFault.exe	104
1912	4092	WerFault.exe	104
1536	4092	WerFault.exe	104
1424	4092	WerFault.exe	104
1660	4092	WerFault.exe	104
3348	4092	WerFault.exe	104
1588	4092	WerFault.exe	104
1668	2296	WerFault.exe	124
4932	2296	WerFault.exe	124
3384	2296	WerFault.exe	124
1004	2296	WerFault.exe	124
232	2296	WerFault.exe	124
3684	2296	WerFault.exe	124
3508	2296	WerFault.exe	124
1156	2296	WerFault.exe	124
4404	2296	WerFault.exe	124
4044	2296	WerFault.exe	124
3572	2296	WerFault.exe	124
4684	2296	WerFault.exe	124
2212	2296	WerFault.exe	124
1656	560	WerFault.exe	154
1808	2296	WerFault.exe	124
3812	2296	WerFault.exe	124
1780	2296	WerFault.exe	124

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4488	pr330150.exe
4488	pr330150.exe
3264	rk594879.exe
4496	1.exe
3264	rk594879.exe
4496	1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	pr330150.exe
Token: SeDebugPrivilege	372	qu410163.exe
Token: SeDebugPrivilege	3264	rk594879.exe
Token: SeDebugPrivilege	4496	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4092	si376031.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2900	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	85
PID 4444 wrote to memory of 2900	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	85
PID 4444 wrote to memory of 2900	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	85
PID 2900 wrote to memory of 4892	2900	un631799.exe	86
PID 2900 wrote to memory of 4892	2900	un631799.exe	86
PID 2900 wrote to memory of 4892	2900	un631799.exe	86
PID 4892 wrote to memory of 4488	4892	un029232.exe	87
PID 4892 wrote to memory of 4488	4892	un029232.exe	87
PID 4892 wrote to memory of 4488	4892	un029232.exe	87
PID 4892 wrote to memory of 372	4892	un029232.exe	93
PID 4892 wrote to memory of 372	4892	un029232.exe	93
PID 4892 wrote to memory of 372	4892	un029232.exe	93
PID 372 wrote to memory of 4496	372	qu410163.exe	95
PID 372 wrote to memory of 4496	372	qu410163.exe	95
PID 372 wrote to memory of 4496	372	qu410163.exe	95
PID 2900 wrote to memory of 3264	2900	un631799.exe	98
PID 2900 wrote to memory of 3264	2900	un631799.exe	98
PID 2900 wrote to memory of 3264	2900	un631799.exe	98
PID 4444 wrote to memory of 4092	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	104
PID 4444 wrote to memory of 4092	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	104
PID 4444 wrote to memory of 4092	4444	3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe	104
PID 4092 wrote to memory of 2296	4092	si376031.exe	124
PID 4092 wrote to memory of 2296	4092	si376031.exe	124
PID 4092 wrote to memory of 2296	4092	si376031.exe	124
PID 2296 wrote to memory of 212	2296	oneetx.exe	140
PID 2296 wrote to memory of 212	2296	oneetx.exe	140
PID 2296 wrote to memory of 212	2296	oneetx.exe	140
PID 2296 wrote to memory of 4292	2296	oneetx.exe	159
PID 2296 wrote to memory of 4292	2296	oneetx.exe	159
PID 2296 wrote to memory of 4292	2296	oneetx.exe	159

C:\Users\Admin\AppData\Local\Temp\3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe
"C:\Users\Admin\AppData\Local\Temp\3a00b34b038b52fbb1451356925830559766e618ffc29f3ab29d73d1db3a5612.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631799.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631799.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029232.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029232.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr330150.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr330150.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1028
        5⤵
        Program crash
        
        PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu410163.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu410163.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:372
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1408
        5⤵
        Program crash
        
        PID:3784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594879.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594879.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si376031.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si376031.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 700
    3⤵
    - Program crash
    PID:2992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 784
    3⤵
    - Program crash
    PID:3876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 860
    3⤵
    - Program crash
    PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 964
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 980
    3⤵
    - Program crash
    PID:1912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 980
    3⤵
    - Program crash
    PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1220
    3⤵
    - Program crash
    PID:1424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1232
    3⤵
    - Program crash
    PID:1660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1320
    3⤵
    - Program crash
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 696
      4⤵
      Program crash
      PID:1668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 792
      4⤵
      Program crash
      PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 904
      4⤵
      Program crash
      PID:3384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1056
      4⤵
      Program crash
      PID:1004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1076
      4⤵
      Program crash
      PID:232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1076
      4⤵
      Program crash
      PID:3684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1056
      4⤵
      Program crash
      PID:3508
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 996
      4⤵
      Program crash
      PID:1156
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 756
      4⤵
      Program crash
      PID:4404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 728
      4⤵
      Program crash
      PID:4044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 780
      4⤵
      Program crash
      PID:3572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1528
      4⤵
      Program crash
      PID:4684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1116
      4⤵
      Program crash
      PID:2212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1628
      4⤵
      Program crash
      PID:1808
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1576
      4⤵
      Program crash
      PID:3812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1680
      4⤵
      Program crash
      PID:1780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1360
    3⤵
    - Program crash
    PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4488 -ip 4488
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 372 -ip 372
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4092 -ip 4092
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4092 -ip 4092
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4092 -ip 4092
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4092 -ip 4092
1⤵
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4092 -ip 4092
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4092 -ip 4092
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4092 -ip 4092
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4092 -ip 4092
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4092 -ip 4092
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4092 -ip 4092
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2296 -ip 2296
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2296 -ip 2296
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2296 -ip 2296
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2296 -ip 2296
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2296 -ip 2296
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2296 -ip 2296
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2296 -ip 2296
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2296 -ip 2296
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2296 -ip 2296
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2296 -ip 2296
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2296 -ip 2296
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2296 -ip 2296
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2296 -ip 2296
1⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 324
  2⤵
  - Program crash
  PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 560 -ip 560
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2296 -ip 2296
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2296 -ip 2296
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2296 -ip 2296
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si376031.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si376031.exe

Filesize
395KB

MD5
cc057c9e33359007ae6c7eb8e6510745

SHA1
31d57cf599d00235ec4a14453e68f1993253758d

SHA256
ac58a29d76075cb470a03a1ca58afa7c0aaf9ddc1b221996fa286fd5b87b5d1f

SHA512
5c7e6c915d0738bb27d695ebd7a284ac73ff2d0a4e5cdec34a370eabd98c3b0130ab04af5b9c82a7900712a6b538fdce3b721798635fd9792c8550039dbe1f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631799.exe

Filesize
862KB

MD5
8905af9bacb4b75f889ec3e6e83ef6a2

SHA1
73afa646c9867ddd245b94d1ae73417db73ef8ee

SHA256
4a01194580baf1ea50064c78e433eb4f0f9b974e1ba947e6f55586305353a5c2

SHA512
51e8586b285823e3b9eca70a784226044fe99aa6fb37442fac7523ac2de961a2b9ace4a488d8f433707bb8995d991ccdfbb4fd3c60cdc17baf9df8078796403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631799.exe

Filesize
862KB

MD5
8905af9bacb4b75f889ec3e6e83ef6a2

SHA1
73afa646c9867ddd245b94d1ae73417db73ef8ee

SHA256
4a01194580baf1ea50064c78e433eb4f0f9b974e1ba947e6f55586305353a5c2

SHA512
51e8586b285823e3b9eca70a784226044fe99aa6fb37442fac7523ac2de961a2b9ace4a488d8f433707bb8995d991ccdfbb4fd3c60cdc17baf9df8078796403e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594879.exe

Filesize
168KB

MD5
d075d6d7bc9b1d1170691ee4fd850fde

SHA1
e869d61168f85a8e49d78160fc5b4288df2f591b

SHA256
b8241e500e7f61319437d2c1782c03617456f47796e0ed64acac8cc9f2897ef6

SHA512
477e7ed1559b5496427a95b996c07d9829a4af674a5df6bc4ea9a3b910c624c6eac38daeccc182d1eac06c4ac50a5bbb64cf0d2c11cc0e36a5b897bfbbfb0b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk594879.exe

Filesize
168KB

MD5
d075d6d7bc9b1d1170691ee4fd850fde

SHA1
e869d61168f85a8e49d78160fc5b4288df2f591b

SHA256
b8241e500e7f61319437d2c1782c03617456f47796e0ed64acac8cc9f2897ef6

SHA512
477e7ed1559b5496427a95b996c07d9829a4af674a5df6bc4ea9a3b910c624c6eac38daeccc182d1eac06c4ac50a5bbb64cf0d2c11cc0e36a5b897bfbbfb0b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029232.exe

Filesize
709KB

MD5
45205ae5aa00561a04d0145b48ecd53b

SHA1
2079b31b3a26993514d323a48a5026c52b2e21cc

SHA256
547fd3e676b6ce804a783c600b4862a578f337b60d04d0c27d3bcaaf8df5a9bd

SHA512
ca22fbf06f28bee33e989844f94c130446151932b75ddafc9b28b980f6a19898c9f359751c7116764d776964afe21f5ec65e7a581c59fe969796fca22a45fce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un029232.exe

Filesize
709KB

MD5
45205ae5aa00561a04d0145b48ecd53b

SHA1
2079b31b3a26993514d323a48a5026c52b2e21cc

SHA256
547fd3e676b6ce804a783c600b4862a578f337b60d04d0c27d3bcaaf8df5a9bd

SHA512
ca22fbf06f28bee33e989844f94c130446151932b75ddafc9b28b980f6a19898c9f359751c7116764d776964afe21f5ec65e7a581c59fe969796fca22a45fce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr330150.exe

Filesize
403KB

MD5
53f31789d2b8d212a417c4bce49db057

SHA1
db7cfe8731071e2da7a7e2dd44d3cc9aa563aac4

SHA256
f4bd32b09a50d6bfbe5fcb6037de76b418c63189aae0dfa13b493990fc149331

SHA512
89b687d72953d9257e5099b8f87cdf6cb9cf6e2f8c245149f9fdd76914797365d6803445f21d1d3c03f21d6a3478c10b3866604a508dafde7d274e8556aaa954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr330150.exe

Filesize
403KB

MD5
53f31789d2b8d212a417c4bce49db057

SHA1
db7cfe8731071e2da7a7e2dd44d3cc9aa563aac4

SHA256
f4bd32b09a50d6bfbe5fcb6037de76b418c63189aae0dfa13b493990fc149331

SHA512
89b687d72953d9257e5099b8f87cdf6cb9cf6e2f8c245149f9fdd76914797365d6803445f21d1d3c03f21d6a3478c10b3866604a508dafde7d274e8556aaa954

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu410163.exe

Filesize
587KB

MD5
b4b2bcb2e305dd83b7cc46a796d879f5

SHA1
af6744e13439102aabafd51100e702aa600e6ea7

SHA256
81c86f808c6f8fad9b5242207dd0c50ad34a0f2185c04cc429b0833d499da191

SHA512
74290abda7b6abe4ec820d7888be0b31a508ba770b1dbc834ba56d2aed9bd38cb125c31c7a4c7c070ed42b6c7e591664813efca6432d3941f9fa0615acc281ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu410163.exe

Filesize
587KB

MD5
b4b2bcb2e305dd83b7cc46a796d879f5

SHA1
af6744e13439102aabafd51100e702aa600e6ea7

SHA256
81c86f808c6f8fad9b5242207dd0c50ad34a0f2185c04cc429b0833d499da191

SHA512
74290abda7b6abe4ec820d7888be0b31a508ba770b1dbc834ba56d2aed9bd38cb125c31c7a4c7c070ed42b6c7e591664813efca6432d3941f9fa0615acc281ae

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1eed54a048b387471d40ab1094221ef1

SHA1
5004d555d2e74a72b07a7fe1e512cb8f8ee5ba98

SHA256
c97ba12c976ee628111a13331099e868c64bff78b392fe156662235ce9c4dc19

SHA512
e781886c99944ef136036514f5773eb3566cb0b4f331bd013492ee2cd36fbb6decc1a88d25f21a86ad9205dbac5c53cacd145c9b10b638e3ac04742795c43c13

Download Submit
memory/372-200-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-198-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-229-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-218-0x0000000002490000-0x00000000024EB000-memory.dmp

Filesize
364KB

Download
memory/372-227-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-222-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-225-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-233-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-2341-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/372-202-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-231-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-223-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/372-197-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-204-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-206-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-208-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-210-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-212-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-214-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-216-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-219-0x0000000005520000-0x0000000005580000-memory.dmp

Filesize
384KB

Download
memory/372-221-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/3264-2350-0x0000000000640000-0x0000000000670000-memory.dmp

Filesize
192KB

Download
memory/3264-2352-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3264-2359-0x0000000008880000-0x0000000008DAC000-memory.dmp

Filesize
5.2MB

Download
memory/3264-2357-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/3264-2356-0x00000000053F0000-0x0000000005482000-memory.dmp

Filesize
584KB

Download
memory/3264-2354-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4092-2367-0x0000000000990000-0x00000000009CB000-memory.dmp

Filesize
236KB

Download
memory/4488-165-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-190-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4488-179-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-177-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-157-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/4488-175-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-158-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4488-156-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4488-159-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4488-173-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-171-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-155-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/4488-169-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-160-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-183-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-161-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-185-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-163-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-187-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-188-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4488-181-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4488-189-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4488-192-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4488-167-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/4496-2360-0x00000000063F0000-0x0000000006440000-memory.dmp

Filesize
320KB

Download
memory/4496-2358-0x0000000006440000-0x0000000006602000-memory.dmp

Filesize
1.8MB

Download
memory/4496-2355-0x0000000005470000-0x00000000054E6000-memory.dmp

Filesize
472KB

Download
memory/4496-2353-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4496-2351-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4496-2349-0x0000000005010000-0x000000000504C000-memory.dmp

Filesize
240KB

Download
memory/4496-2345-0x0000000004E80000-0x0000000004E92000-memory.dmp

Filesize
72KB

Download
memory/4496-2343-0x0000000005120000-0x000000000522A000-memory.dmp

Filesize
1.0MB

Download
memory/4496-2342-0x0000000005630000-0x0000000005C48000-memory.dmp

Filesize
6.1MB

Download
memory/4496-2340-0x0000000000640000-0x000000000066E000-memory.dmp

Filesize
184KB

Download