amadey | f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2023, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe
Size

950KB
MD5

c07c50b915780e2bd37578347d919c0c
SHA1

69000311162aa2cba35240f2caa198b42448bd2c
SHA256

f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1
SHA512

45d7bded9256608aa0b3a2c68b834e2b219c948dcc058d0afd5946ff4661cbff810c97f9f92b0cd4706d1b195366a1c2e8e42d86af4f19d760d3c5b2f5688f47
SSDEEP

24576:gyDTxuycobRWEZBThXsMuJi9Kr1Pr+ckJeWffs:n3x9cobRhbNXVuJ/rhOYc

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it159866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it159866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it159866.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it159866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it159866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it159866.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lr269692.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4496	zioX0035.exe
4884	zicx9568.exe
3776	it159866.exe
4800	jr781167.exe
4440	kp208021.exe
1332	lr269692.exe
1036	oneetx.exe
3728	oneetx.exe
768	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3500	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it159866.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zioX0035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zioX0035.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zicx9568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zicx9568.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

pid	pid_target	Process	procid_target
1536	4800	WerFault.exe	91
4248	1332	WerFault.exe	99
3664	1332	WerFault.exe	99
4372	1332	WerFault.exe	99
4412	1332	WerFault.exe	99
2212	1332	WerFault.exe	99
3196	1332	WerFault.exe	99
2196	1332	WerFault.exe	99
1968	1332	WerFault.exe	99
3520	1332	WerFault.exe	99
3948	1332	WerFault.exe	99
3336	1036	WerFault.exe	118
4428	1036	WerFault.exe	118
3248	1036	WerFault.exe	118
3856	1036	WerFault.exe	118
4656	1036	WerFault.exe	118
3564	1036	WerFault.exe	118
2664	1036	WerFault.exe	118
3544	1036	WerFault.exe	118
460	1036	WerFault.exe	118
2752	1036	WerFault.exe	118
3552	1036	WerFault.exe	118
4040	3728	WerFault.exe	145
1552	1036	WerFault.exe	118
4232	1036	WerFault.exe	118
3024	1036	WerFault.exe	118
3772	768	WerFault.exe	155
564	1036	WerFault.exe	118

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3776	it159866.exe
3776	it159866.exe
4800	jr781167.exe
4800	jr781167.exe
4440	kp208021.exe
4440	kp208021.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	it159866.exe
Token: SeDebugPrivilege	4800	jr781167.exe
Token: SeDebugPrivilege	4440	kp208021.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1332	lr269692.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4496	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	84
PID 544 wrote to memory of 4496	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	84
PID 544 wrote to memory of 4496	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	84
PID 4496 wrote to memory of 4884	4496	zioX0035.exe	85
PID 4496 wrote to memory of 4884	4496	zioX0035.exe	85
PID 4496 wrote to memory of 4884	4496	zioX0035.exe	85
PID 4884 wrote to memory of 3776	4884	zicx9568.exe	86
PID 4884 wrote to memory of 3776	4884	zicx9568.exe	86
PID 4884 wrote to memory of 4800	4884	zicx9568.exe	91
PID 4884 wrote to memory of 4800	4884	zicx9568.exe	91
PID 4884 wrote to memory of 4800	4884	zicx9568.exe	91
PID 4496 wrote to memory of 4440	4496	zioX0035.exe	97
PID 4496 wrote to memory of 4440	4496	zioX0035.exe	97
PID 4496 wrote to memory of 4440	4496	zioX0035.exe	97
PID 544 wrote to memory of 1332	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	99
PID 544 wrote to memory of 1332	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	99
PID 544 wrote to memory of 1332	544	f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe	99
PID 1332 wrote to memory of 1036	1332	lr269692.exe	118
PID 1332 wrote to memory of 1036	1332	lr269692.exe	118
PID 1332 wrote to memory of 1036	1332	lr269692.exe	118
PID 1036 wrote to memory of 2164	1036	oneetx.exe	135
PID 1036 wrote to memory of 2164	1036	oneetx.exe	135
PID 1036 wrote to memory of 2164	1036	oneetx.exe	135
PID 1036 wrote to memory of 3500	1036	oneetx.exe	152
PID 1036 wrote to memory of 3500	1036	oneetx.exe	152
PID 1036 wrote to memory of 3500	1036	oneetx.exe	152

C:\Users\Admin\AppData\Local\Temp\f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe
"C:\Users\Admin\AppData\Local\Temp\f04740aef985538f96aac14463bc35225fb9f1fca908a029a484b951d9023fa1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioX0035.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioX0035.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicx9568.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicx9568.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it159866.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it159866.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr781167.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr781167.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1320
        5⤵
        Program crash
        
        PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp208021.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp208021.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr269692.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr269692.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 696
    3⤵
    - Program crash
    PID:4248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 780
    3⤵
    - Program crash
    PID:3664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 812
    3⤵
    - Program crash
    PID:4372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 864
    3⤵
    - Program crash
    PID:4412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 976
    3⤵
    - Program crash
    PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 976
    3⤵
    - Program crash
    PID:3196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1220
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1212
    3⤵
    - Program crash
    PID:1968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 1320
    3⤵
    - Program crash
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 692
      4⤵
      Program crash
      PID:3336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 884
      4⤵
      Program crash
      PID:4428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 920
      4⤵
      Program crash
      PID:3248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 928
      4⤵
      Program crash
      PID:3856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1100
      4⤵
      Program crash
      PID:4656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 932
      4⤵
      Program crash
      PID:3564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 920
      4⤵
      Program crash
      PID:2664
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1020
      4⤵
      Program crash
      PID:3544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 712
      4⤵
      Program crash
      PID:460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1016
      4⤵
      Program crash
      PID:2752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 912
      4⤵
      Program crash
      PID:3552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 932
      4⤵
      Program crash
      PID:1552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1616
      4⤵
      Program crash
      PID:4232
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1124
      4⤵
      Program crash
      PID:3024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1632
      4⤵
      Program crash
      PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 972
    3⤵
    - Program crash
    PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4800 -ip 4800
1⤵
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1332 -ip 1332
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1332 -ip 1332
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1332 -ip 1332
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1332 -ip 1332
1⤵
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1332 -ip 1332
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1332 -ip 1332
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1332 -ip 1332
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1332 -ip 1332
1⤵
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1332 -ip 1332
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1332 -ip 1332
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1036 -ip 1036
1⤵
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1036 -ip 1036
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1036 -ip 1036
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1036 -ip 1036
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1036 -ip 1036
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1036 -ip 1036
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1036 -ip 1036
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1036 -ip 1036
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 1036
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1036 -ip 1036
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 1036
1⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:3728
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 312
  2⤵
  - Program crash
  PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3728 -ip 3728
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1036 -ip 1036
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1036 -ip 1036
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1036 -ip 1036
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 312
  2⤵
  - Program crash
  PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 768 -ip 768
1⤵
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1036 -ip 1036
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr269692.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr269692.exe

Filesize
391KB

MD5
ddf04463153f1e5dbc154e5ce336faf9

SHA1
c3dae185f839ef74dcbce57aec93e68551a6aa87

SHA256
d3ac829489becb0b7f4754549b2fe1a4d0894aaebd6517ab8aefbeed262bcc64

SHA512
7d6ac4e64b01aa238bf15f9d64cbca523008795c9ef8d432d9c3ec5df15b294707b13d68b9f2cef23b6e581d39e19eed7e83c6a9de05ccd2890a65951e809eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioX0035.exe

Filesize
623KB

MD5
cc695e61244dd38b3a10e47ae69acec8

SHA1
b5b4e3d94b4f004667e3791c625c0857126497cc

SHA256
2fa4b449944f574fbb590e576407ebfda9d7b82b054c80b949a68f05ef9466f3

SHA512
201631ec7fedf18918916fb6f4a7286aab9e152dd998f6455ca975e8c7027100d3f90a9ffe3c04f43b9f1b10fd58e5127f928b2dcf4386291f7242f507dcaf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zioX0035.exe

Filesize
623KB

MD5
cc695e61244dd38b3a10e47ae69acec8

SHA1
b5b4e3d94b4f004667e3791c625c0857126497cc

SHA256
2fa4b449944f574fbb590e576407ebfda9d7b82b054c80b949a68f05ef9466f3

SHA512
201631ec7fedf18918916fb6f4a7286aab9e152dd998f6455ca975e8c7027100d3f90a9ffe3c04f43b9f1b10fd58e5127f928b2dcf4386291f7242f507dcaf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp208021.exe

Filesize
137KB

MD5
6c057a8a81cc705049db41e54e7ceda3

SHA1
597ada1d26fcaca701022321ff2e9decf493ce5d

SHA256
531a21db54d2e5b46fb10decf88aaf7ea9e84a92add6af2e58fcdb1d1f7aca9b

SHA512
5c03d924f6a8721ea91569e7f434057aa19858c7e4e06b99aeeda90b0a612227691ff5e4da80ba7d0656e62959dba227b361f9dcd1d888935045d1dca11bc689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp208021.exe

Filesize
137KB

MD5
6c057a8a81cc705049db41e54e7ceda3

SHA1
597ada1d26fcaca701022321ff2e9decf493ce5d

SHA256
531a21db54d2e5b46fb10decf88aaf7ea9e84a92add6af2e58fcdb1d1f7aca9b

SHA512
5c03d924f6a8721ea91569e7f434057aa19858c7e4e06b99aeeda90b0a612227691ff5e4da80ba7d0656e62959dba227b361f9dcd1d888935045d1dca11bc689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicx9568.exe

Filesize
469KB

MD5
8f97e3f3806ee774e136ab098ef5292d

SHA1
f0fb95b7101c52f8593646741a68cfb8a9eaffd8

SHA256
679e0bca6f12f72bfe145cb44e4c3d2e01d6ff9f82ea2ad2b1978baa34310769

SHA512
5507ad067f154809f88e46466d3b2e7e5f6b71284fd992c9be2292c6c3d231e1c3dd849127098190bed3eb16d74cb6b5f3181b6408076529ca5e78937d051694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zicx9568.exe

Filesize
469KB

MD5
8f97e3f3806ee774e136ab098ef5292d

SHA1
f0fb95b7101c52f8593646741a68cfb8a9eaffd8

SHA256
679e0bca6f12f72bfe145cb44e4c3d2e01d6ff9f82ea2ad2b1978baa34310769

SHA512
5507ad067f154809f88e46466d3b2e7e5f6b71284fd992c9be2292c6c3d231e1c3dd849127098190bed3eb16d74cb6b5f3181b6408076529ca5e78937d051694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it159866.exe

Filesize
12KB

MD5
5e83050ab1b5b189f3bf8e756231034c

SHA1
58020a5cc54b5fda9532bb301ed4edd220c5f5c1

SHA256
02a0a071f2b6bb92fa05d76bdfd65fb3a6a60c253209f224fab5e231d1398548

SHA512
66148d61b2ff51b6a2468d7ec96f21d1ff302ab3bc0a5bc029e2caeaadc93e7cfad0d44b305e3c8bf6c9a6061f80ad593e990a2dff2c85ab93f85ec9e286fc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it159866.exe

Filesize
12KB

MD5
5e83050ab1b5b189f3bf8e756231034c

SHA1
58020a5cc54b5fda9532bb301ed4edd220c5f5c1

SHA256
02a0a071f2b6bb92fa05d76bdfd65fb3a6a60c253209f224fab5e231d1398548

SHA512
66148d61b2ff51b6a2468d7ec96f21d1ff302ab3bc0a5bc029e2caeaadc93e7cfad0d44b305e3c8bf6c9a6061f80ad593e990a2dff2c85ab93f85ec9e286fc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr781167.exe

Filesize
481KB

MD5
340eea4c404bb5b1c6de5d33a8131d94

SHA1
16eff9a8db01c0a6b205f56eaa4a8b703622ccc1

SHA256
d70d0195dfe9ef58242794b8caafe1b5da2197e31097c626fa85d7caff1ffdf1

SHA512
ecd79ff82bd165869c490756857a32ff751a30bf799e2a36329c1f6013264a75c07c57dba841ba45c7c8156ca928f1e427ea0f1529f685e103604ff464cf9545

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr781167.exe

Filesize
481KB

MD5
340eea4c404bb5b1c6de5d33a8131d94

SHA1
16eff9a8db01c0a6b205f56eaa4a8b703622ccc1

SHA256
d70d0195dfe9ef58242794b8caafe1b5da2197e31097c626fa85d7caff1ffdf1

SHA512
ecd79ff82bd165869c490756857a32ff751a30bf799e2a36329c1f6013264a75c07c57dba841ba45c7c8156ca928f1e427ea0f1529f685e103604ff464cf9545

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1332-984-0x0000000002450000-0x000000000248B000-memory.dmp

Filesize
236KB

Download
memory/3776-154-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/4440-978-0x0000000007540000-0x0000000007550000-memory.dmp

Filesize
64KB

Download
memory/4440-977-0x0000000000730000-0x0000000000758000-memory.dmp

Filesize
160KB

Download
memory/4800-204-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-228-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-182-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-184-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-186-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-188-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-190-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-192-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-194-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-196-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-198-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-200-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-202-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-178-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-206-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-208-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-210-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-212-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-214-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-216-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-218-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-220-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-222-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-224-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-226-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-180-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-957-0x00000000079F0000-0x0000000008008000-memory.dmp

Filesize
6.1MB

Download
memory/4800-958-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4800-959-0x00000000080D0000-0x00000000081DA000-memory.dmp

Filesize
1.0MB

Download
memory/4800-960-0x0000000008200000-0x000000000823C000-memory.dmp

Filesize
240KB

Download
memory/4800-961-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4800-962-0x00000000084F0000-0x0000000008556000-memory.dmp

Filesize
408KB

Download
memory/4800-963-0x0000000008BB0000-0x0000000008C42000-memory.dmp

Filesize
584KB

Download
memory/4800-964-0x0000000008D80000-0x0000000008DF6000-memory.dmp

Filesize
472KB

Download
memory/4800-965-0x0000000008E20000-0x0000000008E3E000-memory.dmp

Filesize
120KB

Download
memory/4800-966-0x0000000008F40000-0x0000000009102000-memory.dmp

Filesize
1.8MB

Download
memory/4800-176-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-174-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-172-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-170-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-168-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-166-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-165-0x0000000002A20000-0x0000000002A55000-memory.dmp

Filesize
212KB

Download
memory/4800-164-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4800-163-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4800-162-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4800-161-0x0000000002470000-0x00000000024B6000-memory.dmp

Filesize
280KB

Download
memory/4800-160-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/4800-967-0x0000000009110000-0x000000000963C000-memory.dmp

Filesize
5.2MB

Download
memory/4800-968-0x0000000009680000-0x00000000096D0000-memory.dmp

Filesize
320KB

Download
memory/4800-971-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4800-972-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download