amadey | b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e

Analysis

max time kernel
141s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe
Size

1.1MB
MD5

e925bb2ce0f432dd09b05dda6c8801a9
SHA1

e631f5b1cdd3fdaf2fc435cc7b3a667f23fe3b25
SHA256

b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e
SHA512

8eeb3edb9266e2a9d5bc45e49e4b02dc1f1453bf13426ea03fe8adf5e6d92179269aa225945fc61496d2f8b79988cdef937a8610e737db6bfccbaec2c5528d8b
SSDEEP

24576:Ky5Aqd9cHkL4/CYvaJK+fbA4VGH47b/MOO0gXf5ZAb8+izXXjR:Rnnykc/JvahfMQu47gOO7Xf54f2

Score

10^/10

amadey discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr436611.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	si777512.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
4876	un243223.exe
2732	un878462.exe
1792	pr436611.exe
3132	qu562648.exe
1640	rk728931.exe
3984	si777512.exe
100	oneetx.exe
1788	oneetx.exe
2132	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
3020	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr436611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr436611.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un243223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un243223.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un878462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un878462.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4416	1792	WerFault.exe	85
1668	3132	WerFault.exe	91
3972	3984	WerFault.exe	96
3856	3984	WerFault.exe	96
3848	3984	WerFault.exe	96
2196	3984	WerFault.exe	96
4888	3984	WerFault.exe	96
388	3984	WerFault.exe	96
4836	3984	WerFault.exe	96
3840	3984	WerFault.exe	96
2468	3984	WerFault.exe	96
4940	3984	WerFault.exe	96
1484	100	WerFault.exe	115
760	100	WerFault.exe	115
3464	100	WerFault.exe	115
2244	100	WerFault.exe	115
4948	100	WerFault.exe	115
4468	100	WerFault.exe	115
1360	100	WerFault.exe	115
3392	100	WerFault.exe	115
1444	100	WerFault.exe	115
708	100	WerFault.exe	115
4312	100	WerFault.exe	115
2888	1788	WerFault.exe	142
3292	100	WerFault.exe	115
2148	100	WerFault.exe	115
1080	100	WerFault.exe	115
2316	2132	WerFault.exe	152
4008	100	WerFault.exe	115

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1792	pr436611.exe
1792	pr436611.exe
3132	qu562648.exe
3132	qu562648.exe
1640	rk728931.exe
1640	rk728931.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	pr436611.exe
Token: SeDebugPrivilege	3132	qu562648.exe
Token: SeDebugPrivilege	1640	rk728931.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3984	si777512.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 4876	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	83
PID 2708 wrote to memory of 4876	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	83
PID 2708 wrote to memory of 4876	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	83
PID 4876 wrote to memory of 2732	4876	un243223.exe	84
PID 4876 wrote to memory of 2732	4876	un243223.exe	84
PID 4876 wrote to memory of 2732	4876	un243223.exe	84
PID 2732 wrote to memory of 1792	2732	un878462.exe	85
PID 2732 wrote to memory of 1792	2732	un878462.exe	85
PID 2732 wrote to memory of 1792	2732	un878462.exe	85
PID 2732 wrote to memory of 3132	2732	un878462.exe	91
PID 2732 wrote to memory of 3132	2732	un878462.exe	91
PID 2732 wrote to memory of 3132	2732	un878462.exe	91
PID 4876 wrote to memory of 1640	4876	un243223.exe	95
PID 4876 wrote to memory of 1640	4876	un243223.exe	95
PID 4876 wrote to memory of 1640	4876	un243223.exe	95
PID 2708 wrote to memory of 3984	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	96
PID 2708 wrote to memory of 3984	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	96
PID 2708 wrote to memory of 3984	2708	b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe	96
PID 3984 wrote to memory of 100	3984	si777512.exe	115
PID 3984 wrote to memory of 100	3984	si777512.exe	115
PID 3984 wrote to memory of 100	3984	si777512.exe	115
PID 100 wrote to memory of 3584	100	oneetx.exe	132
PID 100 wrote to memory of 3584	100	oneetx.exe	132
PID 100 wrote to memory of 3584	100	oneetx.exe	132
PID 100 wrote to memory of 3020	100	oneetx.exe	149
PID 100 wrote to memory of 3020	100	oneetx.exe	149
PID 100 wrote to memory of 3020	100	oneetx.exe	149

C:\Users\Admin\AppData\Local\Temp\b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe
"C:\Users\Admin\AppData\Local\Temp\b0c0344e368a826ec66e6b8a9ca1eb73d7e32b9df9288de593e47052881d4b1e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un243223.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un243223.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un878462.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un878462.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr436611.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr436611.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1080
        5⤵
        Program crash
        
        PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu562648.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu562648.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1316
        5⤵
        Program crash
        
        PID:1668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728931.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728931.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si777512.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si777512.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 680
    3⤵
    - Program crash
    PID:3972
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 780
    3⤵
    - Program crash
    PID:3856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 856
    3⤵
    - Program crash
    PID:3848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 960
    3⤵
    - Program crash
    PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 948
    3⤵
    - Program crash
    PID:4888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 988
    3⤵
    - Program crash
    PID:388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1220
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1224
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1264
    3⤵
    - Program crash
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 692
      4⤵
      Program crash
      PID:1484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 856
      4⤵
      Program crash
      PID:760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 892
      4⤵
      Program crash
      PID:3464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1048
      4⤵
      Program crash
      PID:2244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1068
      4⤵
      Program crash
      PID:4948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1084
      4⤵
      Program crash
      PID:4468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1128
      4⤵
      Program crash
      PID:1360
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 916
      4⤵
      Program crash
      PID:3392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1292
      4⤵
      Program crash
      PID:1444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1300
      4⤵
      Program crash
      PID:708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 916
      4⤵
      Program crash
      PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1152
      4⤵
      Program crash
      PID:3292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1592
      4⤵
      Program crash
      PID:2148
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:3020
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1152
      4⤵
      Program crash
      PID:1080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 1620
      4⤵
      Program crash
      PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 788
    3⤵
    - Program crash
    PID:4940

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4524 -i 4524 -h 472 -j 476 -s 484 -d 4548
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1792 -ip 1792
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3132 -ip 3132
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3984 -ip 3984
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3984 -ip 3984
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3984 -ip 3984
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3984 -ip 3984
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3984 -ip 3984
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3984 -ip 3984
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3984 -ip 3984
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3984 -ip 3984
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3984 -ip 3984
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3984 -ip 3984
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 100 -ip 100
1⤵
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 100 -ip 100
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 100 -ip 100
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 100 -ip 100
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 100 -ip 100
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 100 -ip 100
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 100 -ip 100
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 100 -ip 100
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 100 -ip 100
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 100 -ip 100
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 100 -ip 100
1⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 320
  2⤵
  - Program crash
  PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1788 -ip 1788
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 100 -ip 100
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 100 -ip 100
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 100 -ip 100
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 320
  2⤵
  - Program crash
  PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2132 -ip 2132
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 100 -ip 100
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si777512.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si777512.exe

Filesize
395KB

MD5
51d1dd7c115deda9f7d3b35aaf489a7c

SHA1
ff26026a3eaf8ddada6bdb78f1bdaca17498555d

SHA256
5ae260d370191e96ceead3b875c7af2acb63e34b091e814f1f0245e0b1180864

SHA512
0078a9f3b9761ed03cf66dba91f8a70f22f4f17101ed420e969956678ac67013ef4a08c8a302c5d503c06a92c6f7a6481f2c06a58b2140224fa22aafa106e3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un243223.exe

Filesize
764KB

MD5
932a3c1800823d62bddb9dc7c3ee671c

SHA1
bae433e9f4aff5484b09427ea94352cf84168757

SHA256
65c2047da0f26cd9d2e72cce962cf3734f4ab257bc4b3450f84eecd3e0be2912

SHA512
3f19e2e38691179dc5b0fcd154eb09f6e067cd0a34f468c62863c17e142f6da36b5a8054b2e050141edd53e64548b407011b4d636b28c5db58c74d7ef85340fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un243223.exe

Filesize
764KB

MD5
932a3c1800823d62bddb9dc7c3ee671c

SHA1
bae433e9f4aff5484b09427ea94352cf84168757

SHA256
65c2047da0f26cd9d2e72cce962cf3734f4ab257bc4b3450f84eecd3e0be2912

SHA512
3f19e2e38691179dc5b0fcd154eb09f6e067cd0a34f468c62863c17e142f6da36b5a8054b2e050141edd53e64548b407011b4d636b28c5db58c74d7ef85340fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728931.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk728931.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un878462.exe

Filesize
610KB

MD5
709b1856d0c0402f6b6c1815480cf1c8

SHA1
ef5c9ac9e1098bc8fdbfbc9df95d1049ab6979d4

SHA256
077413ab63c3dbb916b427e8c156374382baf795947c981352db0e5be87c1c73

SHA512
929e869e415cd671e0739b8506bdd51d90581d0e67bc95d319662ef00211bc275d8ff763472a7fcbe37568d2051d1a0f42e4d5354f2a55da128df8ce5d58c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un878462.exe

Filesize
610KB

MD5
709b1856d0c0402f6b6c1815480cf1c8

SHA1
ef5c9ac9e1098bc8fdbfbc9df95d1049ab6979d4

SHA256
077413ab63c3dbb916b427e8c156374382baf795947c981352db0e5be87c1c73

SHA512
929e869e415cd671e0739b8506bdd51d90581d0e67bc95d319662ef00211bc275d8ff763472a7fcbe37568d2051d1a0f42e4d5354f2a55da128df8ce5d58c9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr436611.exe

Filesize
403KB

MD5
7c0c16f91dcb3ae5e2aac53a492bafe7

SHA1
f04ddbac78a8c8a156dff8eeeaeb9d7721cff2d9

SHA256
ff69371eb60086f399016305b6f2c37a00c850bce960d5c00b96ce98aa64b5be

SHA512
4a6460971047e221cd8b6873d6a56e800bbabd30e524bc9b5a5c878bec4d91e51e227d348042d1cc55f620ef4192ffd20dff701bc515eb7d4f96a878431419ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr436611.exe

Filesize
403KB

MD5
7c0c16f91dcb3ae5e2aac53a492bafe7

SHA1
f04ddbac78a8c8a156dff8eeeaeb9d7721cff2d9

SHA256
ff69371eb60086f399016305b6f2c37a00c850bce960d5c00b96ce98aa64b5be

SHA512
4a6460971047e221cd8b6873d6a56e800bbabd30e524bc9b5a5c878bec4d91e51e227d348042d1cc55f620ef4192ffd20dff701bc515eb7d4f96a878431419ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu562648.exe

Filesize
486KB

MD5
2fa8833f3914e09953781ec1fca07cd5

SHA1
0815286a97789ec412c394eba0066dd49e9d110d

SHA256
e87a45fdb87a1a749aa9c18ca802b9a475c863b958981daa7d36b773391da55a

SHA512
e757856eee4b728e3f70a7f7266a35722855d9e24057905ed1e60e00cc5bbed3eaa5b5c5ec5c4434242345c33ad0c89d89f5e0fd3037a8f93c30011f08a05257

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu562648.exe

Filesize
486KB

MD5
2fa8833f3914e09953781ec1fca07cd5

SHA1
0815286a97789ec412c394eba0066dd49e9d110d

SHA256
e87a45fdb87a1a749aa9c18ca802b9a475c863b958981daa7d36b773391da55a

SHA512
e757856eee4b728e3f70a7f7266a35722855d9e24057905ed1e60e00cc5bbed3eaa5b5c5ec5c4434242345c33ad0c89d89f5e0fd3037a8f93c30011f08a05257

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
ee69aeae2f96208fc3b11dfb70e07161

SHA1
5f877b7ca02c4d476f2641bcee9ef5f3a4ab3cf6

SHA256
13ce132c49ab6673a4da35eb9ff11d71f1451ad1351417e99cf41db8d2f474d9

SHA512
94373fb87b58db0bc0462f1b356897b0919615fe5d8f3ec47f1370b6599261562f7b27e8b0faf46f9cba5fdbabceb67c65557c816bd472d72baa1071d8ee5c6f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1640-1009-0x00000000004F0000-0x0000000000518000-memory.dmp

Filesize
160KB

Download
memory/1640-1010-0x00000000073B0000-0x00000000073C0000-memory.dmp

Filesize
64KB

Download
memory/1792-169-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-177-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-179-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-181-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-183-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-185-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-186-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1792-188-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1792-175-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-173-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-171-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-167-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-165-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-163-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-161-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-159-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-158-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1792-157-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/1792-156-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1792-155-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/3132-212-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-999-0x0000000008DB0000-0x0000000008E00000-memory.dmp

Filesize
320KB

Download
memory/3132-220-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-222-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-224-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-226-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-404-0x00000000009C0000-0x0000000000A06000-memory.dmp

Filesize
280KB

Download
memory/3132-408-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-411-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-407-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-989-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/3132-990-0x0000000004F10000-0x0000000004F22000-memory.dmp

Filesize
72KB

Download
memory/3132-991-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/3132-992-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/3132-993-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-994-0x00000000083B0000-0x0000000008416000-memory.dmp

Filesize
408KB

Download
memory/3132-995-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/3132-996-0x0000000008C40000-0x0000000008CB6000-memory.dmp

Filesize
472KB

Download
memory/3132-998-0x0000000008CF0000-0x0000000008D0E000-memory.dmp

Filesize
120KB

Download
memory/3132-218-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-1000-0x0000000008E10000-0x0000000008FD2000-memory.dmp

Filesize
1.8MB

Download
memory/3132-216-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-214-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-210-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-1001-0x0000000008FE0000-0x000000000950C000-memory.dmp

Filesize
5.2MB

Download
memory/3132-1003-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-1004-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/3132-193-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-208-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-206-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-204-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-202-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-200-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-198-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-196-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3132-194-0x0000000002870000-0x00000000028A5000-memory.dmp

Filesize
212KB

Download
memory/3984-1016-0x00000000023A0000-0x00000000023DB000-memory.dmp

Filesize
236KB

Download