amadey | 17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3

Analysis

max time kernel
206s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe
Size

1.0MB
MD5

793adbd6746cd904c0a5ca5af2795cbf
SHA1

5314d526611334475ba233beb32b7ba443897548
SHA256

17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3
SHA512

8370d61a9a89254046afe1d9be003cdb15c5edd81ff9c3bf2617cda9303e536e1879095bef6b125d095eb39be70b2f2c0519f823c95537cf64afb4f9133bd263
SSDEEP

24576:zyMtxOXxJAn8IV3fPr/r5rKjRlWTwRT0DZ76nZAl3dSw:GwOXU8I3rKtlWTwRY7j7S

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1336-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1336-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1336-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1336-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2740-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u7265547.exeexplonde.exelegota.exet0026603.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	u7265547.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	t0026603.exe

Executes dropped EXE 12 IoCs

Processes:

z9192756.exez3264512.exez0201089.exez4358707.exeq0343155.exer9184813.exes2903295.exet0026603.exeexplonde.exeu7265547.exelegota.exew5989773.exe

pid	process
4016	z9192756.exe
1560	z3264512.exe
3828	z0201089.exe
1352	z4358707.exe
4772	q0343155.exe
1940	r9184813.exe
2108	s2903295.exe
3708	t0026603.exe
3740	explonde.exe
4232	u7265547.exe
2648	legota.exe
4428	w5989773.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exez9192756.exez3264512.exez0201089.exez4358707.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9192756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3264512.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0201089.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4358707.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q0343155.exer9184813.exes2903295.exe

description	pid	process	target process
PID 4772 set thread context of 2740	4772	q0343155.exe	AppLaunch.exe
PID 1940 set thread context of 1336	1940	r9184813.exe	AppLaunch.exe
PID 2108 set thread context of 3972	2108	s2903295.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5032	4772	WerFault.exe	q0343155.exe
3232	1940	WerFault.exe	r9184813.exe
2404	1336	WerFault.exe	AppLaunch.exe
3796	2108	WerFault.exe	s2903295.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1776 schtasks.exe
4068 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2740 AppLaunch.exe
2740 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2740 AppLaunch.exe

pid	process
1776	schtasks.exe
4068	schtasks.exe

pid	process
2740	AppLaunch.exe
2740	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2740	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exez9192756.exez3264512.exez0201089.exez4358707.exeq0343155.exer9184813.exes2903295.exet0026603.exeu7265547.exeexplonde.exe

description	pid	process	target process
PID 364 wrote to memory of 4016	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	z9192756.exe
PID 364 wrote to memory of 4016	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	z9192756.exe
PID 364 wrote to memory of 4016	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	z9192756.exe
PID 4016 wrote to memory of 1560	4016	z9192756.exe	z3264512.exe
PID 4016 wrote to memory of 1560	4016	z9192756.exe	z3264512.exe
PID 4016 wrote to memory of 1560	4016	z9192756.exe	z3264512.exe
PID 1560 wrote to memory of 3828	1560	z3264512.exe	z0201089.exe
PID 1560 wrote to memory of 3828	1560	z3264512.exe	z0201089.exe
PID 1560 wrote to memory of 3828	1560	z3264512.exe	z0201089.exe
PID 3828 wrote to memory of 1352	3828	z0201089.exe	z4358707.exe
PID 3828 wrote to memory of 1352	3828	z0201089.exe	z4358707.exe
PID 3828 wrote to memory of 1352	3828	z0201089.exe	z4358707.exe
PID 1352 wrote to memory of 4772	1352	z4358707.exe	q0343155.exe
PID 1352 wrote to memory of 4772	1352	z4358707.exe	q0343155.exe
PID 1352 wrote to memory of 4772	1352	z4358707.exe	q0343155.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 4772 wrote to memory of 2740	4772	q0343155.exe	AppLaunch.exe
PID 1352 wrote to memory of 1940	1352	z4358707.exe	r9184813.exe
PID 1352 wrote to memory of 1940	1352	z4358707.exe	r9184813.exe
PID 1352 wrote to memory of 1940	1352	z4358707.exe	r9184813.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 1940 wrote to memory of 1336	1940	r9184813.exe	AppLaunch.exe
PID 3828 wrote to memory of 2108	3828	z0201089.exe	s2903295.exe
PID 3828 wrote to memory of 2108	3828	z0201089.exe	s2903295.exe
PID 3828 wrote to memory of 2108	3828	z0201089.exe	s2903295.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 2108 wrote to memory of 3972	2108	s2903295.exe	AppLaunch.exe
PID 1560 wrote to memory of 3708	1560	z3264512.exe	t0026603.exe
PID 1560 wrote to memory of 3708	1560	z3264512.exe	t0026603.exe
PID 1560 wrote to memory of 3708	1560	z3264512.exe	t0026603.exe
PID 3708 wrote to memory of 3740	3708	t0026603.exe	explonde.exe
PID 3708 wrote to memory of 3740	3708	t0026603.exe	explonde.exe
PID 3708 wrote to memory of 3740	3708	t0026603.exe	explonde.exe
PID 4016 wrote to memory of 4232	4016	z9192756.exe	u7265547.exe
PID 4016 wrote to memory of 4232	4016	z9192756.exe	u7265547.exe
PID 4016 wrote to memory of 4232	4016	z9192756.exe	u7265547.exe
PID 4232 wrote to memory of 2648	4232	u7265547.exe	legota.exe
PID 4232 wrote to memory of 2648	4232	u7265547.exe	legota.exe
PID 4232 wrote to memory of 2648	4232	u7265547.exe	legota.exe
PID 364 wrote to memory of 4428	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	w5989773.exe
PID 364 wrote to memory of 4428	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	w5989773.exe
PID 364 wrote to memory of 4428	364	17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe	w5989773.exe
PID 3740 wrote to memory of 4068	3740	explonde.exe	schtasks.exe
PID 3740 wrote to memory of 4068	3740	explonde.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\17b8a85528c7289b4abfb794dbd2f45ec98604ee7e40aedcfa471235e7157cc3_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9192756.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9192756.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3264512.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3264512.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0201089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0201089.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4358707.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4358707.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0343155.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0343155.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 200
        7⤵
        Program crash
        
        PID:5032
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9184813.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9184813.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 540
        8⤵
        Program crash
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 552
        7⤵
        Program crash
        
        PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2903295.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2903295.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 204
        6⤵
        Program crash
        
        PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0026603.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0026603.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7265547.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7265547.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2648
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1384
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5989773.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5989773.exe
  2⤵
  - Executes dropped EXE
  PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4772 -ip 4772
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1940 -ip 1940
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1336 -ip 1336
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2108 -ip 2108
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5989773.exe

Filesize
22KB

MD5
4e216c82374a262023f4422c32ebfc29

SHA1
223352fc87d618fd32ebbe0f4c99767a206f15ea

SHA256
0e126b0e7182188d66151a1a58504f78e1b76dab836d0e8866dc9129425dfcf4

SHA512
a7a14e8b363c447316e5fe6b2e750abdedc73c7b8f2735f8f2af8ba990725ac514ffbff4e905b454591d8f7cccd838e9f2c7eb3d8df139e9fd11802670dc2708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5989773.exe

Filesize
22KB

MD5
4e216c82374a262023f4422c32ebfc29

SHA1
223352fc87d618fd32ebbe0f4c99767a206f15ea

SHA256
0e126b0e7182188d66151a1a58504f78e1b76dab836d0e8866dc9129425dfcf4

SHA512
a7a14e8b363c447316e5fe6b2e750abdedc73c7b8f2735f8f2af8ba990725ac514ffbff4e905b454591d8f7cccd838e9f2c7eb3d8df139e9fd11802670dc2708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9192756.exe

Filesize
961KB

MD5
128dc26fa4d048bae751c931abbf6044

SHA1
721c247b803ef9a91c97544f003a538848abbe60

SHA256
377e50953464fbbf146fa45cb04953d8eacb15260a8644dadfcbf1a327f0d989

SHA512
cf271d5fab31696a73c705c819cdd9b6152cf1a448ac79690dc1715e91fcda32d878b0ac693bf041f2cff41a329a5124b000752d08ee11a070cfcd38e239758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9192756.exe

Filesize
961KB

MD5
128dc26fa4d048bae751c931abbf6044

SHA1
721c247b803ef9a91c97544f003a538848abbe60

SHA256
377e50953464fbbf146fa45cb04953d8eacb15260a8644dadfcbf1a327f0d989

SHA512
cf271d5fab31696a73c705c819cdd9b6152cf1a448ac79690dc1715e91fcda32d878b0ac693bf041f2cff41a329a5124b000752d08ee11a070cfcd38e239758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7265547.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7265547.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3264512.exe

Filesize
778KB

MD5
486b12fd93c5b4fe7a6e90318203641c

SHA1
557cc59e7b77608010ba3a45a06f700d0daba24f

SHA256
9bb0992a16ecddba49638476475dcb05a40eff1e46e5d95221eec02009ad41b7

SHA512
3e560dadeb1dfc8cd84a478ba0b0f57b6e0dd97617e829189315c4b0b00218636d5089425cca4dd080c216f23514c3eec7ddd438f05313ffe1d052dcd179794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3264512.exe

Filesize
778KB

MD5
486b12fd93c5b4fe7a6e90318203641c

SHA1
557cc59e7b77608010ba3a45a06f700d0daba24f

SHA256
9bb0992a16ecddba49638476475dcb05a40eff1e46e5d95221eec02009ad41b7

SHA512
3e560dadeb1dfc8cd84a478ba0b0f57b6e0dd97617e829189315c4b0b00218636d5089425cca4dd080c216f23514c3eec7ddd438f05313ffe1d052dcd179794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0026603.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0026603.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0201089.exe

Filesize
596KB

MD5
19f40c7712a957fd6faf36575d711349

SHA1
fec1619520c573b5b4070863f02469f67965d490

SHA256
01c02468d119cdf2ad26866f9db146dca9c623bb7f3385ce199c03ff27147316

SHA512
a67d1e3dbc55dab06138ed00506f2535d182f813731240546c497c7d4d16ba6e2cb790f44945219d6a7e0cbce0b2b6ca36b87f71974bb1e720d20688e6cab7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0201089.exe

Filesize
596KB

MD5
19f40c7712a957fd6faf36575d711349

SHA1
fec1619520c573b5b4070863f02469f67965d490

SHA256
01c02468d119cdf2ad26866f9db146dca9c623bb7f3385ce199c03ff27147316

SHA512
a67d1e3dbc55dab06138ed00506f2535d182f813731240546c497c7d4d16ba6e2cb790f44945219d6a7e0cbce0b2b6ca36b87f71974bb1e720d20688e6cab7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2903295.exe

Filesize
384KB

MD5
f4ccb4bc2a832cfd5e31f93350834df7

SHA1
a2c9f8f860f5306ccef3667f76a230dd20fe77f3

SHA256
1c10a0a9337d3c823b142640e8229d369767d2d8d05b24c45bb2b4d9e4335156

SHA512
382630d45e030e02533aed4617ee97657aa2950fc8eb70645a4214517183d5f7f4350c9845aa51c3114bed67945f0436c1e0596c4839eaea6f8d8eaa1446a793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2903295.exe

Filesize
384KB

MD5
f4ccb4bc2a832cfd5e31f93350834df7

SHA1
a2c9f8f860f5306ccef3667f76a230dd20fe77f3

SHA256
1c10a0a9337d3c823b142640e8229d369767d2d8d05b24c45bb2b4d9e4335156

SHA512
382630d45e030e02533aed4617ee97657aa2950fc8eb70645a4214517183d5f7f4350c9845aa51c3114bed67945f0436c1e0596c4839eaea6f8d8eaa1446a793

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4358707.exe

Filesize
336KB

MD5
54ef7437eaf855b37bd207b307e3598d

SHA1
4b5f4b8f8476dead2749b52d20de152181fd6b2c

SHA256
53f40dd6a6bc4915130c3c446339ceddb11045023549ad791bc3ecffa1396c1a

SHA512
5b453247cfca0d59e2644ec655ec582c4ed477d4a1625817a26a57004fb3f695638affa315e8e138d5c879748f1941719e2f9869583b36306ba6af350d86b0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4358707.exe

Filesize
336KB

MD5
54ef7437eaf855b37bd207b307e3598d

SHA1
4b5f4b8f8476dead2749b52d20de152181fd6b2c

SHA256
53f40dd6a6bc4915130c3c446339ceddb11045023549ad791bc3ecffa1396c1a

SHA512
5b453247cfca0d59e2644ec655ec582c4ed477d4a1625817a26a57004fb3f695638affa315e8e138d5c879748f1941719e2f9869583b36306ba6af350d86b0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0343155.exe

Filesize
221KB

MD5
34baff5ad7279f05cd62dc36738bcc0f

SHA1
a12341affb648b3dd61c0970484d36cee6dcb5ee

SHA256
faecc8c363deb022cfdfb9b1002b82b25e8717f68135caaad18a77ce29b63dca

SHA512
7ee05388e77f13f02e2100bb202f20a902eb64ba6b302cf1574b4967ad05a6708839cbd32db495e7f2742dab5dc292d4dfff870988a5c26daf99d0960f27b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0343155.exe

Filesize
221KB

MD5
34baff5ad7279f05cd62dc36738bcc0f

SHA1
a12341affb648b3dd61c0970484d36cee6dcb5ee

SHA256
faecc8c363deb022cfdfb9b1002b82b25e8717f68135caaad18a77ce29b63dca

SHA512
7ee05388e77f13f02e2100bb202f20a902eb64ba6b302cf1574b4967ad05a6708839cbd32db495e7f2742dab5dc292d4dfff870988a5c26daf99d0960f27b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9184813.exe

Filesize
350KB

MD5
98ca1011e9ef2a4308c59eec39e0ee95

SHA1
1609a62ba623da08037df0f12052f98e916f8277

SHA256
f43fd7c4a5c3bd3442dab898bfbf139f1aee6ae507101385e88a7316ce13c8a7

SHA512
212a1271cff2477950f56d24c06dfb43f8ae637fcc34339fa13eadddc3471080a7433d09876c181463bae1c2db3a026db56d1506756c7c9bd0212bf48d2c1d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9184813.exe

Filesize
350KB

MD5
98ca1011e9ef2a4308c59eec39e0ee95

SHA1
1609a62ba623da08037df0f12052f98e916f8277

SHA256
f43fd7c4a5c3bd3442dab898bfbf139f1aee6ae507101385e88a7316ce13c8a7

SHA512
212a1271cff2477950f56d24c06dfb43f8ae637fcc34339fa13eadddc3471080a7433d09876c181463bae1c2db3a026db56d1506756c7c9bd0212bf48d2c1d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/1336-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1336-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1336-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1336-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2740-39-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2740-37-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2740-36-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2740-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3972-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3972-69-0x000000000AC60000-0x000000000AC9C000-memory.dmp

Filesize
240KB

Download
memory/3972-64-0x000000000AC00000-0x000000000AC12000-memory.dmp

Filesize
72KB

Download
memory/3972-63-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3972-78-0x000000000ADF0000-0x000000000AE3C000-memory.dmp

Filesize
304KB

Download
memory/3972-62-0x000000000ACE0000-0x000000000ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/3972-61-0x000000000B1B0000-0x000000000B7C8000-memory.dmp

Filesize
6.1MB

Download
memory/3972-55-0x0000000073870000-0x0000000074020000-memory.dmp

Filesize
7.7MB

Download
memory/3972-54-0x0000000001620000-0x0000000001626000-memory.dmp

Filesize
24KB

Download
memory/3972-88-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/3972-53-0x0000000073870000-0x0000000074020000-memory.dmp

Filesize
7.7MB

Download