amadey | 0a79ae6a925ed44ddfdd43a5b152ef882b9733e7fa0546e9129783a421618ebc

Analysis

max time kernel
74s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
Size

393KB
MD5

06e2d86298746110ea703acc31c66323
SHA1

b341bb06c3196103723f44a95f0b0afcb86ce1ce
SHA256

c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce
SHA512

e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b
SSDEEP

6144:JILhVvboBJDl5mUPknVDzRbIoXMGx8DSPm1bCHU75M9X2l:yNJYl9knBSoJvPm1m0d5

Score

10^/10

amadey trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Utsysc.exec3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe

Executes dropped EXE 2 IoCs

Processes:

Utsysc.exeUtsysc.exe

pid process

3132 Utsysc.exe
3828 Utsysc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3132	Utsysc.exe
3828	Utsysc.exe

Program crash 44 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4464	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
4592	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
2104	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
4496	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
2196	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
2524	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
2368	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
4164	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
1432	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
1508	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
456	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
3864	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
2200	1724	WerFault.exe	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
3876	3132	WerFault.exe	Utsysc.exe
4308	3132	WerFault.exe	Utsysc.exe
2020	3132	WerFault.exe	Utsysc.exe
1064	3132	WerFault.exe	Utsysc.exe
2556	3132	WerFault.exe	Utsysc.exe
2156	3132	WerFault.exe	Utsysc.exe
4696	3132	WerFault.exe	Utsysc.exe
652	3132	WerFault.exe	Utsysc.exe
4760	3132	WerFault.exe	Utsysc.exe
628	3132	WerFault.exe	Utsysc.exe
4236	3132	WerFault.exe	Utsysc.exe
2368	3132	WerFault.exe	Utsysc.exe
4164	3132	WerFault.exe	Utsysc.exe
332	3132	WerFault.exe	Utsysc.exe
4048	3132	WerFault.exe	Utsysc.exe
1392	3828	WerFault.exe	Utsysc.exe
2200	3132	WerFault.exe	Utsysc.exe
4872	3828	WerFault.exe	Utsysc.exe
3856	3132	WerFault.exe	Utsysc.exe
4900	3132	WerFault.exe	Utsysc.exe
4524	3828	WerFault.exe	Utsysc.exe
3172	3828	WerFault.exe	Utsysc.exe
1896	3132	WerFault.exe	Utsysc.exe
2360	3132	WerFault.exe	Utsysc.exe
4764	3132	WerFault.exe	Utsysc.exe
5080	3132	WerFault.exe	Utsysc.exe
4372	2076	WerFault.exe	Utsysc.exe
1984	2076	WerFault.exe	Utsysc.exe
3796	2076	WerFault.exe	Utsysc.exe
4344	2076	WerFault.exe	Utsysc.exe
3024	3132	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4668 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe

pid process

1724 c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe

pid	process
4668	schtasks.exe

pid	process
1724	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exeUtsysc.exe

description	pid	process	target process
PID 1724 wrote to memory of 3132	1724	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe	Utsysc.exe
PID 1724 wrote to memory of 3132	1724	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe	Utsysc.exe
PID 1724 wrote to memory of 3132	1724	c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe	Utsysc.exe
PID 3132 wrote to memory of 4668	3132	Utsysc.exe	schtasks.exe
PID 3132 wrote to memory of 4668	3132	Utsysc.exe	schtasks.exe
PID 3132 wrote to memory of 4668	3132	Utsysc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe
"C:\Users\Admin\AppData\Local\Temp\c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 596
2⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 668
2⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 736
2⤵
- Program crash
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 744
2⤵
- Program crash
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 744
2⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 744
2⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1104
2⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1108
2⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1224
2⤵
- Program crash
PID:1432

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 608
3⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 704
3⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 824
3⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 968
3⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 988
3⤵
- Program crash
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 988
3⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1048
3⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 912
3⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 692
3⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 752
3⤵
- Program crash
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1244
3⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1252
3⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1296
3⤵
- Program crash
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1300
3⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1356
3⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 980
3⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1000
3⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1416
3⤵
- Program crash
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1216
3⤵
- Program crash
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1620
3⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1632
3⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1716
3⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:4668

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
PID:1132

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:3372

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
PID:216

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:4508

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
PID:3692

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1488

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1188
3⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1596
2⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1468
2⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1644
2⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1580
2⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1724 -ip 1724
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1724 -ip 1724
1⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1724 -ip 1724
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1724 -ip 1724
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1724 -ip 1724
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1724 -ip 1724
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1724 -ip 1724
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1724 -ip 1724
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1724 -ip 1724
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1724 -ip 1724
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1724 -ip 1724
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1724 -ip 1724
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1724 -ip 1724
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3132 -ip 3132
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3132 -ip 3132
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3132 -ip 3132
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3132 -ip 3132
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3132 -ip 3132
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3132 -ip 3132
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3132 -ip 3132
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3132 -ip 3132
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3132 -ip 3132
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3132 -ip 3132
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3132 -ip 3132
1⤵
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3132 -ip 3132
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3132 -ip 3132
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3132 -ip 3132
1⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 552
2⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 812
2⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 820
2⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 848
2⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3132 -ip 3132
1⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3828 -ip 3828
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3132 -ip 3132
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3132 -ip 3132
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3828 -ip 3828
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3828 -ip 3828
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3132 -ip 3132
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3828 -ip 3828
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3132 -ip 3132
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3132 -ip 3132
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3132 -ip 3132
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3132 -ip 3132
1⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 552
2⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 812
2⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 820
2⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 856
2⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2076 -ip 2076
1⤵
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2076 -ip 2076
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3132 -ip 3132
1⤵
PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\350690463354

Filesize
81KB

MD5
7b0508dcc08076ffa308e9fb38d18b9e

SHA1
6c93713b38163c2acf70f2d7a7eec0b532ad64a3

SHA256
f970c0e91392cd4237ae2dda0bba7bb84bdb787ad4edfbe47df0fb6ef7c8a87b

SHA512
b709f66eb60e75dcd1760c7913d4be82330429a4a046c1b4f831186db0a276597acf1fefc1965c3615b44547e588ee7314a3572f862ddf76f75e63dca9a4208e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
393KB

MD5
06e2d86298746110ea703acc31c66323

SHA1
b341bb06c3196103723f44a95f0b0afcb86ce1ce

SHA256
c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce

SHA512
e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
393KB

MD5
06e2d86298746110ea703acc31c66323

SHA1
b341bb06c3196103723f44a95f0b0afcb86ce1ce

SHA256
c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce

SHA512
e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
393KB

MD5
06e2d86298746110ea703acc31c66323

SHA1
b341bb06c3196103723f44a95f0b0afcb86ce1ce

SHA256
c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce

SHA512
e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
393KB

MD5
06e2d86298746110ea703acc31c66323

SHA1
b341bb06c3196103723f44a95f0b0afcb86ce1ce

SHA256
c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce

SHA512
e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
393KB

MD5
06e2d86298746110ea703acc31c66323

SHA1
b341bb06c3196103723f44a95f0b0afcb86ce1ce

SHA256
c3f6354c94ae880d0254f356f2836aaf4aec81b903e4054f75f6e517183e9fce

SHA512
e1452002d3a92b0c56da22a2a88e54f4fc33dce34e494f8efbd239e0b0606486d74b0d20927d1d6997437bd48e5cf03eb57afc7d4302e67e412c600a2fe7605b

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
923KB

MD5
fe5e6c400e4231f2bcd89848f39c422a

SHA1
def37f04b00ef2634f6cd409383d843eec99f56e

SHA256
d9f7d0c9c007a649a97275c7f1847bd3f2b5a9f4dcc74ec48eb5debc3a951a4e

SHA512
1d08d501b41e24d0aaae279d28c5d0fbfb366735531a2158ec9a8a743689d401006e5fdf937aedd33a95a4118ab585d209a36751a67f6216229d19603165f816

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
923KB

MD5
fe5e6c400e4231f2bcd89848f39c422a

SHA1
def37f04b00ef2634f6cd409383d843eec99f56e

SHA256
d9f7d0c9c007a649a97275c7f1847bd3f2b5a9f4dcc74ec48eb5debc3a951a4e

SHA512
1d08d501b41e24d0aaae279d28c5d0fbfb366735531a2158ec9a8a743689d401006e5fdf937aedd33a95a4118ab585d209a36751a67f6216229d19603165f816

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
923KB

MD5
fe5e6c400e4231f2bcd89848f39c422a

SHA1
def37f04b00ef2634f6cd409383d843eec99f56e

SHA256
d9f7d0c9c007a649a97275c7f1847bd3f2b5a9f4dcc74ec48eb5debc3a951a4e

SHA512
1d08d501b41e24d0aaae279d28c5d0fbfb366735531a2158ec9a8a743689d401006e5fdf937aedd33a95a4118ab585d209a36751a67f6216229d19603165f816

Download Submit
memory/1724-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1724-2-0x00000000022C0000-0x000000000232C000-memory.dmp

Filesize
432KB

Download
memory/1724-3-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1724-15-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1724-16-0x00000000022C0000-0x000000000232C000-memory.dmp

Filesize
432KB

Download
memory/2076-81-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/2076-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2076-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-64-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-21-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-18-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/3132-19-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-57-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-22-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/3132-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3132-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3828-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3828-34-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3828-28-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download