amadey | f1d0a44fff4e265f76fdfc8b585bfbe54b4662a0edb951d9566f279f2f181f0f

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2023 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
Size

438KB
MD5

0212113ffcbcd270155711883c54aead
SHA1

d4cd2cf05cdf3860b64935f19a992f54323c941c
SHA256

3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7
SHA512

f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f
SSDEEP

6144:Qm7ibXH2MT4Ju30WA/ySjIFbld/0d55bodKli2sfFaxDtWHP+vfKYhkp:Qh0Jy0WGTjAZFM5NSutQrYa

Score

10^/10

amadey spyware stealer trojan

Malware Config

Extracted

Family

amadey

http://arrunda.ru

http://soetegem.com

http://tceducn.com

Attributes

strings_key
eb714cabd2548b4a03c45f723f838bdc
url_paths
/forum/index.php

rc4.plain

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

60 1184 rundll32.exe
64 4404 rundll32.exe
70 2660 rundll32.exe
Downloads MZ/PE file

flow	pid	process
60	1184	rundll32.exe
64	4404	rundll32.exe
70	2660	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

1512 Utsysc.exe
1104 Utsysc.exe
1632 Utsysc.exe

pid	process
1512	Utsysc.exe
1104	Utsysc.exe
1632	Utsysc.exe

Loads dropped DLL 9 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
2976	rundll32.exe
4236	rundll32.exe
768	rundll32.exe
4328	rundll32.exe
4744	rundll32.exe
3664	rundll32.exe
1184	rundll32.exe
4404	rundll32.exe
2660	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1444	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
2232	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
2096	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
2548	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
536	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
1152	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
3120	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
2132	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
2928	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
4832	852	WerFault.exe	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
684	1512	WerFault.exe	Utsysc.exe
2804	1512	WerFault.exe	Utsysc.exe
800	1512	WerFault.exe	Utsysc.exe
2800	1512	WerFault.exe	Utsysc.exe
3440	1512	WerFault.exe	Utsysc.exe
4352	1512	WerFault.exe	Utsysc.exe
2600	1512	WerFault.exe	Utsysc.exe
1328	1512	WerFault.exe	Utsysc.exe
456	1512	WerFault.exe	Utsysc.exe
4028	1512	WerFault.exe	Utsysc.exe
4884	1512	WerFault.exe	Utsysc.exe
212	1512	WerFault.exe	Utsysc.exe
8	1512	WerFault.exe	Utsysc.exe
4168	1512	WerFault.exe	Utsysc.exe
4624	1512	WerFault.exe	Utsysc.exe
4768	1512	WerFault.exe	Utsysc.exe
3780	1512	WerFault.exe	Utsysc.exe
396	1512	WerFault.exe	Utsysc.exe
1040	1512	WerFault.exe	Utsysc.exe
4780	1512	WerFault.exe	Utsysc.exe
2800	1104	WerFault.exe	Utsysc.exe
4828	1512	WerFault.exe	Utsysc.exe
2808	1632	WerFault.exe	Utsysc.exe
2096	1512	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

440 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe

pid process

852 3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe

pid	process
440	schtasks.exe

pid	process
852	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exeUtsysc.exerundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 852 wrote to memory of 1512	852	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe	Utsysc.exe
PID 852 wrote to memory of 1512	852	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe	Utsysc.exe
PID 852 wrote to memory of 1512	852	3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe	Utsysc.exe
PID 1512 wrote to memory of 440	1512	Utsysc.exe	schtasks.exe
PID 1512 wrote to memory of 440	1512	Utsysc.exe	schtasks.exe
PID 1512 wrote to memory of 440	1512	Utsysc.exe	schtasks.exe
PID 1512 wrote to memory of 2976	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 2976	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 2976	1512	Utsysc.exe	rundll32.exe
PID 2976 wrote to memory of 4236	2976	rundll32.exe	rundll32.exe
PID 2976 wrote to memory of 4236	2976	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 768	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 768	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 768	1512	Utsysc.exe	rundll32.exe
PID 768 wrote to memory of 4328	768	rundll32.exe	rundll32.exe
PID 768 wrote to memory of 4328	768	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 4744	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 4744	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 4744	1512	Utsysc.exe	rundll32.exe
PID 4744 wrote to memory of 3664	4744	rundll32.exe	rundll32.exe
PID 4744 wrote to memory of 3664	4744	rundll32.exe	rundll32.exe
PID 1512 wrote to memory of 1184	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 1184	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 1184	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 4404	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 4404	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 4404	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 2660	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 2660	1512	Utsysc.exe	rundll32.exe
PID 1512 wrote to memory of 2660	1512	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe
"C:\Users\Admin\AppData\Local\Temp\3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 580
2⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 664
2⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 732
2⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 836
2⤵
- Program crash
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 852
2⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 852
2⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1100
2⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1120
2⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1228
2⤵
- Program crash
PID:2928

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 604
3⤵
- Program crash
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 796
3⤵
- Program crash
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 804
3⤵
- Program crash
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1020
3⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1016
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1016
3⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 996
3⤵
- Program crash
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 936
3⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 672
3⤵
- Program crash
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 640
3⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 932
3⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 816
3⤵
- Program crash
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 684
3⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 684
3⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1260
3⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 684
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1436
3⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1620
3⤵
- Program crash
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1708
3⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1748
3⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4236

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:4328

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
4⤵
- Loads dropped DLL
PID:3664

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1184

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4404

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1720
3⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1048
3⤵
- Program crash
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1300
2⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 852 -ip 852
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 852 -ip 852
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 852 -ip 852
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 852 -ip 852
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 852 -ip 852
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 852 -ip 852
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 852 -ip 852
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 852 -ip 852
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 852 -ip 852
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 852 -ip 852
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1512 -ip 1512
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1512 -ip 1512
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1512 -ip 1512
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1512 -ip 1512
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1512 -ip 1512
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512
1⤵
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1512 -ip 1512
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1512 -ip 1512
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 1512
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1512 -ip 1512
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1512 -ip 1512
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1512 -ip 1512
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1512 -ip 1512
1⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1512 -ip 1512
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1512 -ip 1512
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1512 -ip 1512
1⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1512 -ip 1512
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1512 -ip 1512
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 428
2⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1104 -ip 1104
1⤵
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1512 -ip 1512
1⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 428
2⤵
- Program crash
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1632 -ip 1632
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1512 -ip 1512
1⤵
PID:3480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\067295379148
Filesize
74KB

MD5
cf05972270089179ead75156ea194198

SHA1
158bb337d3c76c025430e0b68edac4c277f8c4b9

SHA256
f4ae2f3e582daa15d2673e18d67dfc64125aa7809a2a0ea5fd8149a66d3ac4f5

SHA512
adfb5d8e40d4a34d562384f762dd8d0e2041e3fedc8cd9d32d4df7a4904b174a4274470d129a4166e73d31ad48a7b4ad26a03abbec1bbe4d46d6c1e8268856f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
438KB

MD5
0212113ffcbcd270155711883c54aead

SHA1
d4cd2cf05cdf3860b64935f19a992f54323c941c

SHA256
3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

SHA512
f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
438KB

MD5
0212113ffcbcd270155711883c54aead

SHA1
d4cd2cf05cdf3860b64935f19a992f54323c941c

SHA256
3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

SHA512
f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
438KB

MD5
0212113ffcbcd270155711883c54aead

SHA1
d4cd2cf05cdf3860b64935f19a992f54323c941c

SHA256
3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

SHA512
f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
438KB

MD5
0212113ffcbcd270155711883c54aead

SHA1
d4cd2cf05cdf3860b64935f19a992f54323c941c

SHA256
3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

SHA512
f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
Filesize
438KB

MD5
0212113ffcbcd270155711883c54aead

SHA1
d4cd2cf05cdf3860b64935f19a992f54323c941c

SHA256
3189c4ee9a09485edd30750f14cc1fc4a821c30315c51b17ceeb4285db7a58d7

SHA512
f8406c2d86767ceba9b68eb1c87cdd327ec61d54c2f4860c6ea286822f962f464b9acde1f33b117eab9620b1bde6275d6e65e879ad066406f385051f46e3d27f

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll
Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
Filesize
1.1MB

MD5
f01f5bc76b9596e0cfeab8a272cba3a5

SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722

SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938

SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Download Submit
memory/852-14-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/852-1-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/852-15-0x00000000008D0000-0x000000000093C000-memory.dmp

Filesize
432KB

Download
memory/852-3-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/852-2-0x00000000008D0000-0x000000000093C000-memory.dmp

Filesize
432KB

Download
memory/1104-53-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/1104-54-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-49-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-61-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-58-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-48-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/1512-35-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-73-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-23-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-75-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-18-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-77-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1512-17-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/1632-81-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/1632-82-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download