amadey | e926c5d122a75a965696115fcb562eeb434009f8520dc911440d06b33532e842

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
Size

422KB
MD5

b55804bd3be73d762a80a9776b05a2ba
SHA1

e39751d63cc2327fa4800494ad77fb89215231b7
SHA256

75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692
SHA512

88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed
SSDEEP

6144:ZO9p234i+WDYd8srnc1nKPM1FeH3c4gMQInwxDh:Y9p2x+WDYdXUKPM18H8M1nUDh

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.11

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com

Attributes

install_dir
d4dd819322
install_file
Utsysc.exe
strings_key
8419b3024d6f72beef8af6915e592308
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 4 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

2244 Utsysc.exe
632 Utsysc.exe
532 Utsysc.exe
64 Utsysc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2244	Utsysc.exe
632	Utsysc.exe
532	Utsysc.exe
64	Utsysc.exe

Program crash 41 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2020	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
2524	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
4972	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
1124	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
1744	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
3924	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
2596	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
4004	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
2012	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
1680	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
4144	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
1440	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
2360	2244	WerFault.exe	Utsysc.exe
2160	1992	WerFault.exe	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
1736	2244	WerFault.exe	Utsysc.exe
4856	2244	WerFault.exe	Utsysc.exe
1700	2244	WerFault.exe	Utsysc.exe
2272	2244	WerFault.exe	Utsysc.exe
3392	2244	WerFault.exe	Utsysc.exe
676	2244	WerFault.exe	Utsysc.exe
620	2244	WerFault.exe	Utsysc.exe
2940	2244	WerFault.exe	Utsysc.exe
4332	2244	WerFault.exe	Utsysc.exe
976	2244	WerFault.exe	Utsysc.exe
1576	2244	WerFault.exe	Utsysc.exe
744	2244	WerFault.exe	Utsysc.exe
1616	2244	WerFault.exe	Utsysc.exe
1680	2244	WerFault.exe	Utsysc.exe
4052	2244	WerFault.exe	Utsysc.exe
4204	2244	WerFault.exe	Utsysc.exe
1568	2244	WerFault.exe	Utsysc.exe
4752	2244	WerFault.exe	Utsysc.exe
1004	632	WerFault.exe	Utsysc.exe
4124	2244	WerFault.exe	Utsysc.exe
2056	2244	WerFault.exe	Utsysc.exe
2200	532	WerFault.exe	Utsysc.exe
888	2244	WerFault.exe	Utsysc.exe
1240	2244	WerFault.exe	Utsysc.exe
4752	2244	WerFault.exe	Utsysc.exe
5108	2244	WerFault.exe	Utsysc.exe
4148	64	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4376 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe

pid process

1992 75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe

pid	process
4376	schtasks.exe

pid	process
1992	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exeUtsysc.exe

description	pid	process	target process
PID 1992 wrote to memory of 2244	1992	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe	Utsysc.exe
PID 1992 wrote to memory of 2244	1992	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe	Utsysc.exe
PID 1992 wrote to memory of 2244	1992	75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe	Utsysc.exe
PID 2244 wrote to memory of 4376	2244	Utsysc.exe	schtasks.exe
PID 2244 wrote to memory of 4376	2244	Utsysc.exe	schtasks.exe
PID 2244 wrote to memory of 4376	2244	Utsysc.exe	schtasks.exe
PID 2244 wrote to memory of 3964	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 3964	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 3964	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 4332	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 4332	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 4332	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 1476	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 1476	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 1476	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 3124	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 3124	2244	Utsysc.exe	rundll32.exe
PID 2244 wrote to memory of 3124	2244	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe
"C:\Users\Admin\AppData\Local\Temp\75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 580
2⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 680
2⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 708
2⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 852
2⤵
- Program crash
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 712
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 892
2⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1124
2⤵
- Program crash
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1148
2⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1228
2⤵
- Program crash
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 976
2⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 976
2⤵
- Program crash
PID:4144

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 620
3⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 932
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 940
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1016
3⤵
- Program crash
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 996
3⤵
- Program crash
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1040
3⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1008
3⤵
- Program crash
PID:676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 920
3⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 624
3⤵
- Program crash
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 916
3⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1228
3⤵
- Program crash
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1248
3⤵
- Program crash
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1240
3⤵
- Program crash
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1256
3⤵
- Program crash
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1228
3⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1440
3⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1448
3⤵
- Program crash
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1444
3⤵
- Program crash
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1692
3⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1040
3⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1788
3⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:3964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1796
3⤵
- Program crash
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1852
3⤵
- Program crash
PID:1240

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:1476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1252
3⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1864
3⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 788
2⤵
- Program crash
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 752
2⤵
- Program crash
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1992 -ip 1992
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1992 -ip 1992
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1992 -ip 1992
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1992 -ip 1992
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1992 -ip 1992
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1992 -ip 1992
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1992 -ip 1992
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1992 -ip 1992
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1992 -ip 1992
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1992 -ip 1992
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1992 -ip 1992
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2244 -ip 2244
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1992 -ip 1992
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2244 -ip 2244
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2244 -ip 2244
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2244 -ip 2244
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2244 -ip 2244
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2244 -ip 2244
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2244 -ip 2244
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2244 -ip 2244
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2244 -ip 2244
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2244 -ip 2244
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2244 -ip 2244
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2244 -ip 2244
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2244 -ip 2244
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2244 -ip 2244
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2244 -ip 2244
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2244 -ip 2244
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2244 -ip 2244
1⤵
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2244 -ip 2244
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2244 -ip 2244
1⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 444
2⤵
- Program crash
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 632 -ip 632
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2244 -ip 2244
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2244 -ip 2244
1⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 452
2⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 532 -ip 532
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2244 -ip 2244
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2244 -ip 2244
1⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2244 -ip 2244
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2244 -ip 2244
1⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 444
2⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 64 -ip 64
1⤵
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\963151031488

Filesize
79KB

MD5
65ed4594ce329404c88cbc0b8f84f6cd

SHA1
c70f7694c1efc258702f7b659d115f5fa4e1b4bd

SHA256
46f2989cf8a3a4c4a5b8600ca2a14e2dc45f0fc38198ab3b270c1849b22137ca

SHA512
d80da6ecadcb670cfe1ded3502d3986d1f8186057cbae7de84a49d460c6ca76f46446eae39929655390779d3d2d2f3fe5223995e25fb3bddfbbec9ed350b398a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
422KB

MD5
b55804bd3be73d762a80a9776b05a2ba

SHA1
e39751d63cc2327fa4800494ad77fb89215231b7

SHA256
75e8dfc1b905f37971df736c6fe18f8a0d952973665bccaa00f1036aee748692

SHA512
88e8539902b7843f0fc9d1e70d362b32681240a357a3ed95007e4916ffe5f8fb27e08750992fec7dd49c8dc299c0bc0aac7eaf648d6ce1a0556d2e2b04b23aed

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
memory/64-81-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/64-80-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/532-59-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/532-60-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/632-37-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/632-38-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/1992-3-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/1992-1-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/1992-18-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/1992-2-0x0000000000B20000-0x0000000000B8C000-memory.dmp

Filesize
432KB

Download
memory/2244-17-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-55-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-56-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-54-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-53-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-41-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download
memory/2244-40-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-73-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-74-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-34-0x0000000000400000-0x000000000088A000-memory.dmp

Filesize
4.5MB

Download
memory/2244-16-0x0000000000950000-0x00000000009BC000-memory.dmp

Filesize
432KB

Download
memory/2244-15-0x00000000009D0000-0x0000000000AD0000-memory.dmp

Filesize
1024KB

Download