amadey | 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d

Analysis

max time kernel
122s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Size

1.8MB
MD5

bc5023306fc8985f32a0a9e78156e17e
SHA1

c0548bcd5649f2b2e394fddd2b2e51361096d21c
SHA256

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d
SHA512

25d4b98401407d5beb5a57fc5b99bf5ee238db5beb54931a07772dd7e3cf93f7e8ac9a7bee64fad3075aaf50463f1147688fb8fc347980d0f96342c43905f46c
SSDEEP

24576:FgtslEnROL38/C/dS8x9zypcmv2AuFKi03Gua/r6kiLrj57stKvfXNGXlpuPt3:QnY38/8S8Lzr6bi03NbkiLHYK3XYpW

Score

10^/10

amadey lumma redline rhadamanthys zgrat @rlreborn cloud (tg: @fatherofcarders)new discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

new

185.215.113.67:26260

Extracted

Family

redline

Botnet

@RLREBORN Cloud (TG: @FATHEROFCARDERS)

45.15.156.209:40481

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

lumma

https://triangleseasonbenchwj.shop/api

https://gemcreedarticulateod.shop/api

https://secretionsuitcasenioise.shop/api

https://claimconcessionrebe.shop/api

https://liabilityarrangemenyit.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe	family_zgrat_v1
behavioral2/memory/5044-47-0x00000000001B0000-0x0000000000742000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe	family_redline
behavioral2/memory/1832-72-0x0000000000E40000-0x0000000000E94000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe	family_redline
behavioral2/memory/4928-102-0x00000000002A0000-0x00000000002F4000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

MsBuild.exe

description pid process target process

PID 3084 created 2696 3084 MsBuild.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

description	pid	process	target process
PID 3084 created 2696	3084	MsBuild.exe	sihost.exe

Detects executables packed with unregistered version of .NET Reactor 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/1832-72-0x0000000000E40000-0x0000000000E94000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/4928-102-0x00000000002A0000-0x00000000002F4000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

53 4232 rundll32.exe
72 3956 rundll32.exe
Downloads MZ/PE file

flow	pid	process
53	4232	rundll32.exe
72	3956	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorgu.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation explorgu.exe
Executes dropped EXE 6 IoCs

Processes:

explorgu.exeNational.exenew.exeRDX1.exelumma123142124.exeFile300un.exe

pid process

4364 explorgu.exe
5044 National.exe
1832 new.exe
4928 RDX1.exe
4908 lumma123142124.exe
224 File300un.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	explorgu.exe

pid	process
4364	explorgu.exe
5044	National.exe
1832	new.exe
4928	RDX1.exe
4908	lumma123142124.exe
224	File300un.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Key opened	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Software\Wine	explorgu.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exeNational.exe

pid process

4504 rundll32.exe
4232 rundll32.exe
3956 rundll32.exe
5044 National.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exeexplorgu.exe

pid process

848 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
4364 explorgu.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

lumma123142124.exeNational.exe

description pid process target process

PID 4908 set thread context of 4728 4908 lumma123142124.exe RegAsm.exe
PID 5044 set thread context of 3084 5044 National.exe MsBuild.exe
Drops file in Windows directory 1 IoCs

Processes:

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4508 4728 WerFault.exe RegAsm.exe
548 4728 WerFault.exe RegAsm.exe
2392 5044 WerFault.exe National.exe
3036 3084 WerFault.exe MsBuild.exe
2960 3084 WerFault.exe MsBuild.exe

pid	process
4504	rundll32.exe
4232	rundll32.exe
3956	rundll32.exe
5044	National.exe

description	pid	process	target process
PID 4908 set thread context of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 5044 set thread context of 3084	5044	National.exe	MsBuild.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe

pid	pid_target	process	target process
4508	4728	WerFault.exe	RegAsm.exe
548	4728	WerFault.exe	RegAsm.exe
2392	5044	WerFault.exe	National.exe
3036	3084	WerFault.exe	MsBuild.exe
2960	3084	WerFault.exe	MsBuild.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exeexplorgu.exerundll32.exepowershell.exeRDX1.exeMsBuild.exedialer.exenew.exe

pid	process
848	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
848	888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
4364	explorgu.exe
4364	explorgu.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
4232	rundll32.exe
680	powershell.exe
680	powershell.exe
680	powershell.exe
4928	RDX1.exe
3084	MsBuild.exe
3084	MsBuild.exe
3920	dialer.exe
3920	dialer.exe
3920	dialer.exe
3920	dialer.exe
1832	new.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeRDX1.exenew.exe

description pid process

Token: SeDebugPrivilege 680 powershell.exe
Token: SeDebugPrivilege 4928 RDX1.exe
Token: SeDebugPrivilege 1832 new.exe

description	pid	process
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	4928	RDX1.exe
Token: SeDebugPrivilege	1832	new.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

explorgu.exelumma123142124.exerundll32.exerundll32.exeNational.exeMsBuild.exe

description	pid	process	target process
PID 4364 wrote to memory of 5044	4364	explorgu.exe	National.exe
PID 4364 wrote to memory of 5044	4364	explorgu.exe	National.exe
PID 4364 wrote to memory of 5044	4364	explorgu.exe	National.exe
PID 4364 wrote to memory of 1832	4364	explorgu.exe	new.exe
PID 4364 wrote to memory of 1832	4364	explorgu.exe	new.exe
PID 4364 wrote to memory of 1832	4364	explorgu.exe	new.exe
PID 4364 wrote to memory of 4928	4364	explorgu.exe	RDX1.exe
PID 4364 wrote to memory of 4928	4364	explorgu.exe	RDX1.exe
PID 4364 wrote to memory of 4928	4364	explorgu.exe	RDX1.exe
PID 4364 wrote to memory of 4908	4364	explorgu.exe	lumma123142124.exe
PID 4364 wrote to memory of 4908	4364	explorgu.exe	lumma123142124.exe
PID 4364 wrote to memory of 4908	4364	explorgu.exe	lumma123142124.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4908 wrote to memory of 4728	4908	lumma123142124.exe	RegAsm.exe
PID 4364 wrote to memory of 4504	4364	explorgu.exe	rundll32.exe
PID 4364 wrote to memory of 4504	4364	explorgu.exe	rundll32.exe
PID 4364 wrote to memory of 4504	4364	explorgu.exe	rundll32.exe
PID 4504 wrote to memory of 4232	4504	rundll32.exe	rundll32.exe
PID 4504 wrote to memory of 4232	4504	rundll32.exe	rundll32.exe
PID 4232 wrote to memory of 2324	4232	rundll32.exe	netsh.exe
PID 4232 wrote to memory of 2324	4232	rundll32.exe	netsh.exe
PID 4364 wrote to memory of 224	4364	explorgu.exe	File300un.exe
PID 4364 wrote to memory of 224	4364	explorgu.exe	File300un.exe
PID 4364 wrote to memory of 224	4364	explorgu.exe	File300un.exe
PID 4232 wrote to memory of 680	4232	rundll32.exe	powershell.exe
PID 4232 wrote to memory of 680	4232	rundll32.exe	powershell.exe
PID 4364 wrote to memory of 3956	4364	explorgu.exe	rundll32.exe
PID 4364 wrote to memory of 3956	4364	explorgu.exe	rundll32.exe
PID 4364 wrote to memory of 3956	4364	explorgu.exe	rundll32.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 5044 wrote to memory of 3084	5044	National.exe	MsBuild.exe
PID 3084 wrote to memory of 3920	3084	MsBuild.exe	dialer.exe
PID 3084 wrote to memory of 3920	3084	MsBuild.exe	dialer.exe
PID 3084 wrote to memory of 3920	3084	MsBuild.exe	dialer.exe
PID 3084 wrote to memory of 3920	3084	MsBuild.exe	dialer.exe
PID 3084 wrote to memory of 3920	3084	MsBuild.exe	dialer.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2696

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Users\Admin\AppData\Local\Temp\888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe
"C:\Users\Admin\AppData\Local\Temp\888ce84266258342e3f3afbdbfde377b6dac2d47c4499b527a47f5f6f3a3af7d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
"C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 432
4⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 436
4⤵
- Program crash
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 964
3⤵
- Program crash
PID:2392

C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe
"C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe
"C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1220
4⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1220
4⤵
- Program crash
PID:548

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\791175113106_Desktop.zip' -CompressionLevel Optimal
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe"
2⤵
- Executes dropped EXE
PID:224

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3956

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4728 -ip 4728
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4728 -ip 4728
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5044 -ip 5044
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3084 -ip 3084
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3084 -ip 3084
1⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize
1.1MB

MD5
72a4897696f3cd8f07416c8b8980248a

SHA1
79ef11113b6f96d7e0921789cd15de2552ecfcff

SHA256
65890a6aadf8a0653a1c61064a1dda35ae3828fa3f836d3d9522bccaf4bc2780

SHA512
2662059130315dedf5b1e90cddc53423b87d395df23e586ea55e6ff863505c820613d54da3945433fd40543919be579714b2e76e3c2b49da6b3bd05747dd474a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize
1.1MB

MD5
37aa8c6527bbe45a02db20252390affa

SHA1
06d928b99168c1d481c358eb3f5564f015b7887f

SHA256
60b498ee16d47c4a4bb9f193cf7dca10341b0dbf01f128e9598d0141c7810ae2

SHA512
0f98deedb436566e876a1c74a8bd02b9b37ac167c37916569d872e7ef8e385429c50b9d048cf4334de44c6454356b23ea12661a0014601a36f6b45c724c2c980

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
5.6MB

MD5
6c43c0e522be699b762ef2f93979f753

SHA1
90056b17c488288068cd44848057b4fc5a63a973

SHA256
30837ff7ce483965ce6b270bec9a1082ee7972e28d8e17bbfbf9cc908671cae0

SHA512
67a51f38ad7bb5771e2d2495977c72a3b8793aefe7918c9afc38eb411de7c72530bf393c36f005fd673e2713f04fa0e156419de30383931d46c68873d72cb0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
3.7MB

MD5
c2d1bbb7ba23c2c2bcdf58d244101d80

SHA1
f48ce9c3607d8b30a8993e59b18b1646a2c6047d

SHA256
cf90a611dc7a434d3ee1529c1b7be61af2efd4262a4f2a8f2652f7a7fb97b2b9

SHA512
1678ea006237a63171557bf2fa3bf89a510b2fb7aeb5c22492390d9e3437609ff75b6632425a16fd2fb0e7115ec208dbfa4fa3af89006217c128f37ca5b5bf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000277001\National.exe
Filesize
3.0MB

MD5
3b49b1df7e7dff5f7c072a580b13615a

SHA1
25ffcd65f20e7134ddbfcb5b133f223cbc35fe55

SHA256
7b452459c3563f6ff52d911198a68247ea81eb4d5c94af596b09e118e7dd3aee

SHA512
b9b3388ee28d7067d44594c48181b0598d2156d287466dc78ae0e37ea490132effe7c0323d366641aa824b50e0f5df6e72c62715fcac58b30c5aa37bafa14177

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000279001\new.exe
Filesize
313KB

MD5
f7df4f6867414bb68132b8815f010e4a

SHA1
ff3b43447568de645671afb2214b26901ad7a4fc

SHA256
2c9490406c7ea631dddcd60f862445faef37c036651636e4bf5e6fe0837c4b42

SHA512
0ad9b1544c25ae7814fe1ecdb1cfd466fd14603a6d55749e63ce6b90926ad239f134aef1bcaa0910b79235b8a3873ad11698e17dbd0cfee92fb909f4daf0412e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000280001\RDX1.exe
Filesize
313KB

MD5
a98147219e118138a69583d2bf4b4a4f

SHA1
0933d682bc3d11a1468fbca7c863a5c1619b06ed

SHA256
aea02ed572705a2cb522550f31ec39cf0781b90d5ea6f58686f60bd7c91e52c2

SHA512
719e73b5341d7c358439efdcf9d479c68bd7d0a67a77fc190e187a1dc293f4791357e509e08b94156b71b9bcc02c4ab5576f4f67a25da7ea4d5a026ae4f86266

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
Filesize
231KB

MD5
443a6c1590ec11f1aa5f4fc9b9b1c18d

SHA1
75034ec94274982acbd02dc9f35ba15880c137ee

SHA256
c29c64282ecf027d14ea337af76c6b89b3617863755bd0e29646bfc00bcadd69

SHA512
fc90e9390da7ed2e5262521cb69cf5b1aba13221b7ccc89261e89214b6e607d61940139bc704f095681778a83833471a686be88e3ec3dc95fb6c0dd0e730f4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
Filesize
33KB

MD5
74e53c668ef944f403bb57b604863f91

SHA1
98616d6c8ebc9b0b5bcc6d3b0724929a4987b004

SHA256
3cd558a73ff6dba73d09ffbfbd66ca11f341219a18ef6b0f31968ba8785a76a2

SHA512
464ab6b02a3a99b2a850bd4df2348d24d5c208f116732ffc1e9dfeb5c0c3bbf6688315d3ab51b370a1bf2cff7cb8c0ecba0f8a5d80c5669af44d036d9193ccde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000281001\lumma123142124.exe
Filesize
17KB

MD5
996bc4212f1d78c27473464452752e54

SHA1
df6818c9bf73311326ae081c7ffcd750e4195090

SHA256
929e5015bc4cf3987beb47650ec1896a11978582224be0e98a9177707dd21e5e

SHA512
b145a7d9a91eb2d98c59c03aeece0575fbadcd970bfaa2431dc426e20f88d92361da15a146bca5982848de968386ee8716988c69c7af43ee6c1ed20c07d84c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000282001\File300un.exe
Filesize
57KB

MD5
055231d52a308768e6f648954fd9a3af

SHA1
eb07ae002f10dd7a0940499b1b65ad4726bd9576

SHA256
1da862e5ed37d1aca728940d0f58601c2932a86289bcd8aee627d4b8f3abb3c3

SHA512
9b4807e91b195c776dff98087298cd465083d57aac425d149e733b1b9e37cfd0bca73182dbf93f4ce75c74730656778a3b2e6f52f8dd054efa9c5040f38b80c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gcg4slwf.2he.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
34KB

MD5
10b40555b4372d2ad276f469967337a6

SHA1
f360029fa6fa795e15aaea598325c0ad4eda1d28

SHA256
d68d0cb731398010b0a2f7219c804218f8fac242cfcad64338aad42e2c4ab33e

SHA512
ac362b65de7775dbed923cc03c979519403c8c96b8376e3a1183af8c7ee8eccb8463e76d60cf1e1e41c40c2d0f345d3c0a07d091d1ae778db90cdffad06c1b56

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
31KB

MD5
6faaa2a08b42b544589a8d532e81d217

SHA1
2921145922187463c3df7da6c76e1734e69499fc

SHA256
3fd471ef82e0336170b8d6449689ad35820e0fab6afcb827ebcc583e4010cfe2

SHA512
3a2153d0501cfb18a266c835e08521eef2431a02eaa4e7856ce76f5956063402cdb672c1623eb4ae577c83ca5dc6d86df744b64f6df0f30016e67adb96b61670

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
504KB

MD5
dfadef9a27df1e69105bc355797a8991

SHA1
822adb41e93fdc4046e59d93d4fcdcedeba17e03

SHA256
619320a7f1685c6b1b5db297d032414e95a4d22d4ca108d57b3580e1884bb224

SHA512
5392df6a0100ae3554fbaf2da3a23002ef79fbd1923af374534ff9d52a703cfff180318cf9be9d33fadd4517c020a798e4eff121d6151fa69d877ea143a359c8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
261KB

MD5
9b2ed6ddce3153362a69ca008f8f0af5

SHA1
c6a78288b3db0cf71a08faa988e6b36ad98553e5

SHA256
dde92cc7e239f010a948d87475a00a22a31471b343b959c1e0d2604bea558c19

SHA512
d7336e38a91abd30afe75bbd88f086ef248cce333dd05da7d38454d9fa85587eb6abc1ba73b25765bf2c80c91af15629b5eeb7de9fee5363455b1ec12a53d8c7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
487KB

MD5
f56b733e983454707cdc8d14130469bf

SHA1
f70128ee4c6acc8e7e183e5ae5af56fa03abd994

SHA256
44df4a139f33a9b7594f1236540809679f5ec3249d3ae42b37220445d90fb312

SHA512
3ec0427fdf35e249890d2d7da9d2ff44aac5ae05709f843070ba27de26d52cf617893fc8a6a380c7e9e5f4ed5fbdb107d7636807a207f3bfecf51022cf65024f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
323KB

MD5
77c9acf27b8a4510c52cc48efa1db9b4

SHA1
85fc807172b952f119dfe49f36dd74cb84fd8872

SHA256
d2f85e22a4569aa28907e822c1e1c238b96b2890b0ae182caaf7a321cb508040

SHA512
cd0a6e0b403b2e63df405320cff9684dbffeabcb2d578771aeca50e954ae42556d25265af66bc70ecb4c2781b0a8e33f9a60832be83df4172f39b564808d18be

Download Submit
memory/224-178-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/224-176-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/224-174-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/680-192-0x00007FF9CB1E0000-0x00007FF9CBCA1000-memory.dmp

Filesize
10.8MB

Download
memory/680-193-0x0000022DA2410000-0x0000022DA2420000-memory.dmp

Filesize
64KB

Download
memory/680-190-0x0000022DA2450000-0x0000022DA2472000-memory.dmp

Filesize
136KB

Download
memory/848-1-0x0000000077904000-0x0000000077906000-memory.dmp

Filesize
8KB

Download
memory/848-5-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/848-0-0x0000000000C20000-0x00000000010D2000-memory.dmp

Filesize
4.7MB

Download
memory/848-8-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/848-3-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/848-10-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/848-7-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/848-4-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/848-2-0x0000000000C20000-0x00000000010D2000-memory.dmp

Filesize
4.7MB

Download
memory/848-9-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/848-15-0x0000000000C20000-0x00000000010D2000-memory.dmp

Filesize
4.7MB

Download
memory/848-6-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1832-73-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1832-77-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/1832-78-0x00000000069A0000-0x0000000006FB8000-memory.dmp

Filesize
6.1MB

Download
memory/1832-80-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/1832-79-0x0000000005C20000-0x0000000005D2A000-memory.dmp

Filesize
1.0MB

Download
memory/1832-81-0x0000000005B90000-0x0000000005BCC000-memory.dmp

Filesize
240KB

Download
memory/1832-82-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download
memory/1832-76-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/1832-75-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1832-72-0x0000000000E40000-0x0000000000E94000-memory.dmp

Filesize
336KB

Download
memory/1832-177-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1832-74-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/1832-194-0x0000000006440000-0x00000000064A6000-memory.dmp

Filesize
408KB

Download
memory/1832-179-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3084-247-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3084-250-0x0000000076A20000-0x0000000076C35000-memory.dmp

Filesize
2.1MB

Download
memory/3084-237-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3084-243-0x00000000037D0000-0x0000000003BD0000-memory.dmp

Filesize
4.0MB

Download
memory/3084-244-0x00000000037D0000-0x0000000003BD0000-memory.dmp

Filesize
4.0MB

Download
memory/3084-240-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3920-251-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/3920-258-0x0000000076A20000-0x0000000076C35000-memory.dmp

Filesize
2.1MB

Download
memory/3920-255-0x00007FF9EA1B0000-0x00007FF9EA3A5000-memory.dmp

Filesize
2.0MB

Download
memory/3920-253-0x00000000020A0000-0x00000000024A0000-memory.dmp

Filesize
4.0MB

Download
memory/4364-272-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-261-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-26-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4364-105-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-27-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4364-245-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-262-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-103-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-263-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-264-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-265-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-18-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-271-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-220-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-19-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-25-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4364-266-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4364-20-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4364-24-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4364-21-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4364-22-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4364-23-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4364-204-0x0000000000C60000-0x0000000001112000-memory.dmp

Filesize
4.7MB

Download
memory/4728-140-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/4728-139-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4728-138-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/4728-134-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4728-142-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4728-131-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4908-127-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-137-0x0000000003160000-0x0000000005160000-memory.dmp

Filesize
32.0MB

Download
memory/4908-136-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4908-128-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4908-126-0x0000000000EF0000-0x0000000000F8C000-memory.dmp

Filesize
624KB

Download
memory/4928-104-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-191-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4928-102-0x00000000002A0000-0x00000000002F4000-memory.dmp

Filesize
336KB

Download
memory/4928-189-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-106-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/5044-141-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-175-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/5044-52-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/5044-51-0x00000000050A0000-0x00000000050A8000-memory.dmp

Filesize
32KB

Download
memory/5044-50-0x0000000005080000-0x000000000509A000-memory.dmp

Filesize
104KB

Download
memory/5044-49-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/5044-48-0x0000000073510000-0x0000000073CC0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-47-0x00000000001B0000-0x0000000000742000-memory.dmp

Filesize
5.6MB

Download