amadey | d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f

Resubmissions

29-10-2024 10:37

241029-mnv55avbqk 10

05-05-2023 19:46

230505-yg72wscd81 10

Analysis

max time kernel
145s
max time network
156s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-10-2024 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Size

1.2MB
MD5

74b0ccf3de68e8e63088a697bccced26
SHA1

d3d8252558125ac843ac3c339bab3641e23a61d5
SHA256

d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f
SHA512

85de1d6d8b4ec19a3b82ecbbd41ce129742c63fd306214bb37c3005733056a7cab7c5a3765c41612a00d5e12c694f11864146e69fb723d696ce18a50caec74c9
SSDEEP

24576:LyfKfMXMQEseAkUF4Owq7/nqC0fIXSV8UQRBQfU3LEI:+fwMc5PCF4OhPqC0fzQLQfOL

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 34 IoCs

resource	yara_rule
behavioral3/memory/3560-28-0x0000000004940000-0x000000000495A000-memory.dmp	healer
behavioral3/memory/3560-30-0x00000000049B0000-0x00000000049C8000-memory.dmp	healer
behavioral3/memory/3560-32-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-58-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-56-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-54-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-52-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-50-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-48-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-46-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-44-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-42-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-40-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-38-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-36-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-34-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3560-31-0x00000000049B0000-0x00000000049C3000-memory.dmp	healer
behavioral3/memory/3608-64-0x0000000004D60000-0x0000000004D7A000-memory.dmp	healer
behavioral3/memory/3608-65-0x0000000004DD0000-0x0000000004DE8000-memory.dmp	healer
behavioral3/memory/3608-73-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-71-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-91-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-89-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-87-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-85-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-83-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-81-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-79-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-77-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-75-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-93-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-69-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-67-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer
behavioral3/memory/3608-66-0x0000000004DD0000-0x0000000004DE2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	298211359.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	298211359.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral3/memory/980-105-0x0000000004E60000-0x0000000004E9C000-memory.dmp	family_redline
behavioral3/memory/980-106-0x00000000056B0000-0x00000000056EA000-memory.dmp	family_redline
behavioral3/memory/980-108-0x00000000056B0000-0x00000000056E5000-memory.dmp	family_redline
behavioral3/memory/980-112-0x00000000056B0000-0x00000000056E5000-memory.dmp	family_redline
behavioral3/memory/980-110-0x00000000056B0000-0x00000000056E5000-memory.dmp	family_redline
behavioral3/memory/980-107-0x00000000056B0000-0x00000000056E5000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	385941545.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
4032	cZ674215.exe
4636	KB289092.exe
3528	qE215205.exe
3560	186127212.exe
3608	298211359.exe
988	385941545.exe
2948	oneetx.exe
980	415153552.exe
3532	oneetx.exe
656	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	298211359.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	186127212.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	186127212.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cZ674215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KB289092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	qE215205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	3608	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	186127212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cZ674215.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KB289092.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qE215205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	298211359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	385941545.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	415153552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3560	186127212.exe
3560	186127212.exe
3608	298211359.exe
3608	298211359.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3560	186127212.exe
Token: SeDebugPrivilege	3608	298211359.exe
Token: SeDebugPrivilege	980	415153552.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
988	385941545.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 4032	948	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	81
PID 948 wrote to memory of 4032	948	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	81
PID 948 wrote to memory of 4032	948	d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe	81
PID 4032 wrote to memory of 4636	4032	cZ674215.exe	82
PID 4032 wrote to memory of 4636	4032	cZ674215.exe	82
PID 4032 wrote to memory of 4636	4032	cZ674215.exe	82
PID 4636 wrote to memory of 3528	4636	KB289092.exe	83
PID 4636 wrote to memory of 3528	4636	KB289092.exe	83
PID 4636 wrote to memory of 3528	4636	KB289092.exe	83
PID 3528 wrote to memory of 3560	3528	qE215205.exe	84
PID 3528 wrote to memory of 3560	3528	qE215205.exe	84
PID 3528 wrote to memory of 3560	3528	qE215205.exe	84
PID 3528 wrote to memory of 3608	3528	qE215205.exe	85
PID 3528 wrote to memory of 3608	3528	qE215205.exe	85
PID 3528 wrote to memory of 3608	3528	qE215205.exe	85
PID 4636 wrote to memory of 988	4636	KB289092.exe	89
PID 4636 wrote to memory of 988	4636	KB289092.exe	89
PID 4636 wrote to memory of 988	4636	KB289092.exe	89
PID 988 wrote to memory of 2948	988	385941545.exe	90
PID 988 wrote to memory of 2948	988	385941545.exe	90
PID 988 wrote to memory of 2948	988	385941545.exe	90
PID 4032 wrote to memory of 980	4032	cZ674215.exe	91
PID 4032 wrote to memory of 980	4032	cZ674215.exe	91
PID 4032 wrote to memory of 980	4032	cZ674215.exe	91
PID 2948 wrote to memory of 1956	2948	oneetx.exe	92
PID 2948 wrote to memory of 1956	2948	oneetx.exe	92
PID 2948 wrote to memory of 1956	2948	oneetx.exe	92
PID 2948 wrote to memory of 4396	2948	oneetx.exe	94
PID 2948 wrote to memory of 4396	2948	oneetx.exe	94
PID 2948 wrote to memory of 4396	2948	oneetx.exe	94
PID 4396 wrote to memory of 1612	4396	cmd.exe	96
PID 4396 wrote to memory of 1612	4396	cmd.exe	96
PID 4396 wrote to memory of 1612	4396	cmd.exe	96
PID 4396 wrote to memory of 2496	4396	cmd.exe	97
PID 4396 wrote to memory of 2496	4396	cmd.exe	97
PID 4396 wrote to memory of 2496	4396	cmd.exe	97
PID 4396 wrote to memory of 3536	4396	cmd.exe	98
PID 4396 wrote to memory of 3536	4396	cmd.exe	98
PID 4396 wrote to memory of 3536	4396	cmd.exe	98
PID 4396 wrote to memory of 1652	4396	cmd.exe	99
PID 4396 wrote to memory of 1652	4396	cmd.exe	99
PID 4396 wrote to memory of 1652	4396	cmd.exe	99
PID 4396 wrote to memory of 1420	4396	cmd.exe	100
PID 4396 wrote to memory of 1420	4396	cmd.exe	100
PID 4396 wrote to memory of 1420	4396	cmd.exe	100
PID 4396 wrote to memory of 1640	4396	cmd.exe	101
PID 4396 wrote to memory of 1640	4396	cmd.exe	101
PID 4396 wrote to memory of 1640	4396	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe
"C:\Users\Admin\AppData\Local\Temp\d1051a6e5813ae8faf78b2248f8f81592f08f8f996507fe0b322c21f5a92a84f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1212
        6⤵
        Program crash
        
        PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3608 -ip 3608
1⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
1⤵
- Executes dropped EXE
PID:3532

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
1⤵
- Executes dropped EXE
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cZ674215.exe

Filesize
1.0MB

MD5
fac510b9d09689ed6da473f4299d9842

SHA1
3490f68eb4c9e7bd8732c10653acd78d433c3ac0

SHA256
c758a98d0ec766e3f19658ef398052f3352c2cece1058db9563918f4f4000053

SHA512
1ae59a73f816ef59185b2a699860fe24e65c383b41738642fc11e31aae3272aecd48dd6dd79097507bd63feb86396f9d8c65e9a24b1c6d17092b7e7d143d0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\415153552.exe

Filesize
461KB

MD5
1f83c7703947d020013d1da55720af72

SHA1
3a3711e6d659131f3ea1b9fca6721821b3d7a95e

SHA256
3bbc69bedd6ba43241f7fe993ad3085a860a4316cbbbfa301d91e74fcfdc75ab

SHA512
9f1d266e021a209ad8da310b91345bd718799558711ddb28e0116f5672a57c840825aa9df831967451957112713504fc4dfd270eb7afa636710cbe011ef63391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KB289092.exe

Filesize
638KB

MD5
c4833707e57427ae9ef317823c0856ac

SHA1
b0fceeea6a88a31aee0d802db8fffa0f2b297274

SHA256
50db37d6ba78f12d481ee474b72387f3f543ac7c96488fcbda035feaaf45bda5

SHA512
c7a778c3210fc966f51fae28364caabeb4bbaa445a9007d775241c0c6906781b72cee4e4e6dfd518a911e2c67564f3367ef2c0f70ffd6aff53b0b7f964df936b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\385941545.exe

Filesize
204KB

MD5
b38ef258d68b6aaf1ad2c6cfa99e3f94

SHA1
40ef301f931486216c9293fbfba1a0ba846cf647

SHA256
e2bed58b32d53409b8a316926a462dd4c5bb4375f3268d43561ce426f0da5e94

SHA512
529fc4d4ae0dcf9fa3f95e0904d68d06ab0fcf4ee6cf59df76f42587920be3f51eee5e7473f95fa25bd502bec4f15d8d0550b013b9ea3bbebe8c1de56d389a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qE215205.exe

Filesize
467KB

MD5
ee0f317f44b37b2bd1d2c476cd496f80

SHA1
00874fed0aaf45d425d05e44561fae53f704d807

SHA256
4d1ab88c142d74d9773d3f040faeb56827a7f8324a71ac635c82a8b327a9c2c3

SHA512
c61447e7e0b620da890340263811a356b4173978560b72fb7cd9d520360eba4fffc8fd1fe2323afdacf91fb834dc025a18d3e73d5a193dead62bc68b1cd245a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\186127212.exe

Filesize
176KB

MD5
1961de8005293372ef065337715b49e3

SHA1
c4c4f869a66f4c173ecde374db1df30752b6de1d

SHA256
f85bd9845e59c591e90363ab6170456122e213e4bc5ca7f9ad976c2b68951ccb

SHA512
74ce76066fa56a4ca9818cd5fbbf4241f63bd982378c5f46909330e9c979af303b2a70f049c342fd54450a1e2a4b99131051031509efae589182c095c0277155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\298211359.exe

Filesize
377KB

MD5
81be911edfff00fe91967c45f80fa86b

SHA1
39319ebb19b09b46b5825f4d27436640957be112

SHA256
6e7439841be72fe0401d1866629b15fe3598b24dc54362c695afd527a3c940f2

SHA512
9f8baed9088c84c4bfaad6a87a810325c29aa457259a65efbd5604ff6b02d63903c3cca5aaeec7151f87137aaee00605c0ad5fd92f07046624ed89b985c6acbb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
11KB

MD5
b7759166a0f1807b202b45f510c2172e

SHA1
ef160ebdf82a6cadd27197fb589a3786e58e3fa5

SHA256
825eb1a627f34c3d1fad85cb5904b5ac0fded65f677c5a85fa992e42c450fd99

SHA512
5085882d85f2d3ab9fa2c2b3bfbde24072ae732b02529946700df1ee92fbafb0e7d305bf21f6034b44012d310495bc7ebd4826b226685a1cc3790b429d0169ec

Download Submit
memory/980-900-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/980-899-0x00000000081D0000-0x00000000087E8000-memory.dmp

Filesize
6.1MB

Download
memory/980-107-0x00000000056B0000-0x00000000056E5000-memory.dmp

Filesize
212KB

Download
memory/980-110-0x00000000056B0000-0x00000000056E5000-memory.dmp

Filesize
212KB

Download
memory/980-112-0x00000000056B0000-0x00000000056E5000-memory.dmp

Filesize
212KB

Download
memory/980-108-0x00000000056B0000-0x00000000056E5000-memory.dmp

Filesize
212KB

Download
memory/980-901-0x0000000007BF0000-0x0000000007CFA000-memory.dmp

Filesize
1.0MB

Download
memory/980-106-0x00000000056B0000-0x00000000056EA000-memory.dmp

Filesize
232KB

Download
memory/980-105-0x0000000004E60000-0x0000000004E9C000-memory.dmp

Filesize
240KB

Download
memory/980-902-0x0000000007D00000-0x0000000007D3C000-memory.dmp

Filesize
240KB

Download
memory/980-903-0x0000000002850000-0x000000000289C000-memory.dmp

Filesize
304KB

Download
memory/3560-46-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-38-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-31-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-36-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-28-0x0000000004940000-0x000000000495A000-memory.dmp

Filesize
104KB

Download
memory/3560-29-0x0000000004B40000-0x00000000050E6000-memory.dmp

Filesize
5.6MB

Download
memory/3560-30-0x00000000049B0000-0x00000000049C8000-memory.dmp

Filesize
96KB

Download
memory/3560-32-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-58-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-56-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-34-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-54-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-52-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-50-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-48-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-44-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-42-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3560-40-0x00000000049B0000-0x00000000049C3000-memory.dmp

Filesize
76KB

Download
memory/3608-87-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-79-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-66-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-94-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3608-96-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/3608-69-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-93-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-75-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-77-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-67-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-81-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-83-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-85-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-89-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-91-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-71-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-73-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/3608-65-0x0000000004DD0000-0x0000000004DE8000-memory.dmp

Filesize
96KB

Download
memory/3608-64-0x0000000004D60000-0x0000000004D7A000-memory.dmp

Filesize
104KB

Download