Analysis

max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 20:01
Static task: static1
General

Target: 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe
Size: 1.0MB
MD5: bfb21c9f6ad936ddea19cf16e8d00f65
SHA1: a8945d3908fabccf5e3ca2eab01eff390ed91657
SHA256: 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8
SHA512: fd57017f3aee54a018aed41933c203b50896ccdacd436045f0c519e1f868bb24b3769d574b3433f1e35cad6158cec78a7657f8635abc7c2e1008696eb67c32e9
SSDEEP: 24576:Ky1zoh+QEf0nhkNpHFqz4SSaROPFlLUM4InGx5D:RFohLEf0n2L84aCF+MjI5
Malware Config

Extracted
  amadey
  3.70
  b50502
  http://77.91.124.207
  install_dir: 595f021478
  install_file: oneetx.exe
  strings_key: 6e3d32d239380a49b6f83128fe71ea01
  url_paths: /plays/chapter/index.php

Extracted
  redline
  norm
  77.91.124.145:4125
  auth_value: 1514e6c0ec3d10a36f68f61b206f5759
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (19 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb9-19.dat | healer
behavioral1/memory/1728-22-0x0000000000660000-0x000000000066A000-memory.dmp | healer
behavioral1/memory/3496-48-0x00000000021D0000-0x00000000021EA000-memory.dmp | healer
behavioral1/memory/3496-50-0x0000000002560000-0x0000000002578000-memory.dmp | healer
behavioral1/memory/3496-78-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-76-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-74-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-72-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-70-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-68-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-66-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-64-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-62-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-60-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-58-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-56-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-54-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-52-0x0000000002560000-0x0000000002572000-memory.dmp | healer
behavioral1/memory/3496-51-0x0000000002560000-0x0000000002572000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | az651152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | az651152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | az651152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | cor8375.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | az651152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | az651152.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | az651152.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1464-2169-0x0000000005400000-0x0000000005432000-memory.dmp | family_redline
behavioral1/files/0x0008000000023cb5-2174.dat | family_redline
behavioral1/memory/4952-2182-0x00000000009C0000-0x00000000009F0000-memory.dmp | family_redline

Redline family
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | bu840181.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | dcd16s40.exe
Executes dropped EXE (10 IoCs)
pid | Process
4772 | kina1326.exe
448 | kina7995.exe
1728 | az651152.exe
2732 | bu840181.exe
1856 | oneetx.exe
3496 | cor8375.exe
1464 | dcd16s40.exe
4952 | 1.exe
1116 | oneetx.exe
5432 | oneetx.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | az651152.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | cor8375.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | cor8375.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | kina1326.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kina7995.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (30 IoCs)
pid | pid_target | Process | procid_target
2504 | 2732 | WerFault.exe | 96
2680 | 2732 | WerFault.exe | 96
1148 | 2732 | WerFault.exe | 96
4796 | 2732 | WerFault.exe | 96
4496 | 2732 | WerFault.exe | 96
2252 | 2732 | WerFault.exe | 96
1596 | 2732 | WerFault.exe | 96
3268 | 2732 | WerFault.exe | 96
2500 | 2732 | WerFault.exe | 96
4736 | 2732 | WerFault.exe | 96
2288 | 1856 | WerFault.exe | 117
4676 | 1856 | WerFault.exe | 117
4728 | 1856 | WerFault.exe | 117
320 | 1856 | WerFault.exe | 117
2276 | 1856 | WerFault.exe | 117
2024 | 1856 | WerFault.exe | 117
3884 | 1856 | WerFault.exe | 117
4456 | 1856 | WerFault.exe | 117
2844 | 1856 | WerFault.exe | 117
4144 | 1856 | WerFault.exe | 117
5096 | 1856 | WerFault.exe | 117
1356 | 1856 | WerFault.exe | 117
2156 | 3496 | WerFault.exe | 122
5964 | 1464 | WerFault.exe | 149
812 | 1116 | WerFault.exe | 162
1384 | 1856 | WerFault.exe | 117
5560 | 5432 | WerFault.exe | 167
5172 | 1856 | WerFault.exe | 117
5608 | 1856 | WerFault.exe | 117
5880 | 1856 | WerFault.exe | 117
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bu840181.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kina1326.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kina7995.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cor8375.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dcd16s40.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1328 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1728 | az651152.exe
1728 | az651152.exe
3496 | cor8375.exe
3496 | cor8375.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1728 | az651152.exe
Token: SeDebugPrivilege | 3496 | cor8375.exe
Token: SeDebugPrivilege | 1464 | dcd16s40.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2732 | bu840181.exe

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 2884 wrote to memory of 4772 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 83
PID 2884 wrote to memory of 4772 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 83
PID 2884 wrote to memory of 4772 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 83
PID 4772 wrote to memory of 448 | 4772 | kina1326.exe | 84
PID 4772 wrote to memory of 448 | 4772 | kina1326.exe | 84
PID 4772 wrote to memory of 448 | 4772 | kina1326.exe | 84
PID 448 wrote to memory of 1728 | 448 | kina7995.exe | 86
PID 448 wrote to memory of 1728 | 448 | kina7995.exe | 86
PID 448 wrote to memory of 2732 | 448 | kina7995.exe | 96
PID 448 wrote to memory of 2732 | 448 | kina7995.exe | 96
PID 448 wrote to memory of 2732 | 448 | kina7995.exe | 96
PID 2732 wrote to memory of 1856 | 2732 | bu840181.exe | 117
PID 2732 wrote to memory of 1856 | 2732 | bu840181.exe | 117
PID 2732 wrote to memory of 1856 | 2732 | bu840181.exe | 117
PID 4772 wrote to memory of 3496 | 4772 | kina1326.exe | 122
PID 4772 wrote to memory of 3496 | 4772 | kina1326.exe | 122
PID 4772 wrote to memory of 3496 | 4772 | kina1326.exe | 122
PID 1856 wrote to memory of 1328 | 1856 | oneetx.exe | 135
PID 1856 wrote to memory of 1328 | 1856 | oneetx.exe | 135
PID 1856 wrote to memory of 1328 | 1856 | oneetx.exe | 135
PID 2884 wrote to memory of 1464 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 149
PID 2884 wrote to memory of 1464 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 149
PID 2884 wrote to memory of 1464 | 2884 | 17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe | 149
PID 1464 wrote to memory of 4952 | 1464 | dcd16s40.exe | 150
PID 1464 wrote to memory of 4952 | 1464 | dcd16s40.exe | 150
PID 1464 wrote to memory of 4952 | 1464 | dcd16s40.exe | 150
Processes

(Indentation shows the parent/child relationship in the process tree; each entry lists the image path, the command line, the signatures hit and the PID.)

C:\Users\Admin\AppData\Local\Temp\17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17dc8eb75b6c476ba5d85428da9e6eba8ea3380b54cb01a74730f88d7be21ce8.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2884

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1326.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1326.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4772

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7995.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7995.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 448

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az651152.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az651152.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1728

            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu840181.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu840181.exe
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory
              PID: 2732

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 696
                  - Program crash
                  PID: 2504

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 776
                  - Program crash
                  PID: 2680

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 856
                  - Program crash
                  PID: 1148

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 952
                  - Program crash
                  PID: 4796

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 972
                  - Program crash
                  PID: 4496

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 992
                  - Program crash
                  PID: 2252

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1216
                  - Program crash
                  PID: 1596

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1208
                  - Program crash
                  PID: 3268

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1316
                  - Program crash
                  PID: 2500

                C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
                  - Checks computer location settings
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  PID: 1856

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 692
                      - Program crash
                      PID: 2288

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1004
                      - Program crash
                      PID: 4676

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1012
                      - Program crash
                      PID: 4728

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1092
                      - Program crash
                      PID: 320

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1116
                      - Program crash
                      PID: 2276

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1084
                      - Program crash
                      PID: 2024

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1080
                      - Program crash
                      PID: 3884

                    C:\Windows\SysWOW64\schtasks.exe
                      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
                      - System Location Discovery: System Language Discovery
                      - Scheduled Task/Job: Scheduled Task
                      PID: 1328

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 996
                      - Program crash
                      PID: 4456

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 772
                      - Program crash
                      PID: 2844

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 888
                      - Program crash
                      PID: 4144

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 776
                      - Program crash
                      PID: 5096

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1444
                      - Program crash
                      PID: 1356

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1068
                      - Program crash
                      PID: 1384

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1420
                      - Program crash
                      PID: 5172

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1408
                      - Program crash
                      PID: 5608

                    C:\Windows\SysWOW64\WerFault.exe
                      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1592
                      - Program crash
                      PID: 5880

                C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1428
                  - Program crash
                  PID: 4736

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor8375.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor8375.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3496

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 1084
              - Program crash
              PID: 2156

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dcd16s40.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dcd16s40.exe
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1464

        C:\Windows\Temp\1.exe
          Command line: "C:\Windows\Temp\1.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 4952

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 1384
          - Program crash
          PID: 5964

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2732 -ip 2732
  PID: 832

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2732 -ip 2732
  PID: 4968

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2732 -ip 2732
  PID: 1188

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2732 -ip 2732
  PID: 4132

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2732 -ip 2732
  PID: 5044

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2732 -ip 2732
  PID: 2124

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2732 -ip 2732
  PID: 1680

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2732 -ip 2732
  PID: 1080

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2732 -ip 2732
  PID: 3324

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2732 -ip 2732
  PID: 4716

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1856 -ip 1856
  PID: 2956

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1856 -ip 1856
  PID: 4300

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1856 -ip 1856
  PID: 5088

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1856 -ip 1856
  PID: 628

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1856 -ip 1856
  PID: 3860

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1856 -ip 1856
  PID: 3892

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1856 -ip 1856
  PID: 4780

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1856 -ip 1856
  PID: 2456

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1856 -ip 1856
  PID: 540

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1856 -ip 1856
  PID: 848

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1856 -ip 1856
  PID: 4360

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1856 -ip 1856
  PID: 4452

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
  PID: 1784

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1464 -ip 1464
  PID: 5876

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  - Executes dropped EXE
  PID: 1116

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 192
      - Program crash
      PID: 812

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1116 -ip 1116
  PID: 4808

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1856 -ip 1856
  PID: 1572

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  - Executes dropped EXE
  PID: 5432

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 320
      - Program crash
      PID: 5560

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5432 -ip 5432
  PID: 5520

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1856 -ip 1856
  PID: 1492

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1856 -ip 1856
  PID: 5280

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1856 -ip 1856
  PID: 5784
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 426KB
MD5: 4e1d6f1d4a3c4617d1fd91fa6db6061d
SHA1: e46bfdf39d02111bcd9bf5adbe83e555eea15997
SHA256: 20e5c69aba3f0e916cb8744f028993caad9a2f047676d8bb0a681b668a224445
SHA512: 3e6f7cad0e249d29a3cc94ea46b8bb261e72703046f05f81d55b16f85386eabd03f6c9e31df1e99a0ab704b6c27c8d87ffdd1dcab7b15dd4fd16437cadf924cb

Filesize: 588KB
MD5: a55b2d155d6eab23f8100ea0d4a14b7a
SHA1: 5f18b79cac54a51c8dfb2797d9f1c2b154b9ec42
SHA256: fc5737e2516612677739771f3b921932ada24a54f64f8eb1bdec87a3f2935f95
SHA512: e9bd6c3a881b98e992730da429b51c674dc0de839e4a9377c447d5205851e88b61087517323dd7f526c42cc5c3f30f01d5bfbc933c4983dc79a0f3d2f1a6829f

Filesize: 243KB
MD5: 8175c1ae4576aaba6af1dda39e35c21b
SHA1: e516d58f4603f78e1e3a4c7edf2206f224fcc738
SHA256: 0f4f6ae2a0b37494fc8daf1ca1244ed42cc639486a9c303e9113a18d489c2b97
SHA512: 3776c581bebe90cd7ee86afb4392e8e042f0421683fbce773a341bd1d70221a75710d9c43d4dab209d890cc14ceef0d46c5f6df2e0fd68f21cf0e2b3b6137187

Filesize: 316KB
MD5: 764e7fff6c7e4e3ae650e5c350b4b832
SHA1: 69ab26de1a94734c0c33056c53fbc50200ce75e9
SHA256: 3dfc67b4049001d9f5159adaeef516e2490e6f11af7a45b9cdd81cc46a30e98a
SHA512: 3596888cb9901bebab1a6274ff3cb412830f225d19a96ab2b5ba93e1a35195683aa7fbbd2f85223015b5ec7c2a2e94b5b323d811dab400e17543f6807b39d6ad

Filesize: 15KB
MD5: ccaf2e840d23fb4f73ab759d4824286c
SHA1: d715c19cf9b8e4841a3f492035ed3c115a735421
SHA256: 14d12c22da5f30a8fd0a6b7d2ae6197d8e72abcc8466f1316c50ba9063450a5e
SHA512: fb780594a961222bc99c5f4f41f14adcc827df1750dcb5e88ee204c9523b0920165258ea3f287df9644e78b64768014d526ef2542bfb22a0c7b34c8f417b41c0

Filesize: 235KB
MD5: 23c4f3a369a1223672c417b7cd5fdfc1
SHA1: 31efc44ce096a0291f131b54709f4828aca285ee
SHA256: 3ec53a554baf9d1daace9eb38a49a67733678b153e1f4f8e78ecbb642430f0eb
SHA512: f30f775a510419b58219a7b851ffe2e2d044f79b20b2aaf334feb5a3665ce5504eaa59e3180e63212934cfb9d91dec0c1891fed1fa467b9a0c4a2fc8574a65d7

Filesize: 168KB
MD5: 1073b2e7f778788852d3f7bb79929882
SHA1: 7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4
SHA256: c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb
SHA512: 90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0