amadey | 15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe
Size

1.3MB
MD5

133e056074a6f5b7bddb78acfc918b3e
SHA1

51b19fe344b7ddba77d28a4eb88d9be8ecdb9643
SHA256

15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc
SHA512

fd534a911af47f347c2ac62c70a0b829f3ecadac66026c711f2f97bf93d7b2a38b3f444c4a267804e9cdf6442a632d3df96620e7096eaaaf1aa7da3e6c9f3dc1
SSDEEP

24576:IyhtUH0y/7QMsgCl36kTX7LGf22id+2VQAdbedAyXbDdJbnje3iTQ:P/UH1zYlNTvGf3iA2VjedpdJvkiT

Score

10^/10

amadey healer redline b50502 maxo norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

Botnet

b50502

http://77.91.124.207

Attributes

install_dir
595f021478
install_file
oneetx.exe
strings_key
6e3d32d239380a49b6f83128fe71ea01
url_paths
/plays/chapter/index.php

rc4.plain

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

maxo

77.91.124.145:4125

Attributes

auth_value
44cd1dfc9c943902c043f02a77e4ee3c

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c46-33.dat	healer
behavioral1/memory/4592-35-0x00000000002B0000-0x00000000002BA000-memory.dmp	healer
behavioral1/memory/1272-60-0x00000000022A0000-0x00000000022BA000-memory.dmp	healer
behavioral1/memory/1272-62-0x00000000024F0000-0x0000000002508000-memory.dmp	healer
behavioral1/memory/1272-66-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-90-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-88-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-86-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-84-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-63-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-82-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-80-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-78-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-76-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-74-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-72-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-70-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-68-0x00000000024F0000-0x0000000002502000-memory.dmp	healer
behavioral1/memory/1272-64-0x00000000024F0000-0x0000000002502000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az244752.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az244752.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az244752.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az244752.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az244752.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0344.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az244752.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/4352-2184-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x0009000000023c42-2189.dat	family_redline
behavioral1/memory/3112-2197-0x0000000000390000-0x00000000003C0000-memory.dmp	family_redline
behavioral1/files/0x0016000000023c2b-2206.dat	family_redline
behavioral1/memory/692-2208-0x0000000000470000-0x00000000004A0000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bu269993.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	dZs67s74.exe

Executes dropped EXE 14 IoCs

pid	Process
3956	kina1230.exe
4708	kina9059.exe
1308	kina6269.exe
2964	kina2030.exe
4592	az244752.exe
4076	bu269993.exe
1856	oneetx.exe
1272	cor0344.exe
4544	oneetx.exe
4352	dZs67s74.exe
3112	1.exe
692	en056171.exe
5208	oneetx.exe
1512	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0344.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az244752.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina1230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina6269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kina2030.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
1744	4076	WerFault.exe	97
4412	4076	WerFault.exe	97
4872	4076	WerFault.exe	97
732	4076	WerFault.exe	97
3772	4076	WerFault.exe	97
3280	4076	WerFault.exe	97
4460	4076	WerFault.exe	97
2136	4076	WerFault.exe	97
2796	4076	WerFault.exe	97
4912	4076	WerFault.exe	97
1176	1856	WerFault.exe	124
2836	1856	WerFault.exe	124
2164	1856	WerFault.exe	124
1380	1856	WerFault.exe	124
2004	1856	WerFault.exe	124
4168	1856	WerFault.exe	124
4812	1856	WerFault.exe	124
3976	1856	WerFault.exe	124
4180	1856	WerFault.exe	124
1096	1856	WerFault.exe	124
2280	1856	WerFault.exe	124
3592	1856	WerFault.exe	124
452	4544	WerFault.exe	154
4652	1272	WerFault.exe	129
3688	4352	WerFault.exe	159
4336	1856	WerFault.exe	124
860	5208	WerFault.exe	168
3684	1512	WerFault.exe	171
3612	1856	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cor0344.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dZs67s74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina1230.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina6269.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina2030.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu269993.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	en056171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kina9059.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4592	az244752.exe
4592	az244752.exe
1272	cor0344.exe
1272	cor0344.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	az244752.exe
Token: SeDebugPrivilege	1272	cor0344.exe
Token: SeDebugPrivilege	4352	dZs67s74.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4076	bu269993.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 3956	3292	15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe	83
PID 3292 wrote to memory of 3956	3292	15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe	83
PID 3292 wrote to memory of 3956	3292	15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe	83
PID 3956 wrote to memory of 4708	3956	kina1230.exe	84
PID 3956 wrote to memory of 4708	3956	kina1230.exe	84
PID 3956 wrote to memory of 4708	3956	kina1230.exe	84
PID 4708 wrote to memory of 1308	4708	kina9059.exe	85
PID 4708 wrote to memory of 1308	4708	kina9059.exe	85
PID 4708 wrote to memory of 1308	4708	kina9059.exe	85
PID 1308 wrote to memory of 2964	1308	kina6269.exe	86
PID 1308 wrote to memory of 2964	1308	kina6269.exe	86
PID 1308 wrote to memory of 2964	1308	kina6269.exe	86
PID 2964 wrote to memory of 4592	2964	kina2030.exe	87
PID 2964 wrote to memory of 4592	2964	kina2030.exe	87
PID 2964 wrote to memory of 4076	2964	kina2030.exe	97
PID 2964 wrote to memory of 4076	2964	kina2030.exe	97
PID 2964 wrote to memory of 4076	2964	kina2030.exe	97
PID 4076 wrote to memory of 1856	4076	bu269993.exe	124
PID 4076 wrote to memory of 1856	4076	bu269993.exe	124
PID 4076 wrote to memory of 1856	4076	bu269993.exe	124
PID 1308 wrote to memory of 1272	1308	kina6269.exe	129
PID 1308 wrote to memory of 1272	1308	kina6269.exe	129
PID 1308 wrote to memory of 1272	1308	kina6269.exe	129
PID 1856 wrote to memory of 4412	1856	oneetx.exe	144
PID 1856 wrote to memory of 4412	1856	oneetx.exe	144
PID 1856 wrote to memory of 4412	1856	oneetx.exe	144
PID 4708 wrote to memory of 4352	4708	kina9059.exe	159
PID 4708 wrote to memory of 4352	4708	kina9059.exe	159
PID 4708 wrote to memory of 4352	4708	kina9059.exe	159
PID 4352 wrote to memory of 3112	4352	dZs67s74.exe	160
PID 4352 wrote to memory of 3112	4352	dZs67s74.exe	160
PID 4352 wrote to memory of 3112	4352	dZs67s74.exe	160
PID 3956 wrote to memory of 692	3956	kina1230.exe	163
PID 3956 wrote to memory of 692	3956	kina1230.exe	163
PID 3956 wrote to memory of 692	3956	kina1230.exe	163

C:\Users\Admin\AppData\Local\Temp\15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe
"C:\Users\Admin\AppData\Local\Temp\15a51c6be5bf6923610a2c6d5287a57916e3674cd5996ccc54a29b857a6017bc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1230.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1230.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9059.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9059.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6269.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6269.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina2030.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina2030.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az244752.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az244752.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu269993.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu269993.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 696
        7⤵
        Program crash
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 792
        7⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 756
        7⤵
        Program crash
        
        PID:4872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 960
        7⤵
        Program crash
        
        PID:732
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 996
        7⤵
        Program crash
        
        PID:3772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 976
        7⤵
        Program crash
        
        PID:3280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1220
        7⤵
        Program crash
        
        PID:4460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1212
        7⤵
        Program crash
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1320
        7⤵
        Program crash
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 692
        8⤵
        Program crash
        
        PID:1176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 724
        8⤵
        Program crash
        
        PID:2836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 968
        8⤵
        Program crash
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1088
        8⤵
        Program crash
        
        PID:1380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1116
        8⤵
        Program crash
        
        PID:2004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1124
        8⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1132
        8⤵
        Program crash
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1152
        8⤵
        Program crash
        
        PID:3976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1012
        8⤵
        Program crash
        
        PID:4180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 784
        8⤵
        Program crash
        
        PID:1096
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1292
        8⤵
        Program crash
        
        PID:2280
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1320
        8⤵
        Program crash
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1172
        8⤵
        Program crash
        
        PID:4336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1560
        8⤵
        Program crash
        
        PID:3612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1412
        7⤵
        Program crash
        
        PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0344.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0344.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1104
        6⤵
        Program crash
        
        PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZs67s74.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZs67s74.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1216
        5⤵
        Program crash
        
        PID:3688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en056171.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en056171.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4076 -ip 4076
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4076 -ip 4076
1⤵
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4076 -ip 4076
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4076 -ip 4076
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4076 -ip 4076
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4076 -ip 4076
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4076 -ip 4076
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4076 -ip 4076
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4076 -ip 4076
1⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4076 -ip 4076
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1856 -ip 1856
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1856 -ip 1856
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1856 -ip 1856
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1856 -ip 1856
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1856 -ip 1856
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1856 -ip 1856
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1856 -ip 1856
1⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1856 -ip 1856
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1856 -ip 1856
1⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1856 -ip 1856
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1856 -ip 1856
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1856 -ip 1856
1⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 320
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4544 -ip 4544
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1272 -ip 1272
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4352 -ip 4352
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1856 -ip 1856
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:5208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 220
  2⤵
  - Program crash
  PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5208 -ip 5208
1⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
1⤵
- Executes dropped EXE
PID:1512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 320
  2⤵
  - Program crash
  PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1512 -ip 1512
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1856 -ip 1856
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1230.exe

Filesize
1.2MB

MD5
c8270d6ab1439e1373740781a783a87f

SHA1
2cc93af111077beb8830899ab04243f2d5f440c6

SHA256
f24520649f0b0f554e4a6a1cb70ea817a562ccbad4315fad09ee50d5a3265f98

SHA512
8824de303d38bb4ee4ad495ce0c3da9a382251c9609d48ede98ad216b3ed8a26df924ffa1fd38af2c9c662e557b432dd37c9b93735dff5eb68fe117eab825889

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en056171.exe

Filesize
168KB

MD5
18c6735bdf7c6f977a19523a4437fd47

SHA1
147ff374161fa7871cb11f6c778b8dbd43cc8341

SHA256
0111258a1d2a7006a91fb807ce5332e29af84175a9d00cbe2245b3bb066c4b76

SHA512
acaeefa78195e26d84876f079bc7feaf66356dec1f54df853839e6dc1f7fc49548bb9d7dc8a6da3e30c193930f19d36efc74f1eb939210367cc2c441b60c5a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9059.exe

Filesize
1.0MB

MD5
42a71a219ab9061e7600db49b65ade42

SHA1
d35900404b9ca8f124daee255ecc6933696bed26

SHA256
709d5db076b5be45171943e4c3630cbde05fbd8394703b33c02150e9acadbd72

SHA512
bd450dfe71084e20cfe56609cc815511a2e5b599628ba467fb75227c2488c411a7313ac7c9e551368a45caa8745e6f88ca6dcb8921a419fd72ea153900b59dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dZs67s74.exe

Filesize
426KB

MD5
48f462915467479e6a2193a4b52567f8

SHA1
1ca18c2baf3a86e7503d320294750e5dbc60dc73

SHA256
6fee328293b37e83af7e8791141694b66e8f1fac86c148228395af0b221c7163

SHA512
5482821c39e10fbafc3dcb9eb8f24adc1213941b50149b0c9ec0a99b39d1dc7f58895a39ee6512a3dec56c91c3384f75cde9faff06eba1ba02ab6733b0d1c920

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6269.exe

Filesize
588KB

MD5
877853541163fc86c004773e3be704fd

SHA1
4bd7db980cfb31070888873351131a23b45fb3f8

SHA256
c17c1aa71eece369550abf17bad637b861109e736113b3e02b19db1ce5789501

SHA512
d25c7c3ce6b68aa891838f04ec9fee1f2a9f944ea353ed4e6cec275017938f74de3060ec6f213d3a8e6f16c667d1e5ec11f3562854fd8d134fae9399fcf85d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0344.exe

Filesize
242KB

MD5
039914f05d247c477a554eafebf874f3

SHA1
4b3c1819d5e7d1f2fb274d9538d2fdd622c8c0c4

SHA256
1f497c79dbfbdb3f980419e908bfc50b8ee54602cffcba335f4024e0f7e8c4d8

SHA512
634af3b45a3acc078b09d3acd56bca398a4b281529f8ea18d5be87991f1118eebd1a19353d754bbf1becbd09b5c63be8c3113d042643741428e1373cacefea0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kina2030.exe

Filesize
315KB

MD5
c9cbf1f177667f0014030f672039324f

SHA1
6f3b56ec75cf87d16e1cdbfffb44e447019acb1a

SHA256
ec172c18144bca523bf78f37080f2342f312c363f4f634906f73edab09f6265c

SHA512
c539d9dfe3803b280ef5d46458528e8a838faca02267fee1c975d9cdb30b16952f07ced3f842af796266b93d61534b6ef149adc47f70a0682e92beb96bf8f052

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az244752.exe

Filesize
14KB

MD5
4db0d7e2dc0421230ca375d55cf1ba2e

SHA1
874ebf98e6d99df6be36499acd07c42058ebf6bb

SHA256
e228fa0375b00c7c6495d76cd64fd3fb235472a0eef3f668ef4d44d9bf98e407

SHA512
dfd5479bfcc25155a55bece60a90a17e8ad2cab8d045d4061ca7d99c1e3f762ab571246cb69c3fd7b5e1b6269405adc963dc54a79e7e83d79d55cef43acdff76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu269993.exe

Filesize
234KB

MD5
eb198959c1a980a1d594f7d71838a9c6

SHA1
bab362d42a57ccdf9e86d914398ece711b87a51a

SHA256
d9c3d74379bd1c876079be6cac5eac2ce57c33d83341e96a976aa5c50e16dd2d

SHA512
b8cd8bf324fb4bc678e51104bdcc2658ce95392bee7ead766490922c867e45de484dcf8db84966f00353d0574f2320f284016311a2a0ca9f1ed4f9d3647b816c

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/692-2209-0x0000000002610000-0x0000000002616000-memory.dmp

Filesize
24KB

Download
memory/692-2208-0x0000000000470000-0x00000000004A0000-memory.dmp

Filesize
192KB

Download
memory/1272-96-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1272-68-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-88-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-86-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-84-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-63-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-82-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-80-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-78-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-76-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-74-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-72-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-70-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-61-0x0000000004BD0000-0x0000000005174000-memory.dmp

Filesize
5.6MB

Download
memory/1272-64-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-90-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-60-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/1272-66-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/1272-62-0x00000000024F0000-0x0000000002508000-memory.dmp

Filesize
96KB

Download
memory/1856-94-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3112-2203-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

Filesize
304KB

Download
memory/3112-2202-0x0000000004D70000-0x0000000004DAC000-memory.dmp

Filesize
240KB

Download
memory/3112-2201-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/3112-2200-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/3112-2199-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/3112-2198-0x0000000002460000-0x0000000002466000-memory.dmp

Filesize
24KB

Download
memory/3112-2197-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/4076-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4352-129-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-119-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-115-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-113-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-111-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-109-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-107-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-105-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-104-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-2184-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/4352-123-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-125-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-127-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-131-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-133-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-121-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-117-0x0000000005200000-0x000000000525F000-memory.dmp

Filesize
380KB

Download
memory/4352-103-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/4352-102-0x00000000026F0000-0x0000000002756000-memory.dmp

Filesize
408KB

Download
memory/4544-93-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/4592-35-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download