amadey | 3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131

Analysis

max time kernel
87s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe
Size

950KB
MD5

7ca685e8611d7bd7ef52bf3289e06681
SHA1

3bbc1c8e12ce1f8b576edf97feef855fdf4acac8
SHA256

3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131
SHA512

5500b5bef1487c0af8c29ffb05210d3dba4c68ad40e24b0e1c1ed13301012bc1ec642446c1d46c57c13778c937c9d112a568f1a74651cffffbd6095fc2c7a998
SSDEEP

24576:9yIUoKIqvtu9ZCB3jDegJkwzI5fSZbUJgdP:YF2qFz3HeizI56dUJ

Score

10^/10

amadey aurora discovery evasion persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Extracted

Family

aurora

85.192.40.255:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v9445Iy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v9445Iy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v9445Iy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v9445Iy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v9445Iy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v9445Iy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v9445Iy.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xuFfc06.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	xuFfc06.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

Processes:

za027228.exeza691819.exev9445Iy.exew47LE19.exexuFfc06.exeoneetx.exeys545611.exeUnique.exe

pid process

2352 za027228.exe
1796 za691819.exe
1320 v9445Iy.exe
2088 w47LE19.exe
2288 xuFfc06.exe
920 oneetx.exe
2064 ys545611.exe
2624 Unique.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2352	za027228.exe
1796	za691819.exe
1320	v9445Iy.exe
2088	w47LE19.exe
2288	xuFfc06.exe
920	oneetx.exe
2064	ys545611.exe
2624	Unique.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v9445Iy.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v9445Iy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v9445Iy.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exeza027228.exeza691819.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za027228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za027228.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za691819.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za691819.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3240 1320 WerFault.exe v9445Iy.exe
2512 2088 WerFault.exe w47LE19.exe
1904 2064 WerFault.exe ys545611.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3060 schtasks.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

1052 systeminfo.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

v9445Iy.exew47LE19.exeys545611.exe

pid process

1320 v9445Iy.exe
1320 v9445Iy.exe
2088 w47LE19.exe
2088 w47LE19.exe
2064 ys545611.exe
2064 ys545611.exe

pid	pid_target	process	target process
3240	1320	WerFault.exe	v9445Iy.exe
2512	2088	WerFault.exe	w47LE19.exe
1904	2064	WerFault.exe	ys545611.exe

pid	process
3060	schtasks.exe

pid	process
1052	systeminfo.exe

pid	process
1320	v9445Iy.exe
1320	v9445Iy.exe
2088	w47LE19.exe
2088	w47LE19.exe
2064	ys545611.exe
2064	ys545611.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

v9445Iy.exew47LE19.exeys545611.exeWMIC.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1320	v9445Iy.exe
Token: SeDebugPrivilege	2088	w47LE19.exe
Token: SeDebugPrivilege	2064	ys545611.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3100	wmic.exe
Token: SeSecurityPrivilege	3100	wmic.exe
Token: SeTakeOwnershipPrivilege	3100	wmic.exe
Token: SeLoadDriverPrivilege	3100	wmic.exe
Token: SeSystemProfilePrivilege	3100	wmic.exe
Token: SeSystemtimePrivilege	3100	wmic.exe
Token: SeProfSingleProcessPrivilege	3100	wmic.exe
Token: SeIncBasePriorityPrivilege	3100	wmic.exe
Token: SeCreatePagefilePrivilege	3100	wmic.exe
Token: SeBackupPrivilege	3100	wmic.exe
Token: SeRestorePrivilege	3100	wmic.exe
Token: SeShutdownPrivilege	3100	wmic.exe
Token: SeDebugPrivilege	3100	wmic.exe
Token: SeSystemEnvironmentPrivilege	3100	wmic.exe
Token: SeRemoteShutdownPrivilege	3100	wmic.exe
Token: SeUndockPrivilege	3100	wmic.exe
Token: SeManageVolumePrivilege	3100	wmic.exe
Token: 33	3100	wmic.exe
Token: 34	3100	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

xuFfc06.exe

pid process

2288 xuFfc06.exe

pid	process
2288	xuFfc06.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exeza027228.exeza691819.exexuFfc06.exeoneetx.exeUnique.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4480 wrote to memory of 2352	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	za027228.exe
PID 4480 wrote to memory of 2352	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	za027228.exe
PID 4480 wrote to memory of 2352	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	za027228.exe
PID 2352 wrote to memory of 1796	2352	za027228.exe	za691819.exe
PID 2352 wrote to memory of 1796	2352	za027228.exe	za691819.exe
PID 2352 wrote to memory of 1796	2352	za027228.exe	za691819.exe
PID 1796 wrote to memory of 1320	1796	za691819.exe	v9445Iy.exe
PID 1796 wrote to memory of 1320	1796	za691819.exe	v9445Iy.exe
PID 1796 wrote to memory of 1320	1796	za691819.exe	v9445Iy.exe
PID 1796 wrote to memory of 2088	1796	za691819.exe	w47LE19.exe
PID 1796 wrote to memory of 2088	1796	za691819.exe	w47LE19.exe
PID 1796 wrote to memory of 2088	1796	za691819.exe	w47LE19.exe
PID 2352 wrote to memory of 2288	2352	za027228.exe	xuFfc06.exe
PID 2352 wrote to memory of 2288	2352	za027228.exe	xuFfc06.exe
PID 2352 wrote to memory of 2288	2352	za027228.exe	xuFfc06.exe
PID 2288 wrote to memory of 920	2288	xuFfc06.exe	oneetx.exe
PID 2288 wrote to memory of 920	2288	xuFfc06.exe	oneetx.exe
PID 2288 wrote to memory of 920	2288	xuFfc06.exe	oneetx.exe
PID 4480 wrote to memory of 2064	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	ys545611.exe
PID 4480 wrote to memory of 2064	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	ys545611.exe
PID 4480 wrote to memory of 2064	4480	3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe	ys545611.exe
PID 920 wrote to memory of 3060	920	oneetx.exe	schtasks.exe
PID 920 wrote to memory of 3060	920	oneetx.exe	schtasks.exe
PID 920 wrote to memory of 3060	920	oneetx.exe	schtasks.exe
PID 920 wrote to memory of 2624	920	oneetx.exe	Unique.exe
PID 920 wrote to memory of 2624	920	oneetx.exe	Unique.exe
PID 920 wrote to memory of 2624	920	oneetx.exe	Unique.exe
PID 2624 wrote to memory of 4620	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 4620	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 4620	2624	Unique.exe	cmd.exe
PID 4620 wrote to memory of 1852	4620	cmd.exe	WMIC.exe
PID 4620 wrote to memory of 1852	4620	cmd.exe	WMIC.exe
PID 4620 wrote to memory of 1852	4620	cmd.exe	WMIC.exe
PID 2624 wrote to memory of 3100	2624	Unique.exe	wmic.exe
PID 2624 wrote to memory of 3100	2624	Unique.exe	wmic.exe
PID 2624 wrote to memory of 3100	2624	Unique.exe	wmic.exe
PID 2624 wrote to memory of 2552	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 2552	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 2552	2624	Unique.exe	cmd.exe
PID 2552 wrote to memory of 1268	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 1268	2552	cmd.exe	WMIC.exe
PID 2552 wrote to memory of 1268	2552	cmd.exe	WMIC.exe
PID 2624 wrote to memory of 4264	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 4264	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 4264	2624	Unique.exe	cmd.exe
PID 4264 wrote to memory of 4516	4264	cmd.exe	WMIC.exe
PID 4264 wrote to memory of 4516	4264	cmd.exe	WMIC.exe
PID 4264 wrote to memory of 4516	4264	cmd.exe	WMIC.exe
PID 2624 wrote to memory of 3744	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 3744	2624	Unique.exe	cmd.exe
PID 2624 wrote to memory of 3744	2624	Unique.exe	cmd.exe
PID 3744 wrote to memory of 1052	3744	cmd.exe	systeminfo.exe
PID 3744 wrote to memory of 1052	3744	cmd.exe	systeminfo.exe
PID 3744 wrote to memory of 1052	3744	cmd.exe	systeminfo.exe

C:\Users\Admin\AppData\Local\Temp\3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe
"C:\Users\Admin\AppData\Local\Temp\3bd5d7b72ff14e9979654f3079edaa96a885d1c80e579b46049ad06f79532131.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za027228.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za027228.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za691819.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za691819.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9445Iy.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9445Iy.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1084
5⤵
- Program crash
PID:3240

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47LE19.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47LE19.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1308
5⤵
- Program crash
PID:2512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuFfc06.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuFfc06.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:3060

C:\Users\Admin\AppData\Local\Temp\1000032001\Unique.exe
"C:\Users\Admin\AppData\Local\Temp\1000032001\Unique.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
6⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
cmd "/c " systeminfo
6⤵
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\systeminfo.exe
systeminfo
7⤵
- Gathers system information
PID:1052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys545611.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys545611.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1676
3⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1320 -ip 1320
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2088 -ip 2088
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2064 -ip 2064
1⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000032001\Unique.exe
Filesize
3.1MB

MD5
17f5da38b24f536ff81aec383e40dc93

SHA1
9ee6c50dfd7ca007d9926652c3117f6e1c3283d6

SHA256
de3c7ba6254b2826f3a9082db334cb2e5fb60fc233394e8fa8bc2764313ce994

SHA512
28333b3f98809e7a25234b0f435a44933615a894ecf3031c945324b2e15d6a9959a2644f451fbaa82edb59242c64b0476581b874578a2fa6811b4e964376ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\Unique.exe
Filesize
3.1MB

MD5
17f5da38b24f536ff81aec383e40dc93

SHA1
9ee6c50dfd7ca007d9926652c3117f6e1c3283d6

SHA256
de3c7ba6254b2826f3a9082db334cb2e5fb60fc233394e8fa8bc2764313ce994

SHA512
28333b3f98809e7a25234b0f435a44933615a894ecf3031c945324b2e15d6a9959a2644f451fbaa82edb59242c64b0476581b874578a2fa6811b4e964376ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000032001\Unique.exe
Filesize
3.1MB

MD5
17f5da38b24f536ff81aec383e40dc93

SHA1
9ee6c50dfd7ca007d9926652c3117f6e1c3283d6

SHA256
de3c7ba6254b2826f3a9082db334cb2e5fb60fc233394e8fa8bc2764313ce994

SHA512
28333b3f98809e7a25234b0f435a44933615a894ecf3031c945324b2e15d6a9959a2644f451fbaa82edb59242c64b0476581b874578a2fa6811b4e964376ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys545611.exe
Filesize
361KB

MD5
c119bf8afa3f9fd56b7e8fa441729499

SHA1
3a3e2a6d7b51ceffc09f9d16bb1dba47022777f6

SHA256
4ccbec154f5ae46c90dde2948a63687ebf752da7ed9f4815cb2603d4ab44fa79

SHA512
6e0601cbb6c63de616182f145bb0e42cce26c716df93cd072abc4e71aca6820bb968752f1eb296cf3fa8ed799eca2c8c23c178dfdbbc50edd100b198b1309e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ys545611.exe
Filesize
361KB

MD5
c119bf8afa3f9fd56b7e8fa441729499

SHA1
3a3e2a6d7b51ceffc09f9d16bb1dba47022777f6

SHA256
4ccbec154f5ae46c90dde2948a63687ebf752da7ed9f4815cb2603d4ab44fa79

SHA512
6e0601cbb6c63de616182f145bb0e42cce26c716df93cd072abc4e71aca6820bb968752f1eb296cf3fa8ed799eca2c8c23c178dfdbbc50edd100b198b1309e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za027228.exe
Filesize
733KB

MD5
45789b0a4d351af6c120f0bbfb540aa2

SHA1
09fedb666f20141124518f5724768d86497fbfc6

SHA256
0c75eec0134b3363260aee6113afadceff321c62099044a95334e52554110a5d

SHA512
a0469a53a0ac5870ab159f9d55969207cbb99237ce2036ef3abc423e19ba465db46bf853205b6c2cbeb8dc02c5f6a25ce9eb39459542e85664d83a99fd01fe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za027228.exe
Filesize
733KB

MD5
45789b0a4d351af6c120f0bbfb540aa2

SHA1
09fedb666f20141124518f5724768d86497fbfc6

SHA256
0c75eec0134b3363260aee6113afadceff321c62099044a95334e52554110a5d

SHA512
a0469a53a0ac5870ab159f9d55969207cbb99237ce2036ef3abc423e19ba465db46bf853205b6c2cbeb8dc02c5f6a25ce9eb39459542e85664d83a99fd01fe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuFfc06.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xuFfc06.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za691819.exe
Filesize
550KB

MD5
0b89a0a214b4e2501f4d72061338ba45

SHA1
912b6ee2100fe4bb63ce978007c9947156d03280

SHA256
412f446f5ccfbb07f8b984459a839ee1b48c0d093227ad6f534e4b433fc59335

SHA512
5153a47e812a1c3a75c06246b7f1c2e7bd52658bc710e160e43e4a173c2f3d70f9593fcc4ba5b19ab15e733cce36a224249e77df3feedeb8cc0ced0bbe5a579d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za691819.exe
Filesize
550KB

MD5
0b89a0a214b4e2501f4d72061338ba45

SHA1
912b6ee2100fe4bb63ce978007c9947156d03280

SHA256
412f446f5ccfbb07f8b984459a839ee1b48c0d093227ad6f534e4b433fc59335

SHA512
5153a47e812a1c3a75c06246b7f1c2e7bd52658bc710e160e43e4a173c2f3d70f9593fcc4ba5b19ab15e733cce36a224249e77df3feedeb8cc0ced0bbe5a579d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9445Iy.exe
Filesize
278KB

MD5
0cf6bf5f85331ac3179100bf9f60533e

SHA1
a9db167690d6c0e1cda7c75d4d069a91f38956a6

SHA256
fedb2b84f8c443fc2e99c34196e8301e53e33341b75f989e82d7e2b604062e91

SHA512
086765928015443469373b1b848b36d661c180fc409ff4016cbd98d44272efe8d71269b06b9b1260d71cb102b3849fb87234abf2e636e7680e61cb844c7eb3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9445Iy.exe
Filesize
278KB

MD5
0cf6bf5f85331ac3179100bf9f60533e

SHA1
a9db167690d6c0e1cda7c75d4d069a91f38956a6

SHA256
fedb2b84f8c443fc2e99c34196e8301e53e33341b75f989e82d7e2b604062e91

SHA512
086765928015443469373b1b848b36d661c180fc409ff4016cbd98d44272efe8d71269b06b9b1260d71cb102b3849fb87234abf2e636e7680e61cb844c7eb3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47LE19.exe
Filesize
361KB

MD5
4302929bd1e3683fd58a38d2ec70bc13

SHA1
5c268880ac88f89e59f84e69b7ca98f916085ac3

SHA256
394bf8fde8ac6e966124cbf8639e2a4dac9306e0d07d25d0da3ca4ddf728543c

SHA512
0df7c2d3b2079d5a35697028b42a9a5077939b567644b64028faf7c9188e087c92db9318dce12696ae5f2e466c598241a2d87de1f9f984a5e2695d4773b3461a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w47LE19.exe
Filesize
361KB

MD5
4302929bd1e3683fd58a38d2ec70bc13

SHA1
5c268880ac88f89e59f84e69b7ca98f916085ac3

SHA256
394bf8fde8ac6e966124cbf8639e2a4dac9306e0d07d25d0da3ca4ddf728543c

SHA512
0df7c2d3b2079d5a35697028b42a9a5077939b567644b64028faf7c9188e087c92db9318dce12696ae5f2e466c598241a2d87de1f9f984a5e2695d4773b3461a

Download Submit
memory/1320-174-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-190-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-170-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-172-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-166-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-176-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-178-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-180-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-182-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-184-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-185-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-186-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-187-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-188-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1320-189-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-168-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-191-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/1320-193-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1320-164-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-162-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-160-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-155-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

Filesize
180KB

Download
memory/1320-158-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/1320-156-0x0000000007220000-0x00000000077C4000-memory.dmp

Filesize
5.6MB

Download
memory/1320-157-0x00000000048D0000-0x00000000048E2000-memory.dmp

Filesize
72KB

Download
memory/2064-1062-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/2064-1064-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/2064-1065-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/2064-1823-0x0000000007150000-0x0000000007160000-memory.dmp

Filesize
64KB

Download
memory/2088-202-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-218-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-220-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-222-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-224-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-226-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-228-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-230-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-232-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-234-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-243-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2088-994-0x0000000009CC0000-0x000000000A2D8000-memory.dmp

Filesize
6.1MB

Download
memory/2088-995-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/2088-996-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/2088-997-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/2088-998-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2088-999-0x000000000A760000-0x000000000A7C6000-memory.dmp

Filesize
408KB

Download
memory/2088-1000-0x000000000AE20000-0x000000000AEB2000-memory.dmp

Filesize
584KB

Download
memory/2088-1001-0x000000000AEF0000-0x000000000AF66000-memory.dmp

Filesize
472KB

Download
memory/2088-1002-0x000000000AFD0000-0x000000000B192000-memory.dmp

Filesize
1.8MB

Download
memory/2088-216-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-214-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-212-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-210-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-208-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-206-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-204-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-201-0x0000000004D50000-0x0000000004D85000-memory.dmp

Filesize
212KB

Download
memory/2088-200-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2088-199-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2088-198-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/2088-1003-0x000000000B1A0000-0x000000000B6CC000-memory.dmp

Filesize
5.2MB

Download
memory/2088-1004-0x000000000B7E0000-0x000000000B7FE000-memory.dmp

Filesize
120KB

Download
memory/2088-1005-0x00000000049F0000-0x0000000004A40000-memory.dmp

Filesize
320KB

Download