amadey | 58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00080000000122f2-105.exe
Size

209KB
MD5

88ba73a2eb9e03fc5034d36b47b9adc4
SHA1

a06b3a2458eb56bf07e325af82e7f8574c07861d
SHA256

58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a
SHA512

75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885
SSDEEP

3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij

Score

10^/10

amadey redline duha evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.83

77.91.68.30/music/rock/index.php

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

k0908679.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0908679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0908679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0908679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0908679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0908679.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0908679.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x00080000000122f2-105.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	0x00080000000122f2-105.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 14 IoCs

Processes:

lamod.exefoto124.exex1854400.exex4098505.exef2578721.exefotod25.exey8457042.exey7708521.exey6495542.exej1888029.exek0908679.exel6273262.exelamod.exelamod.exe

pid	process
2020	lamod.exe
324	foto124.exe
1088	x1854400.exe
4032	x4098505.exe
4328	f2578721.exe
3388	fotod25.exe
3800	y8457042.exe
1428	y7708521.exe
3200	y6495542.exe
4320	j1888029.exe
1840	k0908679.exe
4448	l6273262.exe
2060	lamod.exe
4480	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

428 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k0908679.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k0908679.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
428	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0908679.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

foto124.exey7708521.exey6495542.exex1854400.exex4098505.exey8457042.exefotod25.exelamod.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7708521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	y7708521.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6495542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1854400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4098505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y8457042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	y6495542.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x4098505.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotod25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fotod25.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fotod25.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004051\\fotod25.exe"	lamod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto124.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto124.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\foto124.exe"	lamod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x1854400.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	y8457042.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

j1888029.exe

description pid process target process

PID 4320 set thread context of 4116 4320 j1888029.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1152 4320 WerFault.exe j1888029.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AppLaunch.exek0908679.exe

pid process

4116 AppLaunch.exe
4116 AppLaunch.exe
1840 k0908679.exe
1840 k0908679.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AppLaunch.exek0908679.exe

description pid process

Token: SeDebugPrivilege 4116 AppLaunch.exe
Token: SeDebugPrivilege 1840 k0908679.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0x00080000000122f2-105.exe

pid process

3680 0x00080000000122f2-105.exe

description	pid	process	target process
PID 4320 set thread context of 4116	4320	j1888029.exe	AppLaunch.exe

pid	pid_target	process	target process
1152	4320	WerFault.exe	j1888029.exe

pid	process
3640	schtasks.exe

pid	process
4116	AppLaunch.exe
4116	AppLaunch.exe
1840	k0908679.exe
1840	k0908679.exe

description	pid	process
Token: SeDebugPrivilege	4116	AppLaunch.exe
Token: SeDebugPrivilege	1840	k0908679.exe

pid	process
3680	0x00080000000122f2-105.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0x00080000000122f2-105.exelamod.execmd.exefoto124.exex1854400.exex4098505.exefotod25.exey8457042.exey7708521.exey6495542.exej1888029.exe

description	pid	process	target process
PID 3680 wrote to memory of 2020	3680	0x00080000000122f2-105.exe	lamod.exe
PID 3680 wrote to memory of 2020	3680	0x00080000000122f2-105.exe	lamod.exe
PID 3680 wrote to memory of 2020	3680	0x00080000000122f2-105.exe	lamod.exe
PID 2020 wrote to memory of 3640	2020	lamod.exe	schtasks.exe
PID 2020 wrote to memory of 3640	2020	lamod.exe	schtasks.exe
PID 2020 wrote to memory of 3640	2020	lamod.exe	schtasks.exe
PID 2020 wrote to memory of 2016	2020	lamod.exe	cmd.exe
PID 2020 wrote to memory of 2016	2020	lamod.exe	cmd.exe
PID 2020 wrote to memory of 2016	2020	lamod.exe	cmd.exe
PID 2016 wrote to memory of 2120	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2120	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2120	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2312	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2312	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2312	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2884	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2884	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 2884	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 876	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 876	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 876	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 3124	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 3124	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 3124	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 4956	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 4956	2016	cmd.exe	cacls.exe
PID 2016 wrote to memory of 4956	2016	cmd.exe	cacls.exe
PID 2020 wrote to memory of 324	2020	lamod.exe	foto124.exe
PID 2020 wrote to memory of 324	2020	lamod.exe	foto124.exe
PID 2020 wrote to memory of 324	2020	lamod.exe	foto124.exe
PID 324 wrote to memory of 1088	324	foto124.exe	x1854400.exe
PID 324 wrote to memory of 1088	324	foto124.exe	x1854400.exe
PID 324 wrote to memory of 1088	324	foto124.exe	x1854400.exe
PID 1088 wrote to memory of 4032	1088	x1854400.exe	x4098505.exe
PID 1088 wrote to memory of 4032	1088	x1854400.exe	x4098505.exe
PID 1088 wrote to memory of 4032	1088	x1854400.exe	x4098505.exe
PID 4032 wrote to memory of 4328	4032	x4098505.exe	f2578721.exe
PID 4032 wrote to memory of 4328	4032	x4098505.exe	f2578721.exe
PID 4032 wrote to memory of 4328	4032	x4098505.exe	f2578721.exe
PID 2020 wrote to memory of 3388	2020	lamod.exe	fotod25.exe
PID 2020 wrote to memory of 3388	2020	lamod.exe	fotod25.exe
PID 2020 wrote to memory of 3388	2020	lamod.exe	fotod25.exe
PID 3388 wrote to memory of 3800	3388	fotod25.exe	y8457042.exe
PID 3388 wrote to memory of 3800	3388	fotod25.exe	y8457042.exe
PID 3388 wrote to memory of 3800	3388	fotod25.exe	y8457042.exe
PID 3800 wrote to memory of 1428	3800	y8457042.exe	y7708521.exe
PID 3800 wrote to memory of 1428	3800	y8457042.exe	y7708521.exe
PID 3800 wrote to memory of 1428	3800	y8457042.exe	y7708521.exe
PID 1428 wrote to memory of 3200	1428	y7708521.exe	y6495542.exe
PID 1428 wrote to memory of 3200	1428	y7708521.exe	y6495542.exe
PID 1428 wrote to memory of 3200	1428	y7708521.exe	y6495542.exe
PID 3200 wrote to memory of 4320	3200	y6495542.exe	j1888029.exe
PID 3200 wrote to memory of 4320	3200	y6495542.exe	j1888029.exe
PID 3200 wrote to memory of 4320	3200	y6495542.exe	j1888029.exe
PID 4320 wrote to memory of 4116	4320	j1888029.exe	AppLaunch.exe
PID 4320 wrote to memory of 4116	4320	j1888029.exe	AppLaunch.exe
PID 4320 wrote to memory of 4116	4320	j1888029.exe	AppLaunch.exe
PID 4320 wrote to memory of 4116	4320	j1888029.exe	AppLaunch.exe
PID 4320 wrote to memory of 4116	4320	j1888029.exe	AppLaunch.exe
PID 3200 wrote to memory of 1840	3200	y6495542.exe	k0908679.exe
PID 3200 wrote to memory of 1840	3200	y6495542.exe	k0908679.exe
PID 1428 wrote to memory of 4448	1428	y7708521.exe	l6273262.exe
PID 1428 wrote to memory of 4448	1428	y7708521.exe	l6273262.exe
PID 1428 wrote to memory of 4448	1428	y7708521.exe	l6273262.exe

C:\Users\Admin\AppData\Local\Temp\0x00080000000122f2-105.exe
"C:\Users\Admin\AppData\Local\Temp\0x00080000000122f2-105.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
3⤵
- Creates scheduled task(s)
PID:3640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2120

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
4⤵
PID:2312

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
4⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:876

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
4⤵
PID:3124

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
4⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
"C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1854400.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1854400.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4098505.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4098505.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2578721.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2578721.exe
6⤵
- Executes dropped EXE
PID:4328

C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8457042.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8457042.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y7708521.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y7708521.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6495542.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6495542.exe
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j1888029.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j1888029.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 136
8⤵
- Program crash
PID:1152

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0908679.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0908679.exe
7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6273262.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6273262.exe
6⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4320 -ip 4320
1⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
Filesize
597KB

MD5
3b7fa82e06b0fb23779fc46c583937c0

SHA1
52878d921a9d982b8808cbfb3793e9eeb4672bb8

SHA256
fb60203e5592d030fee3c165a23439a7a51f12d8ce6331c052ab9bb2c51f960f

SHA512
cbd7f31a9b614a461b4add63eb37164576376b720a0488889642265808ee8846478f62a56ef9a73947b3bb7a756cda4dace10bbd82e9c9c67bfab6451063abca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
Filesize
597KB

MD5
3b7fa82e06b0fb23779fc46c583937c0

SHA1
52878d921a9d982b8808cbfb3793e9eeb4672bb8

SHA256
fb60203e5592d030fee3c165a23439a7a51f12d8ce6331c052ab9bb2c51f960f

SHA512
cbd7f31a9b614a461b4add63eb37164576376b720a0488889642265808ee8846478f62a56ef9a73947b3bb7a756cda4dace10bbd82e9c9c67bfab6451063abca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
Filesize
597KB

MD5
3b7fa82e06b0fb23779fc46c583937c0

SHA1
52878d921a9d982b8808cbfb3793e9eeb4672bb8

SHA256
fb60203e5592d030fee3c165a23439a7a51f12d8ce6331c052ab9bb2c51f960f

SHA512
cbd7f31a9b614a461b4add63eb37164576376b720a0488889642265808ee8846478f62a56ef9a73947b3bb7a756cda4dace10bbd82e9c9c67bfab6451063abca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
Filesize
763KB

MD5
007575d98c7b2a63d9dba16995a03842

SHA1
026c316abd9575aa75d1f68cc8ef96b9f2d7a11b

SHA256
5525112e857f88caa98fae95e67b15bc2f0c48f7b4c86422d570b6235cfbc2db

SHA512
dd9d16dad90906951f48e4b90295e7c6dd2a8b817d887732d1333210b52663c25c4891476d578c8742a890d488caaea8710ed3961be900ed50b0abef52c23484

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
Filesize
763KB

MD5
007575d98c7b2a63d9dba16995a03842

SHA1
026c316abd9575aa75d1f68cc8ef96b9f2d7a11b

SHA256
5525112e857f88caa98fae95e67b15bc2f0c48f7b4c86422d570b6235cfbc2db

SHA512
dd9d16dad90906951f48e4b90295e7c6dd2a8b817d887732d1333210b52663c25c4891476d578c8742a890d488caaea8710ed3961be900ed50b0abef52c23484

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
Filesize
763KB

MD5
007575d98c7b2a63d9dba16995a03842

SHA1
026c316abd9575aa75d1f68cc8ef96b9f2d7a11b

SHA256
5525112e857f88caa98fae95e67b15bc2f0c48f7b4c86422d570b6235cfbc2db

SHA512
dd9d16dad90906951f48e4b90295e7c6dd2a8b817d887732d1333210b52663c25c4891476d578c8742a890d488caaea8710ed3961be900ed50b0abef52c23484

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1854400.exe
Filesize
377KB

MD5
299bdd432c08f8c8bb78fdf8f5f256f6

SHA1
f22dd6d815d63ac6ba1b75f63becb187df1650c9

SHA256
b77cbbc5feee9c0a84229939465221d2c2529864c0cf8d86bfbe4644638c778e

SHA512
b83c3e0f94730f11ad7b531a98fa6114151a26d92bf51dc25ac888f4f01d0857d15e91f3b3d05c20408a3b21955d756fa505ecdd7f01f11cc194292cc4e472a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1854400.exe
Filesize
377KB

MD5
299bdd432c08f8c8bb78fdf8f5f256f6

SHA1
f22dd6d815d63ac6ba1b75f63becb187df1650c9

SHA256
b77cbbc5feee9c0a84229939465221d2c2529864c0cf8d86bfbe4644638c778e

SHA512
b83c3e0f94730f11ad7b531a98fa6114151a26d92bf51dc25ac888f4f01d0857d15e91f3b3d05c20408a3b21955d756fa505ecdd7f01f11cc194292cc4e472a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4098505.exe
Filesize
206KB

MD5
cd31769859c9686f805d10275c575441

SHA1
b6ea3e79a233b7619d652546cc41dd59cffb0487

SHA256
18e19b4e9f1e4f780ee159465a07f7e2a6f22a141dcfcec1fd41632b7ce1b4ff

SHA512
75616cfb012d6f6a508e4d3358b4bc65507676a74d6d3a3e67ae328f6c19741e6f8d797c55a97436470d2b203a9adf945601137503c9101d68fa15bc116ae39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4098505.exe
Filesize
206KB

MD5
cd31769859c9686f805d10275c575441

SHA1
b6ea3e79a233b7619d652546cc41dd59cffb0487

SHA256
18e19b4e9f1e4f780ee159465a07f7e2a6f22a141dcfcec1fd41632b7ce1b4ff

SHA512
75616cfb012d6f6a508e4d3358b4bc65507676a74d6d3a3e67ae328f6c19741e6f8d797c55a97436470d2b203a9adf945601137503c9101d68fa15bc116ae39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2578721.exe
Filesize
172KB

MD5
c427640fd5e42e7bfb9ffea1cfcf346d

SHA1
83cfbfa853ec160243e144295de6556567478834

SHA256
5d98696249cd74aeb54f3c5bc3e22e7f7de44cf58947f6e1950fb27e6835851a

SHA512
688cdfe2bf0b8138613633c81c655e2a66506fe53f504bee7d83d315def4c69c88767d0565770ac517bc9b522591b26f905320bd323fc0a6eac2e5d296decbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2578721.exe
Filesize
172KB

MD5
c427640fd5e42e7bfb9ffea1cfcf346d

SHA1
83cfbfa853ec160243e144295de6556567478834

SHA256
5d98696249cd74aeb54f3c5bc3e22e7f7de44cf58947f6e1950fb27e6835851a

SHA512
688cdfe2bf0b8138613633c81c655e2a66506fe53f504bee7d83d315def4c69c88767d0565770ac517bc9b522591b26f905320bd323fc0a6eac2e5d296decbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8457042.exe
Filesize
544KB

MD5
8472d0fd7c978de0ac07b2729db29706

SHA1
1fc63adeaa4bd7c58dcd60affb52ebac45dc4dea

SHA256
74d36c85ed885bc54f959edb2fd9a5bf135f274fcad45b6c58bd04ccb75fc775

SHA512
4db3b0721cb804454973bf22872daffe82462587e81392c41af4fa7963f18dbe6bd7d42de358e688ab617c2d55359ac09a25d095af688ac1993f73806e7a93b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y8457042.exe
Filesize
544KB

MD5
8472d0fd7c978de0ac07b2729db29706

SHA1
1fc63adeaa4bd7c58dcd60affb52ebac45dc4dea

SHA256
74d36c85ed885bc54f959edb2fd9a5bf135f274fcad45b6c58bd04ccb75fc775

SHA512
4db3b0721cb804454973bf22872daffe82462587e81392c41af4fa7963f18dbe6bd7d42de358e688ab617c2d55359ac09a25d095af688ac1993f73806e7a93b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y7708521.exe
Filesize
372KB

MD5
4bb91e9882ddd85d1ce911fb6cdcfce5

SHA1
034967ba559528c13137e6547f5c2f8519a0e65d

SHA256
8fffea4ace90c14da9d2c49b170df65c62b11ab28101936b48ed460d1f147de2

SHA512
fa2e5022fc798ff927593b054646b57d6650d6c6c93e71f13c42bc50e8e136b506920d8f96f773f309e6012c8ea4a70e90fb0aeb1ff25705e1d95511b8cc0976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y7708521.exe
Filesize
372KB

MD5
4bb91e9882ddd85d1ce911fb6cdcfce5

SHA1
034967ba559528c13137e6547f5c2f8519a0e65d

SHA256
8fffea4ace90c14da9d2c49b170df65c62b11ab28101936b48ed460d1f147de2

SHA512
fa2e5022fc798ff927593b054646b57d6650d6c6c93e71f13c42bc50e8e136b506920d8f96f773f309e6012c8ea4a70e90fb0aeb1ff25705e1d95511b8cc0976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6273262.exe
Filesize
172KB

MD5
bfda91ed9e3f46bd8fdf5814df640702

SHA1
4984273bfdbfbba8a3309182242a12927adc8a5a

SHA256
01999a6ed936c8b2fffb50710c6e41e562480c85b432813579851a6e2c7d8ee0

SHA512
27b4e45ac07136cf1105f85a6113cc831cb7e75f2974dea5fd89ee99e03bd5578b1399f2b4764d4922adb11f4f4388f085770bae5bb99be7d7e31e58c0980f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6273262.exe
Filesize
172KB

MD5
bfda91ed9e3f46bd8fdf5814df640702

SHA1
4984273bfdbfbba8a3309182242a12927adc8a5a

SHA256
01999a6ed936c8b2fffb50710c6e41e562480c85b432813579851a6e2c7d8ee0

SHA512
27b4e45ac07136cf1105f85a6113cc831cb7e75f2974dea5fd89ee99e03bd5578b1399f2b4764d4922adb11f4f4388f085770bae5bb99be7d7e31e58c0980f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l6273262.exe
Filesize
172KB

MD5
bfda91ed9e3f46bd8fdf5814df640702

SHA1
4984273bfdbfbba8a3309182242a12927adc8a5a

SHA256
01999a6ed936c8b2fffb50710c6e41e562480c85b432813579851a6e2c7d8ee0

SHA512
27b4e45ac07136cf1105f85a6113cc831cb7e75f2974dea5fd89ee99e03bd5578b1399f2b4764d4922adb11f4f4388f085770bae5bb99be7d7e31e58c0980f91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6495542.exe
Filesize
216KB

MD5
5ac98935f918767a41b25d19dfeb1ec5

SHA1
e44c6177713f642f6c66d79cbddba32de5f86408

SHA256
24a97fac4ee27123f97a192c1d977b13c6ec710e14fb4120180cea17d93807ff

SHA512
1073c7d32f468a6de939f020d419b0783faa21ae645665417cabae2fcf01b3aa31a6beabb6c00901edfb528822af39a8650cbb848fef307be7e2c670b9bb0322

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y6495542.exe
Filesize
216KB

MD5
5ac98935f918767a41b25d19dfeb1ec5

SHA1
e44c6177713f642f6c66d79cbddba32de5f86408

SHA256
24a97fac4ee27123f97a192c1d977b13c6ec710e14fb4120180cea17d93807ff

SHA512
1073c7d32f468a6de939f020d419b0783faa21ae645665417cabae2fcf01b3aa31a6beabb6c00901edfb528822af39a8650cbb848fef307be7e2c670b9bb0322

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j1888029.exe
Filesize
139KB

MD5
f95031fae969bcd54634e4c980bfdb49

SHA1
3301ea0d005b1e4198895b96a0bf58b8713c4765

SHA256
8cba03c090918dbbf2989679cd740585565a55f5b232d5f32ac89b95419149b1

SHA512
6f981f7a7fdd667f7f0ab4c9bcfbc0447d65efce9e13181e9a077d5a7f25383833936767f894efeeb25b47761f0e1e9c8757bfd7929703c1970f70e8b7147959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\j1888029.exe
Filesize
139KB

MD5
f95031fae969bcd54634e4c980bfdb49

SHA1
3301ea0d005b1e4198895b96a0bf58b8713c4765

SHA256
8cba03c090918dbbf2989679cd740585565a55f5b232d5f32ac89b95419149b1

SHA512
6f981f7a7fdd667f7f0ab4c9bcfbc0447d65efce9e13181e9a077d5a7f25383833936767f894efeeb25b47761f0e1e9c8757bfd7929703c1970f70e8b7147959

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0908679.exe
Filesize
12KB

MD5
54f85f7d6f119c4c6ce62bb6003e0d5d

SHA1
e39a4faa69ce89c2f5ceca8c7579fbe9b46f12e0

SHA256
d4c2342989b2b4efc2771685d7231e943881c987fb564ce155c32a7e16722d4b

SHA512
cfebb160c38ea3ca3e20cec4ac52f69c67fd7ed7e7d2cbcd598c3e0e608a0e397e3b7ca835de1db2c8621da0bcc36643694b484090d1dbee433058439694e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0908679.exe
Filesize
12KB

MD5
54f85f7d6f119c4c6ce62bb6003e0d5d

SHA1
e39a4faa69ce89c2f5ceca8c7579fbe9b46f12e0

SHA256
d4c2342989b2b4efc2771685d7231e943881c987fb564ce155c32a7e16722d4b

SHA512
cfebb160c38ea3ca3e20cec4ac52f69c67fd7ed7e7d2cbcd598c3e0e608a0e397e3b7ca835de1db2c8621da0bcc36643694b484090d1dbee433058439694e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k0908679.exe
Filesize
12KB

MD5
54f85f7d6f119c4c6ce62bb6003e0d5d

SHA1
e39a4faa69ce89c2f5ceca8c7579fbe9b46f12e0

SHA256
d4c2342989b2b4efc2771685d7231e943881c987fb564ce155c32a7e16722d4b

SHA512
cfebb160c38ea3ca3e20cec4ac52f69c67fd7ed7e7d2cbcd598c3e0e608a0e397e3b7ca835de1db2c8621da0bcc36643694b484090d1dbee433058439694e543

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
209KB

MD5
88ba73a2eb9e03fc5034d36b47b9adc4

SHA1
a06b3a2458eb56bf07e325af82e7f8574c07861d

SHA256
58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

SHA512
75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
209KB

MD5
88ba73a2eb9e03fc5034d36b47b9adc4

SHA1
a06b3a2458eb56bf07e325af82e7f8574c07861d

SHA256
58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

SHA512
75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
209KB

MD5
88ba73a2eb9e03fc5034d36b47b9adc4

SHA1
a06b3a2458eb56bf07e325af82e7f8574c07861d

SHA256
58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

SHA512
75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
209KB

MD5
88ba73a2eb9e03fc5034d36b47b9adc4

SHA1
a06b3a2458eb56bf07e325af82e7f8574c07861d

SHA256
58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

SHA512
75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
209KB

MD5
88ba73a2eb9e03fc5034d36b47b9adc4

SHA1
a06b3a2458eb56bf07e325af82e7f8574c07861d

SHA256
58c5b10d3a88506e0a4c2e1cfbbda23ded7fb65eb6124e9b61e0bd02a715952a

SHA512
75489284081a8d87bcf2176cbad8e4d15d1307a41b6793f4d2c51523109b1ba8da5a0c92a8685c6e1b1bdec748279649dfaed6e6f60040a10bfe9a56c522d885

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1840-245-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/4116-235-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4328-206-0x00000000006A0000-0x00000000006D0000-memory.dmp

Filesize
192KB

Download
memory/4328-241-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4328-231-0x0000000005640000-0x0000000005C58000-memory.dmp

Filesize
6.1MB

Download
memory/4328-232-0x0000000005130000-0x000000000523A000-memory.dmp

Filesize
1.0MB

Download
memory/4328-247-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4328-233-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/4328-274-0x0000000000EE0000-0x0000000000F56000-memory.dmp

Filesize
472KB

Download
memory/4328-275-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/4328-276-0x0000000006700000-0x0000000006CA4000-memory.dmp

Filesize
5.6MB

Download
memory/4328-277-0x0000000002780000-0x00000000027E6000-memory.dmp

Filesize
408KB

Download
memory/4328-237-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/4448-252-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/4448-253-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download