amadey | b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe
Size

1.1MB
MD5

0520720d3b511779c03b50f772c96670
SHA1

b10b1cb6d59ac80f675389023189853be1a43e36
SHA256

b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb
SHA512

b64a5fed80cd3c0bb96f944a118ab9c6fddab50f84db5f8a407e000c06669f2f03a69722c6adec7cb00befdcedbf888256aaf6c16d4e9cafb052083906fe5b55
SSDEEP

24576:xyx3M5Gk3eUFrMIj5qqub/x/jMNroqDzDFBeivvt:kx3EGkH57EAXFBJv

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/1204-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1204-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1204-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1204-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2792-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	u6601973.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	t1387655.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 14 IoCs

pid	Process
4976	z6541980.exe
948	z2464011.exe
3888	z4541954.exe
4700	z0962072.exe
4384	q6623057.exe
4712	r7265172.exe
2128	s3965780.exe
1012	t1387655.exe
4348	explothe.exe
4832	u6601973.exe
4184	legota.exe
2832	w2173201.exe
4048	legota.exe
4388	explothe.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6541980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2464011.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4541954.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0962072.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4384 set thread context of 2792	4384	q6623057.exe	96
PID 4712 set thread context of 1204	4712	r7265172.exe	103
PID 2128 set thread context of 4736	2128	s3965780.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1036	4384	WerFault.exe	93
4472	4712	WerFault.exe	101
696	1204	WerFault.exe	103
4172	2128	WerFault.exe	109

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3540	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	AppLaunch.exe
2792	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 4976	8	b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe	87
PID 8 wrote to memory of 4976	8	b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe	87
PID 8 wrote to memory of 4976	8	b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe	87
PID 4976 wrote to memory of 948	4976	z6541980.exe	88
PID 4976 wrote to memory of 948	4976	z6541980.exe	88
PID 4976 wrote to memory of 948	4976	z6541980.exe	88
PID 948 wrote to memory of 3888	948	z2464011.exe	89
PID 948 wrote to memory of 3888	948	z2464011.exe	89
PID 948 wrote to memory of 3888	948	z2464011.exe	89
PID 3888 wrote to memory of 4700	3888	z4541954.exe	91
PID 3888 wrote to memory of 4700	3888	z4541954.exe	91
PID 3888 wrote to memory of 4700	3888	z4541954.exe	91
PID 4700 wrote to memory of 4384	4700	z0962072.exe	93
PID 4700 wrote to memory of 4384	4700	z0962072.exe	93
PID 4700 wrote to memory of 4384	4700	z0962072.exe	93
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4384 wrote to memory of 2792	4384	q6623057.exe	96
PID 4700 wrote to memory of 4712	4700	z0962072.exe	101
PID 4700 wrote to memory of 4712	4700	z0962072.exe	101
PID 4700 wrote to memory of 4712	4700	z0962072.exe	101
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 4712 wrote to memory of 1204	4712	r7265172.exe	103
PID 3888 wrote to memory of 2128	3888	z4541954.exe	109
PID 3888 wrote to memory of 2128	3888	z4541954.exe	109
PID 3888 wrote to memory of 2128	3888	z4541954.exe	109
PID 2128 wrote to memory of 5068	2128	s3965780.exe	112
PID 2128 wrote to memory of 5068	2128	s3965780.exe	112
PID 2128 wrote to memory of 5068	2128	s3965780.exe	112
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 2128 wrote to memory of 4736	2128	s3965780.exe	113
PID 948 wrote to memory of 1012	948	z2464011.exe	116
PID 948 wrote to memory of 1012	948	z2464011.exe	116
PID 948 wrote to memory of 1012	948	z2464011.exe	116
PID 1012 wrote to memory of 4348	1012	t1387655.exe	117
PID 1012 wrote to memory of 4348	1012	t1387655.exe	117
PID 1012 wrote to memory of 4348	1012	t1387655.exe	117
PID 4976 wrote to memory of 4832	4976	z6541980.exe	118
PID 4976 wrote to memory of 4832	4976	z6541980.exe	118
PID 4976 wrote to memory of 4832	4976	z6541980.exe	118
PID 4348 wrote to memory of 3540	4348	explothe.exe	119
PID 4348 wrote to memory of 3540	4348	explothe.exe	119
PID 4348 wrote to memory of 3540	4348	explothe.exe	119
PID 4348 wrote to memory of 1624	4348	explothe.exe	122
PID 4348 wrote to memory of 1624	4348	explothe.exe	122

C:\Users\Admin\AppData\Local\Temp\b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe
"C:\Users\Admin\AppData\Local\Temp\b08799ff34387e8d47e1b3b9252ccf2d8e2a53277488c9de2ed44efc0bb5a8eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6541980.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6541980.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464011.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464011.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4541954.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4541954.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0962072.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0962072.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6623057.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6623057.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 140
        7⤵
        Program crash
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265172.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265172.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 540
        8⤵
        Program crash
        
        PID:696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 148
        7⤵
        Program crash
        
        PID:4472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3965780.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3965780.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4736
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 588
        6⤵
        Program crash
        
        PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1387655.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1387655.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3540
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6601973.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6601973.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4184
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1168
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1436
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:5044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2173201.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2173201.exe
  2⤵
  - Executes dropped EXE
  PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4384 -ip 4384
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4712 -ip 4712
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1204 -ip 1204
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2128 -ip 2128
1⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2173201.exe

Filesize
23KB

MD5
3b364a3de195bbe5f2328b7d364bcad2

SHA1
7b7881e8d55733beff6d5f6d9ab9bee2ed2cb837

SHA256
06d93f038e478a9fc1082b4acf4b1eaebe35a827003055f3786f7b925447a790

SHA512
49ef4ff0a171c172c75b7fa1d5dd6573cb42871b4fa3ffe87e510f50eaa3990b8181cf0a3248e81d49f725231073211fef5f92b2c18a050e05fe2a361698af85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2173201.exe

Filesize
23KB

MD5
3b364a3de195bbe5f2328b7d364bcad2

SHA1
7b7881e8d55733beff6d5f6d9ab9bee2ed2cb837

SHA256
06d93f038e478a9fc1082b4acf4b1eaebe35a827003055f3786f7b925447a790

SHA512
49ef4ff0a171c172c75b7fa1d5dd6573cb42871b4fa3ffe87e510f50eaa3990b8181cf0a3248e81d49f725231073211fef5f92b2c18a050e05fe2a361698af85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6541980.exe

Filesize
981KB

MD5
2219ed6c640ddff8bbb1a3717f591024

SHA1
0cab9dd89720924cfd14ead4f9ce0fe9ef96d6d1

SHA256
4fae98263a805f6affb325af00c54c152b7c39163c6695efb5fc432df0f406fa

SHA512
f1e55de3ead441de1e32eac049874e780fb538642101de37ff11900cfc00aaf59b4e0aa4489cc02308446e0c914a0a68bff1f3a34c64183370ae989c2806555c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6541980.exe

Filesize
981KB

MD5
2219ed6c640ddff8bbb1a3717f591024

SHA1
0cab9dd89720924cfd14ead4f9ce0fe9ef96d6d1

SHA256
4fae98263a805f6affb325af00c54c152b7c39163c6695efb5fc432df0f406fa

SHA512
f1e55de3ead441de1e32eac049874e780fb538642101de37ff11900cfc00aaf59b4e0aa4489cc02308446e0c914a0a68bff1f3a34c64183370ae989c2806555c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6601973.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6601973.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464011.exe

Filesize
799KB

MD5
a601f707890a320d5650dd0f91fd0120

SHA1
dfb94f3ab64035eed90c83782b47cb4ce8eb42c0

SHA256
32a742305b31d2a88b61ab1457f5b524b1bda2e90d8914650580600a9df776ff

SHA512
df0184fa08550f9c1dd108122ea2902621e9d93a0c745acd8884fe059756138293ea7c7db2ae16693ef01e65ad0045388047087928501b0de731cec7973b87d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2464011.exe

Filesize
799KB

MD5
a601f707890a320d5650dd0f91fd0120

SHA1
dfb94f3ab64035eed90c83782b47cb4ce8eb42c0

SHA256
32a742305b31d2a88b61ab1457f5b524b1bda2e90d8914650580600a9df776ff

SHA512
df0184fa08550f9c1dd108122ea2902621e9d93a0c745acd8884fe059756138293ea7c7db2ae16693ef01e65ad0045388047087928501b0de731cec7973b87d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1387655.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1387655.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4541954.exe

Filesize
616KB

MD5
cbf3f9ab5589e389eeff799ad495de89

SHA1
f1b4e2048d9babf0ba52b4d8cd8db72633b6ffc9

SHA256
7a26a036bca85ac5df8f12c4da2ac886b1844b0fe1f8e99931debc6110acfdf6

SHA512
aee73c26846471c370a6ca9da2332f9c825ab8ca50ef989ea5fdeda5a378004dbb6f16f9a3f64caba69a6823cfc0c8748cc71cf31a1d3b0f941e54cdba9dbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4541954.exe

Filesize
616KB

MD5
cbf3f9ab5589e389eeff799ad495de89

SHA1
f1b4e2048d9babf0ba52b4d8cd8db72633b6ffc9

SHA256
7a26a036bca85ac5df8f12c4da2ac886b1844b0fe1f8e99931debc6110acfdf6

SHA512
aee73c26846471c370a6ca9da2332f9c825ab8ca50ef989ea5fdeda5a378004dbb6f16f9a3f64caba69a6823cfc0c8748cc71cf31a1d3b0f941e54cdba9dbbb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3965780.exe

Filesize
390KB

MD5
6960d7411bfcbec2decb63b13d73b768

SHA1
98747c28d7820f6aff9ec741a800ce4638cd9a38

SHA256
777c305adc41b3cc8254f8d5b5c75b2e58ac541ee36940c58fa8b6f071a0037e

SHA512
ac77c7cba8c2593f7727eddeea6385e531c034c67dbde4e19f653bdc8db7c3145965110a7fe1f39cf2c2e8fb7659b6637fc65822ca526ef93e9a95e71360f27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3965780.exe

Filesize
390KB

MD5
6960d7411bfcbec2decb63b13d73b768

SHA1
98747c28d7820f6aff9ec741a800ce4638cd9a38

SHA256
777c305adc41b3cc8254f8d5b5c75b2e58ac541ee36940c58fa8b6f071a0037e

SHA512
ac77c7cba8c2593f7727eddeea6385e531c034c67dbde4e19f653bdc8db7c3145965110a7fe1f39cf2c2e8fb7659b6637fc65822ca526ef93e9a95e71360f27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0962072.exe

Filesize
344KB

MD5
9628141cd8011d060a5615f377234916

SHA1
43c955c442c9de5e3bf8c0f9624026640a90db1f

SHA256
45745116096ec45142d7d780f06bc97fb4e791c35d9c7df59314f2923cd34a79

SHA512
b4b87be19d368520b5c8f34aa234c1af38b57b2475add720c52abdc104407891c1cd7fd56483717c31fc7bc9bb111c3d71a0228ad5af57a4a1e7ca43714b5475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0962072.exe

Filesize
344KB

MD5
9628141cd8011d060a5615f377234916

SHA1
43c955c442c9de5e3bf8c0f9624026640a90db1f

SHA256
45745116096ec45142d7d780f06bc97fb4e791c35d9c7df59314f2923cd34a79

SHA512
b4b87be19d368520b5c8f34aa234c1af38b57b2475add720c52abdc104407891c1cd7fd56483717c31fc7bc9bb111c3d71a0228ad5af57a4a1e7ca43714b5475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6623057.exe

Filesize
227KB

MD5
141a130eeda2043e341e3ac72a61d716

SHA1
c0511c9b23a4652db5477c1fdf78d398492cc7a6

SHA256
bc4633d4a5e368ca7641c0646900ea454f436592cbcc5be8d1f79d0bf94aa640

SHA512
cb4853e0f313dcb022be0daa154d2c18babffb6e39fa20227f4fd0faaa7d735e9885c7aea68d3f213827b808972f017d3da10b4493ee195a589c61975940bcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6623057.exe

Filesize
227KB

MD5
141a130eeda2043e341e3ac72a61d716

SHA1
c0511c9b23a4652db5477c1fdf78d398492cc7a6

SHA256
bc4633d4a5e368ca7641c0646900ea454f436592cbcc5be8d1f79d0bf94aa640

SHA512
cb4853e0f313dcb022be0daa154d2c18babffb6e39fa20227f4fd0faaa7d735e9885c7aea68d3f213827b808972f017d3da10b4493ee195a589c61975940bcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265172.exe

Filesize
356KB

MD5
ad9bca9ab85124a740558e1168709c29

SHA1
2bf89d306af387fde0f03f34f6f8df6f166920b2

SHA256
1f4f1e1c31ddbe34aeb522d75265bf968cdff7a6c49a9b2e4f651491b72aa67a

SHA512
d72631a7168c12c74bcf672250d88efdb5286084f3129be89776d28e23fc672d6a343976c3a2fbb365c4a3ad30d7bd013bd592626acc858f5e32c26d00f19a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265172.exe

Filesize
356KB

MD5
ad9bca9ab85124a740558e1168709c29

SHA1
2bf89d306af387fde0f03f34f6f8df6f166920b2

SHA256
1f4f1e1c31ddbe34aeb522d75265bf968cdff7a6c49a9b2e4f651491b72aa67a

SHA512
d72631a7168c12c74bcf672250d88efdb5286084f3129be89776d28e23fc672d6a343976c3a2fbb365c4a3ad30d7bd013bd592626acc858f5e32c26d00f19a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
memory/1204-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1204-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1204-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1204-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2792-36-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-49-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-45-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2792-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4736-53-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-72-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/4736-68-0x00000000056C0000-0x00000000056FC000-memory.dmp

Filesize
240KB

Download
memory/4736-63-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4736-64-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/4736-61-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/4736-60-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/4736-88-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4736-89-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/4736-54-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/4736-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download