amadey | 5b4fc6c7ee5931ae3a64c2fcd99351a7e528bd6f5bf1741bbb70349c2b231841

Analysis

max time kernel
209s
max time network
226s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe
Size

1.1MB
MD5

c1dc64e77db822294671750564678439
SHA1

b7f771f4ae0cfabe24f7f1a3386222f9b83937e3
SHA256

d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209
SHA512

65d807eb0b1dfdcc47e25eec9afcd47c580bea8dfaca19d8b5ab5ceeae7ffecef7077c70770c8a8ded054820825a7b0e03594b6affa32635bfb585e8583adf73
SSDEEP

12288:9MrZy90E31nsErgH6XYSzufmHSXZdSZ1621NCrb7lUSXQZ15G8gZj/JqMGQvg2WR:4yt1sEf/zufmkEW21NCziSkdg14QRu

Score

10^/10

amadey healer mystic redline darts dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3900-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3900-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3900-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3900-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/896-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	t1396144.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	u8454419.exe

Executes dropped EXE 12 IoCs

pid	Process
3596	z6835711.exe
1692	z9135664.exe
752	z6358304.exe
1048	z6495956.exe
3120	q5310711.exe
1020	r2038990.exe
4472	s3949249.exe
3680	t1396144.exe
3716	explonde.exe
4944	u8454419.exe
4040	legota.exe
3356	w1331418.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6835711.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9135664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6358304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6495956.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3120 set thread context of 896	3120	q5310711.exe	94
PID 1020 set thread context of 3900	1020	r2038990.exe	103
PID 4472 set thread context of 1688	4472	s3949249.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3080	3120	WerFault.exe	93
2312	1020	WerFault.exe	101
1964	3900	WerFault.exe	103
2120	4472	WerFault.exe	108

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
896	AppLaunch.exe
896	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	896	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3596	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	89
PID 4452 wrote to memory of 3596	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	89
PID 4452 wrote to memory of 3596	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	89
PID 3596 wrote to memory of 1692	3596	z6835711.exe	90
PID 3596 wrote to memory of 1692	3596	z6835711.exe	90
PID 3596 wrote to memory of 1692	3596	z6835711.exe	90
PID 1692 wrote to memory of 752	1692	z9135664.exe	91
PID 1692 wrote to memory of 752	1692	z9135664.exe	91
PID 1692 wrote to memory of 752	1692	z9135664.exe	91
PID 752 wrote to memory of 1048	752	z6358304.exe	92
PID 752 wrote to memory of 1048	752	z6358304.exe	92
PID 752 wrote to memory of 1048	752	z6358304.exe	92
PID 1048 wrote to memory of 3120	1048	z6495956.exe	93
PID 1048 wrote to memory of 3120	1048	z6495956.exe	93
PID 1048 wrote to memory of 3120	1048	z6495956.exe	93
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 3120 wrote to memory of 896	3120	q5310711.exe	94
PID 1048 wrote to memory of 1020	1048	z6495956.exe	101
PID 1048 wrote to memory of 1020	1048	z6495956.exe	101
PID 1048 wrote to memory of 1020	1048	z6495956.exe	101
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 1020 wrote to memory of 3900	1020	r2038990.exe	103
PID 752 wrote to memory of 4472	752	z6358304.exe	108
PID 752 wrote to memory of 4472	752	z6358304.exe	108
PID 752 wrote to memory of 4472	752	z6358304.exe	108
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 4472 wrote to memory of 1688	4472	s3949249.exe	109
PID 1692 wrote to memory of 3680	1692	z9135664.exe	112
PID 1692 wrote to memory of 3680	1692	z9135664.exe	112
PID 1692 wrote to memory of 3680	1692	z9135664.exe	112
PID 3680 wrote to memory of 3716	3680	t1396144.exe	113
PID 3680 wrote to memory of 3716	3680	t1396144.exe	113
PID 3680 wrote to memory of 3716	3680	t1396144.exe	113
PID 3596 wrote to memory of 4944	3596	z6835711.exe	114
PID 3596 wrote to memory of 4944	3596	z6835711.exe	114
PID 3596 wrote to memory of 4944	3596	z6835711.exe	114
PID 4944 wrote to memory of 4040	4944	u8454419.exe	116
PID 4944 wrote to memory of 4040	4944	u8454419.exe	116
PID 4944 wrote to memory of 4040	4944	u8454419.exe	116
PID 4452 wrote to memory of 3356	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	118
PID 4452 wrote to memory of 3356	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	118
PID 4452 wrote to memory of 3356	4452	d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe	118
PID 4040 wrote to memory of 2832	4040	legota.exe	119
PID 4040 wrote to memory of 2832	4040	legota.exe	119

C:\Users\Admin\AppData\Local\Temp\d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe
"C:\Users\Admin\AppData\Local\Temp\d5548231bcd8aa72b541ea173b3e186a14338caae1d74db3649326e9168b7209.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6835711.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6835711.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9135664.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9135664.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6358304.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6358304.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6495956.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6495956.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5310711.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5310711.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 552
        7⤵
        Program crash
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2038990.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2038990.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 540
        8⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 552
        7⤵
        Program crash
        
        PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3949249.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3949249.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 580
        6⤵
        Program crash
        
        PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1396144.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1396144.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3716
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8454419.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8454419.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:3344
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4256
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:3588
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:3004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:1928
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1331418.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1331418.exe
  2⤵
  - Executes dropped EXE
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3120 -ip 3120
1⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1020 -ip 1020
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3900 -ip 3900
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4472 -ip 4472
1⤵
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1331418.exe

Filesize
21KB

MD5
ea1670fa6b7a465e3e4f5cf4d52eedfd

SHA1
162403dfcca42300cafb788f3675f84013040723

SHA256
780a804a06ad32bb6e0dbec74b1c0e36fd6e33b714a46fe923e5277c8b0963d5

SHA512
c7f0c9af60e32a0a694ae9d810f48271495d33ea2087f9763b0a14177d6665d80a4a2f2a15cf51474c31ff918ab1134d85c93288ae34ad327f98c87a6a5d410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w1331418.exe

Filesize
21KB

MD5
ea1670fa6b7a465e3e4f5cf4d52eedfd

SHA1
162403dfcca42300cafb788f3675f84013040723

SHA256
780a804a06ad32bb6e0dbec74b1c0e36fd6e33b714a46fe923e5277c8b0963d5

SHA512
c7f0c9af60e32a0a694ae9d810f48271495d33ea2087f9763b0a14177d6665d80a4a2f2a15cf51474c31ff918ab1134d85c93288ae34ad327f98c87a6a5d410e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6835711.exe

Filesize
984KB

MD5
e91e5bdb9155b8503061c122bbf6bf90

SHA1
efe09146ad319072244593418836f41c9b4e7662

SHA256
bd559264af159fde5d0e5d873b9acea7f42cbc6044fec0085fb6a95466273a7b

SHA512
243eff618138056e1a3aa390dee73e5d3383d78b1371528164130cbceedbc405872f9c807b587d7da5a8c6445d3c56aefaa75e958de2afe5acaf514654464237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6835711.exe

Filesize
984KB

MD5
e91e5bdb9155b8503061c122bbf6bf90

SHA1
efe09146ad319072244593418836f41c9b4e7662

SHA256
bd559264af159fde5d0e5d873b9acea7f42cbc6044fec0085fb6a95466273a7b

SHA512
243eff618138056e1a3aa390dee73e5d3383d78b1371528164130cbceedbc405872f9c807b587d7da5a8c6445d3c56aefaa75e958de2afe5acaf514654464237

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8454419.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8454419.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9135664.exe

Filesize
801KB

MD5
3e5e3c6f6d4c2c2638628bf310cb6f29

SHA1
9aa689b810dda895953a1252e02de5a3f9d40150

SHA256
c148104f8e894576ddde000e803dfd9337a9731a915aea5bd76822156a197c05

SHA512
0cfa31d6fadeafde35d05a65d8865b341ec3711ae3b4bea51d23fd305fa9f16fb0b6da440c68b70cfdb43cac484f333546371f98aba220461f7ae3d6110a2d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9135664.exe

Filesize
801KB

MD5
3e5e3c6f6d4c2c2638628bf310cb6f29

SHA1
9aa689b810dda895953a1252e02de5a3f9d40150

SHA256
c148104f8e894576ddde000e803dfd9337a9731a915aea5bd76822156a197c05

SHA512
0cfa31d6fadeafde35d05a65d8865b341ec3711ae3b4bea51d23fd305fa9f16fb0b6da440c68b70cfdb43cac484f333546371f98aba220461f7ae3d6110a2d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1396144.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1396144.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6358304.exe

Filesize
618KB

MD5
a9c08c9fda29ce38293797a4c95e5968

SHA1
087f182d993096deab4f29b9c34031eae086c7f8

SHA256
c75db48638e85a9068004c676c61bdced9ee20c6c8046d6619c20b9f21452812

SHA512
7c478556f4219fbed303415ee0157988d504507e95e2166f76eb6eb26cde86dba7827dec9a5bd8d21ea7db0be1b43d65f683bfc957f26d3f158e5161bfb084df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6358304.exe

Filesize
618KB

MD5
a9c08c9fda29ce38293797a4c95e5968

SHA1
087f182d993096deab4f29b9c34031eae086c7f8

SHA256
c75db48638e85a9068004c676c61bdced9ee20c6c8046d6619c20b9f21452812

SHA512
7c478556f4219fbed303415ee0157988d504507e95e2166f76eb6eb26cde86dba7827dec9a5bd8d21ea7db0be1b43d65f683bfc957f26d3f158e5161bfb084df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3949249.exe

Filesize
398KB

MD5
12854248a383afeacb0e667a8426e119

SHA1
84cf56162b10b6058fa7cd4fb66dfdd58c82250e

SHA256
53dbe1a9ee72a7b7c17017cbfdca611b475086b91dcf02fbba7ef195bf8ddfe0

SHA512
3d7995fbf8e7d45de3dff25d5741ec653da71b2b11f883501e09b37e2bfa46642704affcb9d06995ddcbfd913f225663afade1110d68902bd0ac378b1bc5214d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3949249.exe

Filesize
398KB

MD5
12854248a383afeacb0e667a8426e119

SHA1
84cf56162b10b6058fa7cd4fb66dfdd58c82250e

SHA256
53dbe1a9ee72a7b7c17017cbfdca611b475086b91dcf02fbba7ef195bf8ddfe0

SHA512
3d7995fbf8e7d45de3dff25d5741ec653da71b2b11f883501e09b37e2bfa46642704affcb9d06995ddcbfd913f225663afade1110d68902bd0ac378b1bc5214d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6495956.exe

Filesize
348KB

MD5
d6af8816336d01f902ee8e25988296bf

SHA1
51834785bbf5a9eb6f96d0eac64ce351f42cf874

SHA256
61b93da6a3d50d369e989718c050f82b8048b44404edc4c4dfe7e5c0184d23bf

SHA512
45e1ecbf0b2d6f4e9d4b87a02b2fb303e301976691db75e781fafcd83f6bd9093de2d9290df36609079c523f39c0b2750321f1ea67351947a95e3ee5e6a90e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6495956.exe

Filesize
348KB

MD5
d6af8816336d01f902ee8e25988296bf

SHA1
51834785bbf5a9eb6f96d0eac64ce351f42cf874

SHA256
61b93da6a3d50d369e989718c050f82b8048b44404edc4c4dfe7e5c0184d23bf

SHA512
45e1ecbf0b2d6f4e9d4b87a02b2fb303e301976691db75e781fafcd83f6bd9093de2d9290df36609079c523f39c0b2750321f1ea67351947a95e3ee5e6a90e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5310711.exe

Filesize
235KB

MD5
736cb427884b25628b6bb89460aac430

SHA1
2331917c0cf243a1f678b311c35c4f857a1b6620

SHA256
b3f96f294fa99764ac1c5b3566fefcbd215f99b226be9ed870a41d3bdee0e448

SHA512
9568feeb09dfe1f84219c25a184eb005d8daa1c0ab35513f420b07057b26369fe7eb02adc1c5aaa0270d71a5dfbee2e7faa7f79ad54f5c7c0bf67c93f8a642b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5310711.exe

Filesize
235KB

MD5
736cb427884b25628b6bb89460aac430

SHA1
2331917c0cf243a1f678b311c35c4f857a1b6620

SHA256
b3f96f294fa99764ac1c5b3566fefcbd215f99b226be9ed870a41d3bdee0e448

SHA512
9568feeb09dfe1f84219c25a184eb005d8daa1c0ab35513f420b07057b26369fe7eb02adc1c5aaa0270d71a5dfbee2e7faa7f79ad54f5c7c0bf67c93f8a642b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2038990.exe

Filesize
364KB

MD5
ed9f87dd0f5b6e29b8adb2b4f1da1ea0

SHA1
27170f6f5563a10e7b8477c92e40bbf53ae34d10

SHA256
3d7f0b7d365c79852880bfd0c8b0d695ad4e82434fba75b675491a55c43aa4d8

SHA512
0f6dde5eb2df433d65f01b08330e4f125daa6023fbce10b5a7dd3b85aef4ee2099b138b5eae4aa413370695d2109881da2851c1719b9c84cbcab6098c6aa6fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2038990.exe

Filesize
364KB

MD5
ed9f87dd0f5b6e29b8adb2b4f1da1ea0

SHA1
27170f6f5563a10e7b8477c92e40bbf53ae34d10

SHA256
3d7f0b7d365c79852880bfd0c8b0d695ad4e82434fba75b675491a55c43aa4d8

SHA512
0f6dde5eb2df433d65f01b08330e4f125daa6023fbce10b5a7dd3b85aef4ee2099b138b5eae4aa413370695d2109881da2851c1719b9c84cbcab6098c6aa6fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/896-39-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/896-37-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/896-36-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/896-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1688-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1688-55-0x0000000073350000-0x0000000073B00000-memory.dmp

Filesize
7.7MB

Download
memory/1688-64-0x0000000005630000-0x0000000005642000-memory.dmp

Filesize
72KB

Download
memory/1688-65-0x00000000057A0000-0x00000000057DC000-memory.dmp

Filesize
240KB

Download
memory/1688-70-0x00000000057E0000-0x000000000582C000-memory.dmp

Filesize
304KB

Download
memory/1688-62-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/1688-61-0x0000000005DC0000-0x00000000063D8000-memory.dmp

Filesize
6.1MB

Download
memory/1688-63-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/1688-54-0x0000000001430000-0x0000000001436000-memory.dmp

Filesize
24KB

Download
memory/1688-53-0x0000000073350000-0x0000000073B00000-memory.dmp

Filesize
7.7MB

Download
memory/1688-89-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/3900-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3900-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3900-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3900-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download