amadey | 9878c85c6aace37e47d4cce684ed99eeab0e81aaa340db79b357ad8ae31cdeec

Analysis

max time kernel
163s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.49e5333fa65811f1542c4c66951a8880.exe
Size

1.2MB
MD5

49e5333fa65811f1542c4c66951a8880
SHA1

3b7a6e34ccf09d240939e9416774a834eef60ce6
SHA256

9878c85c6aace37e47d4cce684ed99eeab0e81aaa340db79b357ad8ae31cdeec
SHA512

8466a9842e6b3ba22a8cb60cec06ca2c924974595ce22160b25b69b85b675212506e6fae01e0dafa5784420a807f6e54ef7049885b773662bf8915a7f79abc20
SSDEEP

24576:IySsXE7PO7b3W58YzUSKRxr3moqnEouIG4bfyXYIkiwuqKwmJ58JH:Pn0rO7bGS/SKRxrWoqnExV4bqoIg858J

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5084-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explothe.exe5vx6xP4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	5vx6xP4.exe

Executes dropped EXE 11 IoCs

Processes:

qP2GZ60.exedx5VI35.exeog1gO29.exe1XR11ic6.exe2BU7795.exe3qm21LO.exe4eR196VM.exe5vx6xP4.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4624	qP2GZ60.exe
1828	dx5VI35.exe
4376	og1gO29.exe
1428	1XR11ic6.exe
728	2BU7795.exe
2256	3qm21LO.exe
812	4eR196VM.exe
4924	5vx6xP4.exe
3916	explothe.exe
3356	explothe.exe
1964	explothe.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

876 rundll32.exe

pid	process
876	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.49e5333fa65811f1542c4c66951a8880.exeqP2GZ60.exedx5VI35.exeog1gO29.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.49e5333fa65811f1542c4c66951a8880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	qP2GZ60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dx5VI35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	og1gO29.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1XR11ic6.exe2BU7795.exe4eR196VM.exe

description	pid	process	target process
PID 1428 set thread context of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 728 set thread context of 2480	728	2BU7795.exe	AppLaunch.exe
PID 812 set thread context of 5084	812	4eR196VM.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2860 2480 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2860	2480	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3qm21LO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qm21LO.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qm21LO.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qm21LO.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1896 schtasks.exe

pid	process
1896	schtasks.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3qm21LO.exeAppLaunch.exe

pid	process
2256	3qm21LO.exe
2256	3qm21LO.exe
3524	AppLaunch.exe
3524	AppLaunch.exe
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276
3276

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3276
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3qm21LO.exe

pid process

2256 3qm21LO.exe

pid	process
3276

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3524	AppLaunch.exe
Token: SeShutdownPrivilege	3276
Token: SeCreatePagefilePrivilege	3276
Token: SeShutdownPrivilege	3276
Token: SeCreatePagefilePrivilege	3276

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3276
3276

pid	process
3276
3276

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.49e5333fa65811f1542c4c66951a8880.exeqP2GZ60.exedx5VI35.exeog1gO29.exe1XR11ic6.exe2BU7795.exe4eR196VM.exe5vx6xP4.exeexplothe.exe

description	pid	process	target process
PID 1744 wrote to memory of 4624	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	qP2GZ60.exe
PID 1744 wrote to memory of 4624	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	qP2GZ60.exe
PID 1744 wrote to memory of 4624	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	qP2GZ60.exe
PID 4624 wrote to memory of 1828	4624	qP2GZ60.exe	dx5VI35.exe
PID 4624 wrote to memory of 1828	4624	qP2GZ60.exe	dx5VI35.exe
PID 4624 wrote to memory of 1828	4624	qP2GZ60.exe	dx5VI35.exe
PID 1828 wrote to memory of 4376	1828	dx5VI35.exe	og1gO29.exe
PID 1828 wrote to memory of 4376	1828	dx5VI35.exe	og1gO29.exe
PID 1828 wrote to memory of 4376	1828	dx5VI35.exe	og1gO29.exe
PID 4376 wrote to memory of 1428	4376	og1gO29.exe	1XR11ic6.exe
PID 4376 wrote to memory of 1428	4376	og1gO29.exe	1XR11ic6.exe
PID 4376 wrote to memory of 1428	4376	og1gO29.exe	1XR11ic6.exe
PID 1428 wrote to memory of 1284	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 1284	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 1284	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 4136	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 4136	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 4136	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 1428 wrote to memory of 3524	1428	1XR11ic6.exe	AppLaunch.exe
PID 4376 wrote to memory of 728	4376	og1gO29.exe	2BU7795.exe
PID 4376 wrote to memory of 728	4376	og1gO29.exe	2BU7795.exe
PID 4376 wrote to memory of 728	4376	og1gO29.exe	2BU7795.exe
PID 728 wrote to memory of 2640	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2640	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2640	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 728 wrote to memory of 2480	728	2BU7795.exe	AppLaunch.exe
PID 1828 wrote to memory of 2256	1828	dx5VI35.exe	3qm21LO.exe
PID 1828 wrote to memory of 2256	1828	dx5VI35.exe	3qm21LO.exe
PID 1828 wrote to memory of 2256	1828	dx5VI35.exe	3qm21LO.exe
PID 4624 wrote to memory of 812	4624	qP2GZ60.exe	4eR196VM.exe
PID 4624 wrote to memory of 812	4624	qP2GZ60.exe	4eR196VM.exe
PID 4624 wrote to memory of 812	4624	qP2GZ60.exe	4eR196VM.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 812 wrote to memory of 5084	812	4eR196VM.exe	AppLaunch.exe
PID 1744 wrote to memory of 4924	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	5vx6xP4.exe
PID 1744 wrote to memory of 4924	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	5vx6xP4.exe
PID 1744 wrote to memory of 4924	1744	NEAS.49e5333fa65811f1542c4c66951a8880.exe	5vx6xP4.exe
PID 4924 wrote to memory of 3916	4924	5vx6xP4.exe	explothe.exe
PID 4924 wrote to memory of 3916	4924	5vx6xP4.exe	explothe.exe
PID 4924 wrote to memory of 3916	4924	5vx6xP4.exe	explothe.exe
PID 3916 wrote to memory of 1896	3916	explothe.exe	schtasks.exe
PID 3916 wrote to memory of 1896	3916	explothe.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.49e5333fa65811f1542c4c66951a8880.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.49e5333fa65811f1542c4c66951a8880.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qP2GZ60.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qP2GZ60.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dx5VI35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dx5VI35.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\og1gO29.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\og1gO29.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1XR11ic6.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1XR11ic6.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BU7795.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BU7795.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 540
7⤵
- Program crash
PID:2860

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qm21LO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qm21LO.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4eR196VM.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4eR196VM.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5vx6xP4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5vx6xP4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
4⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3100

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
5⤵
PID:3984

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
5⤵
PID:1612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4988

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:2504

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:4920

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2480 -ip 2480
1⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5vx6xP4.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5vx6xP4.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qP2GZ60.exe
Filesize
1.0MB

MD5
70ed3118574b86bf6095c7e7b91c3f2d

SHA1
13ce7cf2e5935ce9e51b6b4fd2596dd8e2a19730

SHA256
bb83965a86ed12f0409302ee72287c520529d534f0851a624bda53516b30b76a

SHA512
d558df6ca9cb3e9c802cf794bfa80778c12464f3cf554c0593d7a0130fd2706dd82958681ece32b19d9efcaad1fa7c95332b0f61b4e1b10c3c83c6678a4075a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qP2GZ60.exe
Filesize
1.0MB

MD5
70ed3118574b86bf6095c7e7b91c3f2d

SHA1
13ce7cf2e5935ce9e51b6b4fd2596dd8e2a19730

SHA256
bb83965a86ed12f0409302ee72287c520529d534f0851a624bda53516b30b76a

SHA512
d558df6ca9cb3e9c802cf794bfa80778c12464f3cf554c0593d7a0130fd2706dd82958681ece32b19d9efcaad1fa7c95332b0f61b4e1b10c3c83c6678a4075a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4eR196VM.exe
Filesize
1.1MB

MD5
e969eceaef48cd4ad616a7fa9b927aa7

SHA1
2a83c1f777b52d37d0edefc635a0ce2b79612679

SHA256
97dc6a351b554b56483b17a7e385805928cda3c10dc99f14466638350d5ee0e1

SHA512
6cd36abd6ebab859925814518317ab7ad0a8c5be305d275a0cde1909066c045d9a0093d0e8eb48e85cba4ea9201adbdcfbdc8dce26a97cab5edea61128b0ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4eR196VM.exe
Filesize
1.1MB

MD5
e969eceaef48cd4ad616a7fa9b927aa7

SHA1
2a83c1f777b52d37d0edefc635a0ce2b79612679

SHA256
97dc6a351b554b56483b17a7e385805928cda3c10dc99f14466638350d5ee0e1

SHA512
6cd36abd6ebab859925814518317ab7ad0a8c5be305d275a0cde1909066c045d9a0093d0e8eb48e85cba4ea9201adbdcfbdc8dce26a97cab5edea61128b0ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dx5VI35.exe
Filesize
643KB

MD5
b056f7becfa2507fd3a0a06865fe74e0

SHA1
02883a91ddadda625af3f4a18c2faf6ba567f5a4

SHA256
417817f75020f361e9da5514a9057bcbb1f71ab437fa66943df8549f2068987e

SHA512
ed4bef2ed45b345b9dccd97d8cfcf47771980aaa751b6701fc50454bb842b419cad1d4ec81a673c87330390e4cdb598515a211de212f069dacaf99890c19f5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dx5VI35.exe
Filesize
643KB

MD5
b056f7becfa2507fd3a0a06865fe74e0

SHA1
02883a91ddadda625af3f4a18c2faf6ba567f5a4

SHA256
417817f75020f361e9da5514a9057bcbb1f71ab437fa66943df8549f2068987e

SHA512
ed4bef2ed45b345b9dccd97d8cfcf47771980aaa751b6701fc50454bb842b419cad1d4ec81a673c87330390e4cdb598515a211de212f069dacaf99890c19f5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qm21LO.exe
Filesize
30KB

MD5
616b443f4b896458ff5d0e9c3502c27d

SHA1
7770acfd4031496e16d139f73ffa15a410a9d81e

SHA256
b33e4b4357bc3d11aa914d0a23d426e91bea5856ddd7f21504ed386e03fea1f3

SHA512
ee7d8260ad734abab730fc5564a121c7a0c458cae3bf03544606b0bc5359a0c94af912460d25e6a42d1fff3b3a0a6df5ed68884d2f26d46c89a649f770dc3b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qm21LO.exe
Filesize
30KB

MD5
616b443f4b896458ff5d0e9c3502c27d

SHA1
7770acfd4031496e16d139f73ffa15a410a9d81e

SHA256
b33e4b4357bc3d11aa914d0a23d426e91bea5856ddd7f21504ed386e03fea1f3

SHA512
ee7d8260ad734abab730fc5564a121c7a0c458cae3bf03544606b0bc5359a0c94af912460d25e6a42d1fff3b3a0a6df5ed68884d2f26d46c89a649f770dc3b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\og1gO29.exe
Filesize
519KB

MD5
f025a24b0a8b75fd6565587993b52ed2

SHA1
1e94e85060f073f658c61439849fd5641d08e582

SHA256
fe8536c5d692f20e7e11ee9c3bc5600a183b910ca0d964a0344276f0792e4874

SHA512
1a90a56e4d175db8de08f3b3534d2f61cba495bb48b1c78477260b96e8cd37194dde30129752dc7a5b89e10de138cbf3df07710ac1f4dd25cb30591262dd11fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\og1gO29.exe
Filesize
519KB

MD5
f025a24b0a8b75fd6565587993b52ed2

SHA1
1e94e85060f073f658c61439849fd5641d08e582

SHA256
fe8536c5d692f20e7e11ee9c3bc5600a183b910ca0d964a0344276f0792e4874

SHA512
1a90a56e4d175db8de08f3b3534d2f61cba495bb48b1c78477260b96e8cd37194dde30129752dc7a5b89e10de138cbf3df07710ac1f4dd25cb30591262dd11fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1XR11ic6.exe
Filesize
878KB

MD5
57a7e275f6dd97b3b900107513b32d69

SHA1
b02420cef78872d9cccbc922d7b308cde8972389

SHA256
372ef641d00fcfe74e4ae7e05f7a44470ea44c6d641810423e3d489c0864dc36

SHA512
fc68d755bf4881d08d1010a242a32e6717fc378a4f732a9551633d57513e9ba9f11a681e190db3be0e2d72d4bb9184a433248ecdb95fa9073bfaf99ca3b2be38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1XR11ic6.exe
Filesize
878KB

MD5
57a7e275f6dd97b3b900107513b32d69

SHA1
b02420cef78872d9cccbc922d7b308cde8972389

SHA256
372ef641d00fcfe74e4ae7e05f7a44470ea44c6d641810423e3d489c0864dc36

SHA512
fc68d755bf4881d08d1010a242a32e6717fc378a4f732a9551633d57513e9ba9f11a681e190db3be0e2d72d4bb9184a433248ecdb95fa9073bfaf99ca3b2be38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BU7795.exe
Filesize
1.1MB

MD5
49fcdccb01f6dec9b1b6d3e79062704b

SHA1
61d3b3962c8a9bc7d9d7eb504a2abaf04723212c

SHA256
465e335a567a51c2f0543a891a08acb4218c132742bc22dae16fc1085ba5988d

SHA512
28d76cfbf1df0ec3749f0ce436c0a8b0c2e44c20e5ca25b8df72bbd6e448c284e6341c17c47e819b2315b6eeaf3d2a6abb956e331b61610ef9548a9f4f3b0294

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2BU7795.exe
Filesize
1.1MB

MD5
49fcdccb01f6dec9b1b6d3e79062704b

SHA1
61d3b3962c8a9bc7d9d7eb504a2abaf04723212c

SHA256
465e335a567a51c2f0543a891a08acb4218c132742bc22dae16fc1085ba5988d

SHA512
28d76cfbf1df0ec3749f0ce436c0a8b0c2e44c20e5ca25b8df72bbd6e448c284e6341c17c47e819b2315b6eeaf3d2a6abb956e331b61610ef9548a9f4f3b0294

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
220KB

MD5
32fe1f2aeb6189f43e2df6e8d4fc19ba

SHA1
ce9baf7d7bf7ece34d0d8bb6557f0dc899a3e69d

SHA256
7770a0f046ab4529c66519746a2e2e28712e1b4fc7096311b278ed56b1a18fed

SHA512
a08ccfc1db546237ec136f04d90c6fceaed12cc39217b141981449e1d8c149d80ffa192cd9329166d9ecd8fbcb0de5d4dced0ed63f50186555eeec103d6d27ec

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
memory/2256-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2256-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2480-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2480-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3276-42-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/3524-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3524-32-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3524-67-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3524-69-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5084-71-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/5084-72-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

Filesize
72KB

Download
memory/5084-73-0x0000000007E00000-0x0000000007E3C000-memory.dmp

Filesize
240KB

Download
memory/5084-74-0x0000000007F80000-0x0000000007FCC000-memory.dmp

Filesize
304KB

Download
memory/5084-75-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-76-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Filesize
64KB

Download
memory/5084-70-0x0000000008BC0000-0x00000000091D8000-memory.dmp

Filesize
6.1MB

Download
memory/5084-56-0x0000000007FF0000-0x0000000008594000-memory.dmp

Filesize
5.6MB

Download
memory/5084-53-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-63-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

Filesize
40KB

Download
memory/5084-58-0x0000000007CD0000-0x0000000007CE0000-memory.dmp

Filesize
64KB

Download
memory/5084-57-0x0000000007AE0000-0x0000000007B72000-memory.dmp

Filesize
584KB

Download