amadey | 9ec5d0e09febfa8b01bdc3537e7db491b4d99e977d3e19b7cfda27fa0a3d6624

Analysis

max time kernel
159s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe
Size

1.2MB
MD5

cbef3cc73a8de12023058afc339c27a0
SHA1

d852dad521684bd59dc4882d1a41768b99c464b3
SHA256

9ec5d0e09febfa8b01bdc3537e7db491b4d99e977d3e19b7cfda27fa0a3d6624
SHA512

6cb3a7cf1f1cfecd01650b47fc8efd725b8df0ce7ff52e079dc8c4d20eb2b54478b25f29e51433fd559d02aadff80e540562e8c52b736e3cc605598a269f69cc
SSDEEP

24576:tySMI4KG1PBLn8RvvSwimYs8ZwFhMLhSDBFwgboHHomcfjUb3wwelWqWt/y6wkO:ISb4KG1PBLnY6BmYs8H1Mw4EomCj0zRk

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/836-49-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5om7cl1.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	5om7cl1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 11 IoCs

Processes:

mH0Wf61.exesU8ei24.exeyV4mI14.exe1pV03FS7.exe2Yl7260.exe3yT10Yr.exe4qc317zE.exe5om7cl1.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
3132	mH0Wf61.exe
1408	sU8ei24.exe
3660	yV4mI14.exe
3600	1pV03FS7.exe
1808	2Yl7260.exe
4152	3yT10Yr.exe
1952	4qc317zE.exe
2960	5om7cl1.exe
4948	explothe.exe
4064	explothe.exe
4884	explothe.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exemH0Wf61.exesU8ei24.exeyV4mI14.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	mH0Wf61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	sU8ei24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	yV4mI14.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1pV03FS7.exe2Yl7260.exe4qc317zE.exe

description	pid	process	target process
PID 3600 set thread context of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 1808 set thread context of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1952 set thread context of 836	1952	4qc317zE.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2724 4396 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
2724	4396	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3yT10Yr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3yT10Yr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3yT10Yr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3yT10Yr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3904 schtasks.exe

pid	process
3904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3yT10Yr.exeAppLaunch.exe

pid	process
4152	3yT10Yr.exe
4152	3yT10Yr.exe
1980	AppLaunch.exe
1980	AppLaunch.exe
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3324
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3yT10Yr.exe

pid process

4152 3yT10Yr.exe

pid	process
3324

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1980	AppLaunch.exe
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324
Token: SeShutdownPrivilege	3324
Token: SeCreatePagefilePrivilege	3324

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3324
3324

pid	process
3324
3324

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exemH0Wf61.exesU8ei24.exeyV4mI14.exe1pV03FS7.exe2Yl7260.exe4qc317zE.exe5om7cl1.exeexplothe.exe

description	pid	process	target process
PID 4808 wrote to memory of 3132	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	mH0Wf61.exe
PID 4808 wrote to memory of 3132	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	mH0Wf61.exe
PID 4808 wrote to memory of 3132	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	mH0Wf61.exe
PID 3132 wrote to memory of 1408	3132	mH0Wf61.exe	sU8ei24.exe
PID 3132 wrote to memory of 1408	3132	mH0Wf61.exe	sU8ei24.exe
PID 3132 wrote to memory of 1408	3132	mH0Wf61.exe	sU8ei24.exe
PID 1408 wrote to memory of 3660	1408	sU8ei24.exe	yV4mI14.exe
PID 1408 wrote to memory of 3660	1408	sU8ei24.exe	yV4mI14.exe
PID 1408 wrote to memory of 3660	1408	sU8ei24.exe	yV4mI14.exe
PID 3660 wrote to memory of 3600	3660	yV4mI14.exe	1pV03FS7.exe
PID 3660 wrote to memory of 3600	3660	yV4mI14.exe	1pV03FS7.exe
PID 3660 wrote to memory of 3600	3660	yV4mI14.exe	1pV03FS7.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3600 wrote to memory of 1980	3600	1pV03FS7.exe	AppLaunch.exe
PID 3660 wrote to memory of 1808	3660	yV4mI14.exe	2Yl7260.exe
PID 3660 wrote to memory of 1808	3660	yV4mI14.exe	2Yl7260.exe
PID 3660 wrote to memory of 1808	3660	yV4mI14.exe	2Yl7260.exe
PID 1808 wrote to memory of 1600	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 1600	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 1600	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4780	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4780	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4780	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 1040	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 1040	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 1040	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1808 wrote to memory of 4396	1808	2Yl7260.exe	AppLaunch.exe
PID 1408 wrote to memory of 4152	1408	sU8ei24.exe	3yT10Yr.exe
PID 1408 wrote to memory of 4152	1408	sU8ei24.exe	3yT10Yr.exe
PID 1408 wrote to memory of 4152	1408	sU8ei24.exe	3yT10Yr.exe
PID 3132 wrote to memory of 1952	3132	mH0Wf61.exe	4qc317zE.exe
PID 3132 wrote to memory of 1952	3132	mH0Wf61.exe	4qc317zE.exe
PID 3132 wrote to memory of 1952	3132	mH0Wf61.exe	4qc317zE.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 1952 wrote to memory of 836	1952	4qc317zE.exe	AppLaunch.exe
PID 4808 wrote to memory of 2960	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	5om7cl1.exe
PID 4808 wrote to memory of 2960	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	5om7cl1.exe
PID 4808 wrote to memory of 2960	4808	NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe	5om7cl1.exe
PID 2960 wrote to memory of 4948	2960	5om7cl1.exe	explothe.exe
PID 2960 wrote to memory of 4948	2960	5om7cl1.exe	explothe.exe
PID 2960 wrote to memory of 4948	2960	5om7cl1.exe	explothe.exe
PID 4948 wrote to memory of 3904	4948	explothe.exe	schtasks.exe
PID 4948 wrote to memory of 3904	4948	explothe.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cbef3cc73a8de12023058afc339c27a0_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH0Wf61.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH0Wf61.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sU8ei24.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sU8ei24.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yV4mI14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yV4mI14.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pV03FS7.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pV03FS7.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yl7260.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yl7260.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 196
7⤵
- Program crash
PID:2724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yT10Yr.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yT10Yr.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc317zE.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc317zE.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5om7cl1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5om7cl1.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
4⤵
- Creates scheduled task(s)
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2324

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
5⤵
PID:4176

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
5⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2552

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:5056

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4396 -ip 4396
1⤵
PID:4840

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4852 -i 4852 -h 480 -j 440 -s 416 -d 4564
1⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4064

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5om7cl1.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5om7cl1.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH0Wf61.exe
Filesize
1.0MB

MD5
376eec38383015da74aff6657cda4eae

SHA1
b759de3d1906bd285fef84f14b7693b6ff7e26f3

SHA256
49ad4a68593f8641cbe0f7ce700fee89d3d87c365159f6cc0f87e21913d4ed46

SHA512
195f38b9e1d2586afb5278c79a7ff18977a382ce7434719f1b13d886d520ca623266b34aabec607ce057c4bb9ea98f8377a66a8b09a46145c4efdc8aeca31cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mH0Wf61.exe
Filesize
1.0MB

MD5
376eec38383015da74aff6657cda4eae

SHA1
b759de3d1906bd285fef84f14b7693b6ff7e26f3

SHA256
49ad4a68593f8641cbe0f7ce700fee89d3d87c365159f6cc0f87e21913d4ed46

SHA512
195f38b9e1d2586afb5278c79a7ff18977a382ce7434719f1b13d886d520ca623266b34aabec607ce057c4bb9ea98f8377a66a8b09a46145c4efdc8aeca31cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc317zE.exe
Filesize
1.1MB

MD5
abd703eb285b2ca627851ab4cb8c3235

SHA1
911d5866a90859c49e6d81c525c9914c846f32f1

SHA256
8a9f8219a01a8c3dd4b2e17a5ca9f9224bbe56ab6deccd23dfc096e0e59ced22

SHA512
37a6dd6144fda61e124c179212697199d04ca166438e760b3f0895e46653faab13e9bc3c34ee4d9051f99af08aa572e275e43642c6f24e88e77f90dbb03b271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qc317zE.exe
Filesize
1.1MB

MD5
abd703eb285b2ca627851ab4cb8c3235

SHA1
911d5866a90859c49e6d81c525c9914c846f32f1

SHA256
8a9f8219a01a8c3dd4b2e17a5ca9f9224bbe56ab6deccd23dfc096e0e59ced22

SHA512
37a6dd6144fda61e124c179212697199d04ca166438e760b3f0895e46653faab13e9bc3c34ee4d9051f99af08aa572e275e43642c6f24e88e77f90dbb03b271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sU8ei24.exe
Filesize
651KB

MD5
be6596931bccb2a804c03b7f91d4081e

SHA1
a2f7a9a8f696bdbc3b916029e72660a795a1ea0d

SHA256
47ffff275d99d8f0e54bfd1d1e35a2fbeb2a8ee9e25884eedccc0e11424d178f

SHA512
0da1341ced9c474e717da7c31accb358079238132c40795e81dfd6231d20960f983101e27ccaeca6d495c8b60ccedd4f9c813862dd4a37f7d493492b45e7b297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sU8ei24.exe
Filesize
651KB

MD5
be6596931bccb2a804c03b7f91d4081e

SHA1
a2f7a9a8f696bdbc3b916029e72660a795a1ea0d

SHA256
47ffff275d99d8f0e54bfd1d1e35a2fbeb2a8ee9e25884eedccc0e11424d178f

SHA512
0da1341ced9c474e717da7c31accb358079238132c40795e81dfd6231d20960f983101e27ccaeca6d495c8b60ccedd4f9c813862dd4a37f7d493492b45e7b297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yT10Yr.exe
Filesize
31KB

MD5
9687cb362e740c9e01a8de944dc075ff

SHA1
bb2b1b9428ea80afa9a1a118938fa18fae0b7248

SHA256
99c23fb98d8f4d12381c672c1b56b387a4e36a3d993fd7667b04a35c268902c5

SHA512
e4e638c7cacffd32922b2bf0e270db1fd43c234c7e454d7f045eeef6f7ca0451a4f1dfeed0c62db9492efa563cfeceda39c64f54173bb720c31f21b19f4c6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3yT10Yr.exe
Filesize
31KB

MD5
9687cb362e740c9e01a8de944dc075ff

SHA1
bb2b1b9428ea80afa9a1a118938fa18fae0b7248

SHA256
99c23fb98d8f4d12381c672c1b56b387a4e36a3d993fd7667b04a35c268902c5

SHA512
e4e638c7cacffd32922b2bf0e270db1fd43c234c7e454d7f045eeef6f7ca0451a4f1dfeed0c62db9492efa563cfeceda39c64f54173bb720c31f21b19f4c6643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yV4mI14.exe
Filesize
527KB

MD5
0e44073d5e3a4c9ca6feb9c27060deca

SHA1
afe21f6616a9d47d3f3da37632e08a3521c206a1

SHA256
57a7d59df33f3a7db9b498ef983b453af158d88b3881856e53ae43f1de2a8202

SHA512
85356fd65ed0855391432ab0d6a7670de5bda90c7a09c95c0fe14bf356e8e18da780f4bcf0908a1c9658610f574354951203358f7259ccee1a82f373f931d15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\yV4mI14.exe
Filesize
527KB

MD5
0e44073d5e3a4c9ca6feb9c27060deca

SHA1
afe21f6616a9d47d3f3da37632e08a3521c206a1

SHA256
57a7d59df33f3a7db9b498ef983b453af158d88b3881856e53ae43f1de2a8202

SHA512
85356fd65ed0855391432ab0d6a7670de5bda90c7a09c95c0fe14bf356e8e18da780f4bcf0908a1c9658610f574354951203358f7259ccee1a82f373f931d15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pV03FS7.exe
Filesize
869KB

MD5
626d5e720379985e4660516dd7427680

SHA1
9b771db384a32c14e83049183b50b9897b97384e

SHA256
9bae8823f108227ba596ffaf5944f28329b27b1012f792853871fca75c190286

SHA512
87d92a2fe3565950704ac5c3a52f57fbce9efdcdbf8f48fa15344cc25e93d096522726964326e2dbdac5974f6294d426b4a812ae5cdc1a08513166b10e6d971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1pV03FS7.exe
Filesize
869KB

MD5
626d5e720379985e4660516dd7427680

SHA1
9b771db384a32c14e83049183b50b9897b97384e

SHA256
9bae8823f108227ba596ffaf5944f28329b27b1012f792853871fca75c190286

SHA512
87d92a2fe3565950704ac5c3a52f57fbce9efdcdbf8f48fa15344cc25e93d096522726964326e2dbdac5974f6294d426b4a812ae5cdc1a08513166b10e6d971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yl7260.exe
Filesize
1.0MB

MD5
cdbd1f6dca89227a76c535699b92f395

SHA1
186ec445a070405d7c1de4d070c290a12b23c074

SHA256
100bc1635b90078d42854a55432ee8e70ce85189449e3735af19ea0221e1d886

SHA512
92d4a4dd734e53657c9659b67b01e4f6bd2714a709fec422e67673b2dddf7285485d5314084853275d9e77379ffd2473dc935730b301ceeacaf1ed83445859a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yl7260.exe
Filesize
1.0MB

MD5
cdbd1f6dca89227a76c535699b92f395

SHA1
186ec445a070405d7c1de4d070c290a12b23c074

SHA256
100bc1635b90078d42854a55432ee8e70ce85189449e3735af19ea0221e1d886

SHA512
92d4a4dd734e53657c9659b67b01e4f6bd2714a709fec422e67673b2dddf7285485d5314084853275d9e77379ffd2473dc935730b301ceeacaf1ed83445859a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
dee4b426cb9c6e39e59fb9306b86761f

SHA1
48a20ecd3e575f5b5292dd14be2bd514f8af6b73

SHA256
da443561e5facc3d12a2e543b3de6987542cf79f9f1a4c49d6b6d2d20d79a86f

SHA512
fc92426fa08154bd0741ff8743b83c6b8a77bbfd10d34b36df51a6698ff688a669608d09d6593eedc91c1fc59d45856edb4939b71d6ba80898637a0485a7ff01

Download Submit
memory/836-69-0x0000000007B80000-0x0000000007C8A000-memory.dmp

Filesize
1.0MB

Download
memory/836-70-0x0000000007900000-0x0000000007912000-memory.dmp

Filesize
72KB

Download
memory/836-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/836-50-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/836-76-0x0000000007970000-0x0000000007980000-memory.dmp

Filesize
64KB

Download
memory/836-75-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/836-74-0x0000000007AB0000-0x0000000007AFC000-memory.dmp

Filesize
304KB

Download
memory/836-56-0x0000000007D00000-0x00000000082A4000-memory.dmp

Filesize
5.6MB

Download
memory/836-57-0x00000000077F0000-0x0000000007882000-memory.dmp

Filesize
584KB

Download
memory/836-72-0x0000000007A70000-0x0000000007AAC000-memory.dmp

Filesize
240KB

Download
memory/836-60-0x0000000007970000-0x0000000007980000-memory.dmp

Filesize
64KB

Download
memory/836-64-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/836-68-0x00000000088D0000-0x0000000008EE8000-memory.dmp

Filesize
6.1MB

Download
memory/1980-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1980-58-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-73-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1980-32-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-42-0x0000000002D60000-0x0000000002D76000-memory.dmp

Filesize
88KB

Download
memory/4152-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4152-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4396-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download