amadey | c9691c9eba788ff4641cd85a1ede2f1689401ec99065cb81e99428635ad44988

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
Size

395KB
MD5

85ced175fc50113e11a118e44f83f57a
SHA1

0623207b6b2f59278569b1f431f9cbb97a56baf4
SHA256

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168
SHA512

6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c
SSDEEP

6144:DLiidECmWHgYTzjJZR2RPKlnQ1CC9QDE2D/4t1VDsVcXgQY:DWiTBHgYTzjw5KKJg1avsGwQ

Score

10^/10

amadey trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

flow pid process

72 4800 rundll32.exe
74 4800 rundll32.exe
81 3392 rundll32.exe
82 3392 rundll32.exe
84 1844 rundll32.exe
85 1844 rundll32.exe
Downloads MZ/PE file

flow	pid	process
72	4800	rundll32.exe
74	4800	rundll32.exe
81	3392	rundll32.exe
82	3392	rundll32.exe
84	1844	rundll32.exe
85	1844	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 3 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exe

pid process

4476 Utsysc.exe
8 Utsysc.exe
2004 Utsysc.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4800 rundll32.exe
3392 rundll32.exe
1844 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4476	Utsysc.exe
8	Utsysc.exe
2004	Utsysc.exe

pid	process
4800	rundll32.exe
3392	rundll32.exe
1844	rundll32.exe

Program crash 34 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3024	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
3516	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
524	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
3100	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
1200	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
2888	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
3052	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
3920	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
2388	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
1416	4972	WerFault.exe	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
1232	4476	WerFault.exe	Utsysc.exe
1044	4476	WerFault.exe	Utsysc.exe
4756	4476	WerFault.exe	Utsysc.exe
2256	4476	WerFault.exe	Utsysc.exe
4800	4476	WerFault.exe	Utsysc.exe
440	4476	WerFault.exe	Utsysc.exe
488	4476	WerFault.exe	Utsysc.exe
5016	4476	WerFault.exe	Utsysc.exe
2020	4476	WerFault.exe	Utsysc.exe
2884	4476	WerFault.exe	Utsysc.exe
3892	4476	WerFault.exe	Utsysc.exe
4640	4476	WerFault.exe	Utsysc.exe
1560	4476	WerFault.exe	Utsysc.exe
4792	4476	WerFault.exe	Utsysc.exe
2908	4476	WerFault.exe	Utsysc.exe
4064	4476	WerFault.exe	Utsysc.exe
1744	4476	WerFault.exe	Utsysc.exe
1524	4476	WerFault.exe	Utsysc.exe
400	4476	WerFault.exe	Utsysc.exe
3048	8	WerFault.exe	Utsysc.exe
3772	4476	WerFault.exe	Utsysc.exe
1988	4476	WerFault.exe	Utsysc.exe
3456	2004	WerFault.exe	Utsysc.exe
2908	4476	WerFault.exe	Utsysc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3756 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

pid process

4972 ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

pid	process
3756	schtasks.exe

pid	process
4972	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exeUtsysc.exe

description	pid	process	target process
PID 4972 wrote to memory of 4476	4972	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe	Utsysc.exe
PID 4972 wrote to memory of 4476	4972	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe	Utsysc.exe
PID 4972 wrote to memory of 4476	4972	ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe	Utsysc.exe
PID 4476 wrote to memory of 3756	4476	Utsysc.exe	schtasks.exe
PID 4476 wrote to memory of 3756	4476	Utsysc.exe	schtasks.exe
PID 4476 wrote to memory of 3756	4476	Utsysc.exe	schtasks.exe
PID 4476 wrote to memory of 4016	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 4016	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 4016	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 452	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 452	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 452	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 4800	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 4800	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 4800	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 3392	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 3392	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 3392	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 1844	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 1844	4476	Utsysc.exe	rundll32.exe
PID 4476 wrote to memory of 1844	4476	Utsysc.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe
"C:\Users\Admin\AppData\Local\Temp\ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 568
2⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 668
2⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 736
2⤵
- Program crash
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 852
2⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 828
2⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 828
2⤵
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1100
2⤵
- Program crash
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1116
2⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1216
2⤵
- Program crash
PID:2388

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 612
3⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 800
3⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 800
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 812
3⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1008
3⤵
- Program crash
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1008
3⤵
- Program crash
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 996
3⤵
- Program crash
PID:488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe" /F
3⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 800
3⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 612
3⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 800
3⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1288
3⤵
- Program crash
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1272
3⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1280
3⤵
- Program crash
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1296
3⤵
- Program crash
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 788
3⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1404
3⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1436
3⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1640
3⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1052
3⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1720
3⤵
- Program crash
PID:3772

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:4016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
3⤵
PID:452

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4800

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3392

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1292
3⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1728
3⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1476
2⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 4972
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4972 -ip 4972
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 4972
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4972 -ip 4972
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4972 -ip 4972
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 4972
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4972 -ip 4972
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4972 -ip 4972
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4972 -ip 4972
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4972 -ip 4972
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 4476
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4476 -ip 4476
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4476 -ip 4476
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4476 -ip 4476
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4476 -ip 4476
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4476 -ip 4476
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4476 -ip 4476
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4476 -ip 4476
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4476 -ip 4476
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4476 -ip 4476
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4476 -ip 4476
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4476 -ip 4476
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4476 -ip 4476
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4476 -ip 4476
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4476 -ip 4476
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4476 -ip 4476
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4476 -ip 4476
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 432
2⤵
- Program crash
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 8 -ip 8
1⤵
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4476 -ip 4476
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4476 -ip 4476
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 440
2⤵
- Program crash
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2004 -ip 2004
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\873812795143

Filesize
73KB

MD5
86e2bebc28deea67b604d071124db0fb

SHA1
70d8af85c2526b7bb339e4b9dc3b67486cf87dfb

SHA256
e412bf28e223dbadc064d082a5121533b90fb32b81211a6f7eb7529b0068e51a

SHA512
61d3604bd033965fed66a858449f88621899616ff5f4c1b9b22f653bd820af4d2914c3be863ee7ebfd6c9a23826984d84dc476ecd70e0725062b239797e70b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe

Filesize
395KB

MD5
85ced175fc50113e11a118e44f83f57a

SHA1
0623207b6b2f59278569b1f431f9cbb97a56baf4

SHA256
ac5191f13cd12090eee4819aa75fe5795df43a9e3101753666734ab2ad5da168

SHA512
6955fe346a90e91c24eb867525e3786d1fb7b4b609b837863d376fe00f62707cf2242a6c530380a9638d2e8c9b0e90cbbb126a7d2698d01583ed6a5e0030222c

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll

Filesize
102KB

MD5
4194e9b8b694b1e9b672c36f0d868e32

SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb

SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125

SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

Filesize
66KB

MD5
9b0507b53287ffe4c3af7ea8413b3998

SHA1
a042a1973f9714866e8156a8f714926c2bb02b3f

SHA256
70746fa232ede6a0818ad60d2552f22b5cce9b06181c6bfa1808fe5a1c313db1

SHA512
a46f2e4380c13b4f48f3e8e60522f6e707a0c198e53fa37ae478f2323017e1106e77f1542db3c01c9d534c59c5ec0cd4f604886fb8d04bab77b06bc13464f521

Download Submit
memory/8-41-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/8-42-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2004-76-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2004-75-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/4476-18-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-70-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-19-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-54-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-55-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-37-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4476-17-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/4476-36-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-68-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-72-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4476-35-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4972-3-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4972-14-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4972-2-0x0000000002260000-0x00000000022CC000-memory.dmp

Filesize
432KB

Download
memory/4972-1-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/4972-15-0x0000000002260000-0x00000000022CC000-memory.dmp

Filesize
432KB

Download