amadey | 75e952d2ed9a980f772f46fc31b842fa56cc5f3174da16f6850bb33238342bd9

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe
Size

1.6MB
MD5

4134fbef26ed612d274c2beeb721b0b6
SHA1

4b7add665f3246c6107d65692a9f6145a1aa579f
SHA256

601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58
SHA512

a33d0f9c32ed55a708a28b891d7a5761b17257afbbeecd3cd5702c6ec6ba920d56e9414da282bfda8f7ea20fde0cdb38fe9083167f96da48877bce5c4ec1d668
SSDEEP

49152:IMkxML0hUMN3069F5Ienkh8kFOx7P+JskQaCeUvej:7bUU0NIekh8kF8IQZ

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2660-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2660-48-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2660-49-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/2660-51-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/files/0x0007000000023363-83.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5056-62-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	5BA4nx5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	7li0xO95.exe

Executes dropped EXE 15 IoCs

pid	Process
4540	iv0Dv81.exe
3040	Qp5Ej06.exe
5052	KP3hS40.exe
4852	KN8vi25.exe
4396	Sl7Ut74.exe
4700	1NV38aX9.exe
1844	2gz5927.exe
1492	3PP91BW.exe
1064	4LZ284Qh.exe
1416	5BA4nx5.exe
2740	explothe.exe
1708	6YY0bV9.exe
684	7li0xO95.exe
4932	explothe.exe
4148	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	Sl7Ut74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iv0Dv81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Qp5Ej06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	KP3hS40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	KN8vi25.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 4376	4700	1NV38aX9.exe	104
PID 1844 set thread context of 2660	1844	2gz5927.exe	110
PID 1064 set thread context of 5056	1064	4LZ284Qh.exe	124

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3296	2660	WerFault.exe	110

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3PP91BW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3PP91BW.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3PP91BW.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2824	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-817259280-2658881748-983986378-1000\{1585BB76-CC90-4FD9-899B-C9FB3C492D8F}	msedge.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4376	AppLaunch.exe
4376	AppLaunch.exe
4376	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 4540	2388	601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe	97
PID 2388 wrote to memory of 4540	2388	601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe	97
PID 2388 wrote to memory of 4540	2388	601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe	97
PID 4540 wrote to memory of 3040	4540	iv0Dv81.exe	98
PID 4540 wrote to memory of 3040	4540	iv0Dv81.exe	98
PID 4540 wrote to memory of 3040	4540	iv0Dv81.exe	98
PID 3040 wrote to memory of 5052	3040	Qp5Ej06.exe	99
PID 3040 wrote to memory of 5052	3040	Qp5Ej06.exe	99
PID 3040 wrote to memory of 5052	3040	Qp5Ej06.exe	99
PID 5052 wrote to memory of 4852	5052	KP3hS40.exe	100
PID 5052 wrote to memory of 4852	5052	KP3hS40.exe	100
PID 5052 wrote to memory of 4852	5052	KP3hS40.exe	100
PID 4852 wrote to memory of 4396	4852	KN8vi25.exe	101
PID 4852 wrote to memory of 4396	4852	KN8vi25.exe	101
PID 4852 wrote to memory of 4396	4852	KN8vi25.exe	101
PID 4396 wrote to memory of 4700	4396	Sl7Ut74.exe	102
PID 4396 wrote to memory of 4700	4396	Sl7Ut74.exe	102
PID 4396 wrote to memory of 4700	4396	Sl7Ut74.exe	102
PID 4700 wrote to memory of 2276	4700	1NV38aX9.exe	103
PID 4700 wrote to memory of 2276	4700	1NV38aX9.exe	103
PID 4700 wrote to memory of 2276	4700	1NV38aX9.exe	103
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4700 wrote to memory of 4376	4700	1NV38aX9.exe	104
PID 4396 wrote to memory of 1844	4396	Sl7Ut74.exe	105
PID 4396 wrote to memory of 1844	4396	Sl7Ut74.exe	105
PID 4396 wrote to memory of 1844	4396	Sl7Ut74.exe	105
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 1844 wrote to memory of 2660	1844	2gz5927.exe	110
PID 4852 wrote to memory of 1492	4852	KN8vi25.exe	112
PID 4852 wrote to memory of 1492	4852	KN8vi25.exe	112
PID 4852 wrote to memory of 1492	4852	KN8vi25.exe	112
PID 5052 wrote to memory of 1064	5052	KP3hS40.exe	119
PID 5052 wrote to memory of 1064	5052	KP3hS40.exe	119
PID 5052 wrote to memory of 1064	5052	KP3hS40.exe	119
PID 1064 wrote to memory of 2124	1064	4LZ284Qh.exe	122
PID 1064 wrote to memory of 2124	1064	4LZ284Qh.exe	122
PID 1064 wrote to memory of 2124	1064	4LZ284Qh.exe	122
PID 1064 wrote to memory of 4068	1064	4LZ284Qh.exe	123
PID 1064 wrote to memory of 4068	1064	4LZ284Qh.exe	123
PID 1064 wrote to memory of 4068	1064	4LZ284Qh.exe	123
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 1064 wrote to memory of 5056	1064	4LZ284Qh.exe	124
PID 3040 wrote to memory of 1416	3040	Qp5Ej06.exe	125
PID 3040 wrote to memory of 1416	3040	Qp5Ej06.exe	125

C:\Users\Admin\AppData\Local\Temp\601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe
"C:\Users\Admin\AppData\Local\Temp\601ea83a4a3b3ba5037c8185d1b8f521091a9bcc2a1676c6e047518405c91d58.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv0Dv81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv0Dv81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qp5Ej06.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qp5Ej06.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KP3hS40.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KP3hS40.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN8vi25.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN8vi25.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sl7Ut74.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sl7Ut74.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1NV38aX9.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1NV38aX9.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2gz5927.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2gz5927.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 540
        9⤵
        Program crash
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PP91BW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PP91BW.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LZ284Qh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LZ284Qh.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2124
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4068
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BA4nx5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BA4nx5.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1416
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2740
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6YY0bV9.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6YY0bV9.exe
    3⤵
    - Executes dropped EXE
    PID:1708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:684
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2016.tmp\2017.tmp\2018.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe"
    3⤵
    PID:4724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:1064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2660 -ip 2660
1⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4016 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:1
1⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4584 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:1
1⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5728 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:1
1⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5772 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:1
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4832 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5488 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6244 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6464 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:1
1⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6400 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6440 --field-trial-handle=2288,i,11069632825633797559,14829202121434726371,262144 --variations-seed-version /prefetch:8
1⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\2016.tmp\2017.tmp\2018.bat

Filesize
632B

MD5
401dcacea4acfc09e8774cd0fcf16129

SHA1
ae03b7999297b5383785eddc4f6194fd4c80e149

SHA256
1d5c24e97e32d5e4aefe29c6a84df664e67a2db5da7a6d138e5084a60a7bb0e6

SHA512
7c423d05b9ea04a06614037c9e28f3da27fbb95daefd14450cabb35a6abf546b1a6585c1bcd07a66a3d02f967fa1774c9cb09b5520a53b2f90e0ed1cedae3dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7li0xO95.exe

Filesize
87KB

MD5
24c23ac8125978ded1ddf98693e50724

SHA1
57021ee42416af192ea530f25e011a8b6c8fbf8d

SHA256
870666925ff3f6d365a3fa6f7bc26e2652cf0ec22b99d9fb77be2eb1d391d69a

SHA512
a6f48bda8f10d8d23fb9c533d5c7b4c04e2c81b67bef56366a36574d618baa755db6c566553ef963c3db75ce1997bed3e97f93fec565a14706a00523282da5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv0Dv81.exe

Filesize
1.4MB

MD5
73fe2077f5f6956000a2d586c5986179

SHA1
610eddd2970d08d039faeefc3683dc1e6b0db116

SHA256
53373e9a9202cc2967ceb083eb956bf9e903e25a7b0ce9365bd2f2525e187f9e

SHA512
42af9c76dd085443fc81dfb4598c390317588d327a51d065c82d8609741be39419f5ed35daa8737f969e86a332122152beb3b9d21d2a62b608f215a8281c15db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6YY0bV9.exe

Filesize
182KB

MD5
a387a3ac649ddf3a348610a83a5a2d5b

SHA1
40c918c05a4f4ad5e596d96869295a25cb1f27b9

SHA256
8423dea4a303c90140a2f43f19944e4365b76d3bba8b75b4787644c0618ac253

SHA512
60f0864ed3b599e281f3af3d2ae4c7adf902c1fd4326e71ff5306764bfa69742595166f999bf0f4441037df9198402d84d902f1f15635d4f83a16e93a283e75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Qp5Ej06.exe

Filesize
1.2MB

MD5
d26c210d5c1005271bbb1dbaee7cc54a

SHA1
29cc2288946081fe8458e6fb9393b3f3e6447c4a

SHA256
71b6faa2c801edd8c8358414830450c3cf7bd8b6d36b4a499af4de4172f8eff7

SHA512
389777a5d202d862d56c4d0d99b734184dc10e7ff73c5e49d8a12efa950a1145149c409b51d6bd2e6edd26eadcd73a9114287ae0723b0839f22f219c56b9f79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5BA4nx5.exe

Filesize
219KB

MD5
99f3e21239bcf421e662e12a289eb5af

SHA1
30d13b9f6bdd5f376eedf8cd38bf7cc0b56932d7

SHA256
68d401bf10be8823a7c53ccf59edfa4a889bd923927af7da38f7547405ef1307

SHA512
1e923d2036506f8410eb37c7f738a1281aca66ee75fe39778cadb8ed2b574cdeb307647b6a3c78e4fa1e783b604928cd58ece08567f80f5424102d341a556a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\KP3hS40.exe

Filesize
1.0MB

MD5
030f3059f53c613ef4fdf8d82a5f1114

SHA1
7f1e148e8562ae86e7fd25962f2eef783896769c

SHA256
c4c2ce08cedaf808fe284d1b1f0e30a551c764b09853faf191819cacfcc3f72d

SHA512
e832876c58f0e638fc14412b7671a15ab37f4a3e57176a96fcb3dd52cc0bc7c06312760730616be7ee76d9827b8175819b21446e0915b737b36c72e369904128

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LZ284Qh.exe

Filesize
1.1MB

MD5
b59aab324b59b18d6c8173e2f49619d0

SHA1
3f7eab30ef9c2a7267dc687ab25e5397fec44cc9

SHA256
7c73fbe200ee480ebfc38ad51942d7e45dc103801d89d8fe47a875a350f652d1

SHA512
8dbb335198482725fd26a437ee81734a4f2036c8fb8fcd173b8c383dd27c9894bc474a9c13584fc537a8a28a7087b572ad18eeab914dfeb58306ab4265b925de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\KN8vi25.exe

Filesize
658KB

MD5
01de67d96c525395a9a68ab442a5343c

SHA1
16da88d2b648ccfe9a9bfdcfb4144cd4ade3aced

SHA256
2d350f93eabc1e1eb7c82f85c99f8a198877269822d85e84724f2f97fb2d839e

SHA512
6ac64afca30c6ada31b87f9db316195595abb5fff0e961ebe44ece62e47f0056bb2c93cead0c06059b58da633755fc149225034d618b50e94bfcc69d091a9e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PP91BW.exe

Filesize
30KB

MD5
71dbe6294fda4526a5e1a10bcbac0f32

SHA1
4141508301b5e50e74c9c646e11b222445ae088f

SHA256
697f25439fd56492f8d933d1cff6bb054c0466eb0210c6f7f8bc7a202bec1064

SHA512
7bded99bf1b20c978f0f4c526823b417d9da5b219b6353d43190e7bac8dc11ee14875c7b60ea9a6a8e0e457f35c635a728f298dde160425958106f2781baa1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sl7Ut74.exe

Filesize
534KB

MD5
00b8380f4a5e4057c25ffdcb45400a06

SHA1
10fb5cb7c754bda83eb4e56a9598e39e5fc18a2a

SHA256
8af3f042cbc7b218bdbb946600f86e994f5d0f8610fdd063f3b217eb038214da

SHA512
8c6e545baa6a7ff29fb0c01e519cf2bca6ebc5740b7fe8be403c40d6d432b359e42951be5d777ec521de4e0e4bb8feadfe786ec5407c64e82cc0990bfba207d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1NV38aX9.exe

Filesize
891KB

MD5
dbad52d4392fcc295ac697b83d1dee8b

SHA1
b757958515266a89cd9839e03285c620c101ac79

SHA256
72f2176f67b44f5b256e161ab6e8c8c5ea3dcacf40402e61bcf1e072091231b0

SHA512
56b45b472dd116c497af20f69add541ce01ae8a110b3cf09234ffec5f3b44334b3d9ee5ee4cae511b02c39095bb32cb20a61565c5fd2b3cfeb2e7fe12e02c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2gz5927.exe

Filesize
1.1MB

MD5
b35a48cc9c75fa069ee854f6ab436907

SHA1
a1b71adb9d153d57a9cc011489bfe34daf318c0a

SHA256
747be7f422deb3f77502a8053e48596e1adce44b8d6ec86b271900e6ecd0fcd7

SHA512
3f0064b9a02cf29a1e45e4616d270083cdae79334e98ec7eddccab6fb52fcd4988c00fa57b467b63904bfc4ffef68432aa3aa6c3f1b0804f96dccb84bb3f369e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1492-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1492-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2660-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4376-57-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/4376-46-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/5056-69-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/5056-77-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/5056-72-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/5056-70-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/5056-87-0x0000000008B40000-0x0000000009158000-memory.dmp

Filesize
6.1MB

Download
memory/5056-89-0x0000000007D50000-0x0000000007E5A000-memory.dmp

Filesize
1.0MB

Download
memory/5056-90-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/5056-91-0x0000000007CE0000-0x0000000007D1C000-memory.dmp

Filesize
240KB

Download
memory/5056-92-0x0000000007E60000-0x0000000007EAC000-memory.dmp

Filesize
304KB

Download
memory/5056-71-0x0000000007A60000-0x0000000007AF2000-memory.dmp

Filesize
584KB

Download
memory/5056-95-0x00000000741C0000-0x0000000074970000-memory.dmp

Filesize
7.7MB

Download
memory/5056-96-0x0000000005600000-0x0000000005610000-memory.dmp

Filesize
64KB

Download
memory/5056-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download