amadey | 5840b5b5291c64d0635a1a8c0fc047675c06c778c24cf3b45368fc82b7c76df1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe
Size

1.6MB
MD5

d7ac39bafca00876be0923660c93e691
SHA1

3c9ef605a454e34dd9a9fd62e9b6708264845bd4
SHA256

c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa
SHA512

a975964dfb6185d16cf41ad750d085bfe7073c22b0109c475e0e9df2e16cfca504e5dc1a7eff787a05d1b3f8b0175a93315d3c164629128bf492f13c4916ecba
SSDEEP

49152:CVxCYUkZjoWq8qAE7Gqp+LsIwq5C5SEaJ7:oA1YjV2F7pq5CdaJ7

Score

10^/10

amadey mystic redline smokeloader grome backdoor evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f
url_paths
/theme/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/4936-47-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4936-50-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4936-53-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/memory/4936-55-0x0000000000400000-0x0000000000434000-memory.dmp	mystic_family
behavioral1/files/0x0007000000023303-85.dat	mystic_family

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5108-65-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	5cd3ke9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 16 IoCs

pid	Process
5100	iZ5KL58.exe
1036	Ax5HT65.exe
948	eU0eg95.exe
3564	QT1eA51.exe
2576	GI9Ju35.exe
2720	1Ee74lL7.exe
1016	2eJ5051.exe
1460	3DC11De.exe
3408	4bo585QP.exe
3424	5cd3ke9.exe
716	explothe.exe
1520	6nj8Bd1.exe
3820	7wD3zy47.exe
544	explothe.exe
5012	explothe.exe
4980	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iZ5KL58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ax5HT65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	eU0eg95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	QT1eA51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	GI9Ju35.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 3740	2720	1Ee74lL7.exe	100
PID 1016 set thread context of 4936	1016	2eJ5051.exe	107
PID 3408 set thread context of 5108	3408	4bo585QP.exe	113

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
348	4936	WerFault.exe	107

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DC11De.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DC11De.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3DC11De.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
952	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{A278511C-ABA0-46CB-BC61-117B4163BD68}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	AppLaunch.exe
3740	AppLaunch.exe
3740	AppLaunch.exe
1460	3DC11De.exe
1460	3DC11De.exe
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found
3316	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1460	3DC11De.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	AppLaunch.exe
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found
Token: SeShutdownPrivilege	3316	Process not Found
Token: SeCreatePagefilePrivilege	3316	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3316	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 5100	3896	c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe	92
PID 3896 wrote to memory of 5100	3896	c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe	92
PID 3896 wrote to memory of 5100	3896	c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe	92
PID 5100 wrote to memory of 1036	5100	iZ5KL58.exe	94
PID 5100 wrote to memory of 1036	5100	iZ5KL58.exe	94
PID 5100 wrote to memory of 1036	5100	iZ5KL58.exe	94
PID 1036 wrote to memory of 948	1036	Ax5HT65.exe	95
PID 1036 wrote to memory of 948	1036	Ax5HT65.exe	95
PID 1036 wrote to memory of 948	1036	Ax5HT65.exe	95
PID 948 wrote to memory of 3564	948	eU0eg95.exe	96
PID 948 wrote to memory of 3564	948	eU0eg95.exe	96
PID 948 wrote to memory of 3564	948	eU0eg95.exe	96
PID 3564 wrote to memory of 2576	3564	QT1eA51.exe	98
PID 3564 wrote to memory of 2576	3564	QT1eA51.exe	98
PID 3564 wrote to memory of 2576	3564	QT1eA51.exe	98
PID 2576 wrote to memory of 2720	2576	GI9Ju35.exe	99
PID 2576 wrote to memory of 2720	2576	GI9Ju35.exe	99
PID 2576 wrote to memory of 2720	2576	GI9Ju35.exe	99
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2720 wrote to memory of 3740	2720	1Ee74lL7.exe	100
PID 2576 wrote to memory of 1016	2576	GI9Ju35.exe	101
PID 2576 wrote to memory of 1016	2576	GI9Ju35.exe	101
PID 2576 wrote to memory of 1016	2576	GI9Ju35.exe	101
PID 1016 wrote to memory of 2928	1016	2eJ5051.exe	106
PID 1016 wrote to memory of 2928	1016	2eJ5051.exe	106
PID 1016 wrote to memory of 2928	1016	2eJ5051.exe	106
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 1016 wrote to memory of 4936	1016	2eJ5051.exe	107
PID 3564 wrote to memory of 1460	3564	QT1eA51.exe	108
PID 3564 wrote to memory of 1460	3564	QT1eA51.exe	108
PID 3564 wrote to memory of 1460	3564	QT1eA51.exe	108
PID 948 wrote to memory of 3408	948	eU0eg95.exe	112
PID 948 wrote to memory of 3408	948	eU0eg95.exe	112
PID 948 wrote to memory of 3408	948	eU0eg95.exe	112
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 3408 wrote to memory of 5108	3408	4bo585QP.exe	113
PID 1036 wrote to memory of 3424	1036	Ax5HT65.exe	114
PID 1036 wrote to memory of 3424	1036	Ax5HT65.exe	114
PID 1036 wrote to memory of 3424	1036	Ax5HT65.exe	114
PID 3424 wrote to memory of 716	3424	5cd3ke9.exe	115
PID 3424 wrote to memory of 716	3424	5cd3ke9.exe	115
PID 3424 wrote to memory of 716	3424	5cd3ke9.exe	115
PID 5100 wrote to memory of 1520	5100	iZ5KL58.exe	116
PID 5100 wrote to memory of 1520	5100	iZ5KL58.exe	116

C:\Users\Admin\AppData\Local\Temp\c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe
"C:\Users\Admin\AppData\Local\Temp\c56936ed9bcb76fe8ee2069618cf3b509fe6cf4c73c1fb53723596077ab1f5fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iZ5KL58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iZ5KL58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ax5HT65.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ax5HT65.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eU0eg95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eU0eg95.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QT1eA51.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QT1eA51.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\GI9Ju35.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\GI9Ju35.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ee74lL7.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ee74lL7.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2eJ5051.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2eJ5051.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:2928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 540
        9⤵
        Program crash
        
        PID:348
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3DC11De.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3DC11De.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bo585QP.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bo585QP.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3408
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cd3ke9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cd3ke9.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:716
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nj8Bd1.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nj8Bd1.exe
    3⤵
    - Executes dropped EXE
    PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A596.tmp\A597.tmp\A598.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe"
    3⤵
    PID:2092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:3544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4936 -ip 4936
1⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3876 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4560 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4972 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=1948 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=4736 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:1
1⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5468 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6492 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6668 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6808 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6836 --field-trial-handle=2304,i,7548677271533893574,11048237606705436109,262144 --variations-seed-version /prefetch:8
1⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\A596.tmp\A597.tmp\A598.bat

Filesize
645B

MD5
376a9f688d0224a448db8acbf154f0dc

SHA1
4b36f19dc23654c9333289c37e454fe09ea28ab5

SHA256
7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a

SHA512
a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wD3zy47.exe

Filesize
89KB

MD5
4c63d8b4f91718de2669b1eb9cbc22cd

SHA1
9cc4cecc28662aed6504caa05f722a95eda5a424

SHA256
211163b0fa2acab48cdcb0dccd6c008bf5d81b92718fc90fbf16f0693ebaec11

SHA512
50437fcb42d1d5ae2985cc39fa114e84fbde5e99956c859c475b123fe041958cceaf18bca8fdaf8ac92597380a7e2da1e889b2bc5dc7a18cb9748fbaed5f97be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iZ5KL58.exe

Filesize
1.4MB

MD5
76cd536d472bee848058b455b479e432

SHA1
9c742fa03a057039ed4311ec6f3a50b142458f98

SHA256
ebdb3e356837ed476380ec6645eeb91fc639209c50cc81b668601bac9013a370

SHA512
8feb743d70a9ebf1884f450994788a3159ccd2d3ae37c8205ed4f60f571b569203aaef0bb1bf5c7dd008fb9823ff105327c8b064a8763179b696b1ef759eabe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nj8Bd1.exe

Filesize
182KB

MD5
47fb2a8040b1de651ead55ae87690449

SHA1
90bbf82526aa1f7d87f444296003cb1b37860b8f

SHA256
b09d4c825e850c2c5d6f9a900f5ad5f035e3102ac5e713dcc3ce6a3ec6661376

SHA512
0c29613442c972032284d007d3ff4276ecc433d23a34d0e6cbfac71ea2f0f07dcce1a2aa8e1512bbe2c31bbfd37d3b31688c3a0c28106d2679bb6d5c1c781353

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ax5HT65.exe

Filesize
1.2MB

MD5
47c13b767e6ca5c30e47bc6a97ac15d0

SHA1
4cb620ba23fc9f2bcf123814d3cd644bd3880d4b

SHA256
e8a4afa2dd0d1625e8a5b9e6ce8cd78770661923cca06c7dabc9df5bb9ef882b

SHA512
e220759f31c84e478b2a45cfd95a427becd755a9bbd641988576257656616fc4a84012575985ef353fc1d73c5f76ebecb69496c5ba76af95a5607f4f6e3317c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5cd3ke9.exe

Filesize
219KB

MD5
0d51ca6c86f1be63b52fab49f4f3d04e

SHA1
860e11ebd1da88bb20ff835b4c26e1707d9a853e

SHA256
da3382a454e110c3bdcab8d18825ca8e84135d4b06fead5e8035649aa0db28c4

SHA512
5a9ab6e0f7510ce45de48c533c51457068e8496ff1ee3bd4f397150399a105006a6ec4cd8a7e1b58b4ec3db39f3038c0dcf5e6aae1e8be5a8e8e950d8b6a1ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eU0eg95.exe

Filesize
1.1MB

MD5
7c841f04d0db30fca527e6241f2f55f6

SHA1
d013030f21af549de8e9893551d36c94e5b0ba17

SHA256
1c5ecdf1fc0af89882117af3e7bafe72a1565723ef6702277938e56b4bfd6c93

SHA512
21cbc717ab24e7491bcade7e49c2208c2dc6b854ff9cfa51e17a9919107f953a37b7f23f9a8deb6a9740d07d20c8db047601f3db357014326757828a7e54de2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4bo585QP.exe

Filesize
1.1MB

MD5
1f531de869b40ec6f169c33476e27746

SHA1
aea5afac149cefd8e6ebdd4164c4e91ab5d3fd8b

SHA256
42ae85b4dc788dd33b90608aa722a53d5e6714af8b768b7047cc7bf925d10d96

SHA512
0bbcfc55db6e9db12f0df5cce666076a8e680cfbe633f4882da911b586a444a31da59f2b3da8585728fe61fc9c1370f08fe82ab1254587aa7695f26400757ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\QT1eA51.exe

Filesize
656KB

MD5
f3e7de2a57075e4ddc74136c69a1de74

SHA1
7fef0487c75a3f4b0588b69ec984d2a7b7b441d5

SHA256
732d5795b19ba2a75a1430d4a69be6a11367bd8ec633643af1cb97f6c5983c65

SHA512
4bca4bf5ae5a35235c05b4bd87909e95b9d3fd9678ad9f933984a68033495eb269b85499c8270fb4e3856bb943752c9e7c65753f057e361e3dea48d591c98cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3DC11De.exe

Filesize
30KB

MD5
a150cb7612547ffa842cfa3cb818815d

SHA1
ca27d884715f5085fdbedf7b6b2e8c9b2570234a

SHA256
4538e03c71f2ce91bb716d756cceb3a281279dbb788ec79983061f57a3bc3108

SHA512
883aa4ad973e5078834d4b417d547f871521dbd7bef29d1bea2d5eb53a02676087b7738e67d8617c634b43c3c4e423dd202c589a39781210da69fccb490316f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\GI9Ju35.exe

Filesize
532KB

MD5
abc5894b2b927c28707bf4e1a53b3380

SHA1
7481ae78cc53022cc196ca1633777d33934a5816

SHA256
b3f8df1c32b147d3cbb51aad55974ff54467eceda45adf03cf1083702ec6fd87

SHA512
2f8e77ac03670ee3a7a09e13b6f0dda9523e24d4ab643a324694e69ff115fad6d03905ca71182e248f396bdd411cfa45dccdfeed85da76829ef123079cad37a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ee74lL7.exe

Filesize
891KB

MD5
1299e1843120126ed0b7f61f3c7d3281

SHA1
46f29ca7b1d6273a8ec8eb591106db30b0c4803a

SHA256
0c9423ff86ef39dbf0115e766256c97d5386d5d86ffda0faa599dc12a47b9b10

SHA512
e3b1050d11978148cc5f677eb8b04f1d0eea3fb0ee4a2c59fb0b88d9389b7ba12f2ac10becf25b5287bc4ad2572bced0ba4f19acf032f3fa493d2476102bdf79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2eJ5051.exe

Filesize
1.1MB

MD5
8ee06103508841d589beebb3170fe1f1

SHA1
5779caa74ca1824fa1faf171a24a4905c2b8c43e

SHA256
8b8ef90fc3e3331f756cd68a285540d0e21e10617998e2bf0d513635dd71cc9b

SHA512
fa95f22ae95a1b7b679db8e960a00e3e8bff03f0ed3de6acb862ce85f43ddb8f2bcac9e6148944761664f69fe12a8515cd0a2fa2f08be7d7ec0c91672b5add40

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1460-52-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1460-58-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3316-56-0x0000000002D40000-0x0000000002D56000-memory.dmp

Filesize
88KB

Download
memory/3740-64-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3740-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3740-46-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4936-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4936-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5108-73-0x00000000080D0000-0x0000000008674000-memory.dmp

Filesize
5.6MB

Download
memory/5108-83-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/5108-79-0x0000000007E60000-0x0000000007E70000-memory.dmp

Filesize
64KB

Download
memory/5108-74-0x0000000007C00000-0x0000000007C92000-memory.dmp

Filesize
584KB

Download
memory/5108-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-92-0x0000000008CA0000-0x00000000092B8000-memory.dmp

Filesize
6.1MB

Download
memory/5108-93-0x0000000007F80000-0x000000000808A000-memory.dmp

Filesize
1.0MB

Download
memory/5108-94-0x0000000007E70000-0x0000000007E82000-memory.dmp

Filesize
72KB

Download
memory/5108-95-0x0000000007ED0000-0x0000000007F0C000-memory.dmp

Filesize
240KB

Download
memory/5108-96-0x0000000007F10000-0x0000000007F5C000-memory.dmp

Filesize
304KB

Download
memory/5108-99-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/5108-100-0x0000000007E60000-0x0000000007E70000-memory.dmp

Filesize
64KB

Download
memory/5108-72-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download