amadey | c35b2a353f3f737fd5d522bda8150c7fe11a4c4773ad1702d174b480462784c6

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe
Size

1.3MB
MD5

444fbed769b5f41a0e756e79b9d1e658
SHA1

9aabf704f69cbbcc81b71999f7f9749c86a0d190
SHA256

6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645
SHA512

8d27c05a1cff2bc98ddec672ae9fab1287f964277a112e2b6fe1087d8ac464c0e736115acadd27c1a6a783f38cef650d7bd63ec03d5dd85d3ce256bef1a5ee08
SSDEEP

24576:ayaZk2ZUXVtE9VdwtoHP98FVHc/44mPoIeGTJu42BsoSG4:haZkJ6atyP+Fhr0YuptS

Score

10^/10

amadey healer mystic redline daf753 fb0fb8 trush dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral9/memory/4988-40-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral9/memory/4988-43-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral9/memory/4988-41-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral9/files/0x000800000002343e-34.dat	healer
behavioral9/memory/3092-35-0x0000000000080000-0x000000000008A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4232514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4232514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4232514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4232514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4232514.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4232514.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral9/memory/2068-47-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	t1075823.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	u9141115.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 16 IoCs

pid	Process
3596	z1944238.exe
1236	z1676919.exe
2388	z9714253.exe
668	z1504166.exe
3092	q4232514.exe
872	r9236648.exe
3544	s1965067.exe
2168	t1075823.exe
3504	explonde.exe
548	u9141115.exe
4628	legota.exe
3692	w2776372.exe
3132	legota.exe
4604	explonde.exe
5068	legota.exe
4440	explonde.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4232514.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1944238.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1676919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9714253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1504166.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 872 set thread context of 4988	872	r9236648.exe	103
PID 3544 set thread context of 2068	3544	s1965067.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1420	872	WerFault.exe	99
3476	3544	WerFault.exe	107

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3612	schtasks.exe
3736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3092	q4232514.exe
3092	q4232514.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	q4232514.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3596	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	82
PID 4044 wrote to memory of 3596	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	82
PID 4044 wrote to memory of 3596	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	82
PID 3596 wrote to memory of 1236	3596	z1944238.exe	83
PID 3596 wrote to memory of 1236	3596	z1944238.exe	83
PID 3596 wrote to memory of 1236	3596	z1944238.exe	83
PID 1236 wrote to memory of 2388	1236	z1676919.exe	84
PID 1236 wrote to memory of 2388	1236	z1676919.exe	84
PID 1236 wrote to memory of 2388	1236	z1676919.exe	84
PID 2388 wrote to memory of 668	2388	z9714253.exe	86
PID 2388 wrote to memory of 668	2388	z9714253.exe	86
PID 2388 wrote to memory of 668	2388	z9714253.exe	86
PID 668 wrote to memory of 3092	668	z1504166.exe	88
PID 668 wrote to memory of 3092	668	z1504166.exe	88
PID 668 wrote to memory of 872	668	z1504166.exe	99
PID 668 wrote to memory of 872	668	z1504166.exe	99
PID 668 wrote to memory of 872	668	z1504166.exe	99
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 872 wrote to memory of 4988	872	r9236648.exe	103
PID 2388 wrote to memory of 3544	2388	z9714253.exe	107
PID 2388 wrote to memory of 3544	2388	z9714253.exe	107
PID 2388 wrote to memory of 3544	2388	z9714253.exe	107
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 3544 wrote to memory of 2068	3544	s1965067.exe	109
PID 1236 wrote to memory of 2168	1236	z1676919.exe	112
PID 1236 wrote to memory of 2168	1236	z1676919.exe	112
PID 1236 wrote to memory of 2168	1236	z1676919.exe	112
PID 2168 wrote to memory of 3504	2168	t1075823.exe	113
PID 2168 wrote to memory of 3504	2168	t1075823.exe	113
PID 2168 wrote to memory of 3504	2168	t1075823.exe	113
PID 3596 wrote to memory of 548	3596	z1944238.exe	114
PID 3596 wrote to memory of 548	3596	z1944238.exe	114
PID 3596 wrote to memory of 548	3596	z1944238.exe	114
PID 3504 wrote to memory of 3612	3504	explonde.exe	115
PID 3504 wrote to memory of 3612	3504	explonde.exe	115
PID 3504 wrote to memory of 3612	3504	explonde.exe	115
PID 3504 wrote to memory of 4692	3504	explonde.exe	117
PID 3504 wrote to memory of 4692	3504	explonde.exe	117
PID 3504 wrote to memory of 4692	3504	explonde.exe	117
PID 548 wrote to memory of 4628	548	u9141115.exe	119
PID 548 wrote to memory of 4628	548	u9141115.exe	119
PID 548 wrote to memory of 4628	548	u9141115.exe	119
PID 4044 wrote to memory of 3692	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	120
PID 4044 wrote to memory of 3692	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	120
PID 4044 wrote to memory of 3692	4044	6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe	120
PID 4692 wrote to memory of 2584	4692	cmd.exe	122
PID 4692 wrote to memory of 2584	4692	cmd.exe	122
PID 4692 wrote to memory of 2584	4692	cmd.exe	122
PID 4692 wrote to memory of 2364	4692	cmd.exe	123
PID 4692 wrote to memory of 2364	4692	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe
"C:\Users\Admin\AppData\Local\Temp\6e83c409a5141acfb33dd664684ab352c7d7ecdc7a01189c46cf229a14f9b645.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944238.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944238.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1676919.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1676919.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9714253.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9714253.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1504166.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1504166.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4232514.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4232514.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9236648.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9236648.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 148
        7⤵
        Program crash
        
        PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1965067.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1965067.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3544
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 136
        6⤵
        Program crash
        
        PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1075823.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1075823.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3612
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9141115.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9141115.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3736
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:2420
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:556
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:1044
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:3260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4012
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:2548
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2776372.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2776372.exe
  2⤵
  - Executes dropped EXE
  PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 872 -ip 872
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3544 -ip 3544
1⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2776372.exe

Filesize
17KB

MD5
3906ee3ed498c08847666ed930b1c274

SHA1
0bc616baaf9b044ae6bdf39a05f2303facaafcea

SHA256
fd198196ae57e8f92207c2eb3da275c748013c0dba84ac329a8d968b685fa099

SHA512
27cf0c44e7f0e33586bab6d6c81688c47d492822d786be9b90e16565827649f253f3bef79355adfe243acedae56e2fd18450448ffa9294d24a1c4d8b4e9829cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944238.exe

Filesize
1.2MB

MD5
c4231f9d8a3bcc84fdfe4ffa9a9f37d7

SHA1
d77639af43119e95bbd09d6fbeb34390aae69377

SHA256
7b1f0afbde9de4ce7448065be591c5925febb211ac12325da099b9a6b8121d5b

SHA512
67d71e6e608ed9fff5c1e4f39a50a8a985745017f4f1cd09715bda3bb9c26c5d6a0cd390ac925137b03dd986edf733dd88ca748480dabc04cd1dde0265f48233

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9141115.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1676919.exe

Filesize
1.0MB

MD5
d2c11bf55df2fff6c7087414af5a1269

SHA1
5911ea73d553860e2e2d9c4cdce869ab4733dcba

SHA256
a43fd0c88f1c441f9139a7779e9ea5187e12bc78a7a5b6c56b65f09791ca7997

SHA512
b79da78a2c5c48dfd4df848bd2f086fcab25a0527aa93b435dbd09f1ecf616d123c99395c4c102d6e12028c711cc15839a2409440647a75d4375bb0c46c0ebfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1075823.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9714253.exe

Filesize
867KB

MD5
23a927dc1da96bf809fdceaf95ada8b7

SHA1
7878dca4f62bd66cb481baa78c8fb3ae9614427a

SHA256
6d47aea3276bc75806eb09da8ac525fab1fc52750897b12f4e32e490739b7025

SHA512
86c87b9d8e7345e192cbe7a55ba95b7c9da098783a35a992b37fbbb538ddc01a7b5ab83887b0ab9466981c1b8bd7e9d91bf471cf1a52bcc4f2a6d3f638518291

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1965067.exe

Filesize
1.0MB

MD5
7a504958439cf7bff6479c879913689e

SHA1
6f590015cdc9ea31d727cebf1de34fb358cf0dde

SHA256
ce833cc26b551663d31d2408a798c3dc5884629dd20a144c48e116d3277c56fb

SHA512
7472cfddc44731e2897dba531cc14e4fe202379d2e45e71d7625fa704d4886f9f2216039891086e06a6dc166a6f14bcdc48a8b655b1bfc3207ffc8265d4621b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1504166.exe

Filesize
476KB

MD5
351108c05475f9cd186955b54d914426

SHA1
920659c2276098f11ce4fabfadfb029d81b0c1b6

SHA256
93702b92633aabd029da073b4ca0129607ce08e50efc629cf7dc32e81139a7e4

SHA512
63e88e844688c27108f1edb4427fe71ea711ff9444591ccf320134c9816615db10fed2302ca18fce6052e42084e812833b3e7e5e724359d49da750dcd986a9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4232514.exe

Filesize
11KB

MD5
aad73435fa722a93278d03c28597b2f8

SHA1
c3fa745d0721e15f02b335debbcf458dbf430338

SHA256
60be5b68bf29c60f2fd531b56d74b7a34f9c57a7ea149006c0b3842e0d8ad8b5

SHA512
18e530ca1a0d3f7526bcbbdf51247944815c4649dcd26bbc2159785bdd220aaafc0d1bcb32b5c1d3817676ee365be9c3f6addcd29e2d199dda934337468dd9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9236648.exe

Filesize
1.0MB

MD5
68e066b4de0277392c40b13402c402d1

SHA1
08486beb290bf586563d1bccfd6465502371c2e5

SHA256
1af0423865835359059409f26de8a6b00ef2528fc2edeb7a19df6595cf98000c

SHA512
75febbf7d215ffa265ee0e46b26ec796893be9620f08dc22efcccda8cfb5c246b4335b94fde2a421b81ffc96a19af7c77d97374fae135f977272583f4a619efb

Download Submit
memory/2068-61-0x0000000005670000-0x000000000577A000-memory.dmp

Filesize
1.0MB

Download
memory/2068-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2068-48-0x00000000013E0000-0x00000000013E6000-memory.dmp

Filesize
24KB

Download
memory/2068-54-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/2068-63-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/2068-69-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/2068-70-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/3092-35-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/4988-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4988-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download