amadey | 2dae798f2fcb49ad5f375700dcbe54c08e9cc5c25fe542ebd7939aa5f5f023aa

Analysis

max time kernel
129s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe
Size

1.1MB
MD5

9cede695194136214f017abf6997be1e
SHA1

3b1183591e0f83e40c3bc596746bf0ad3ff4ca7c
SHA256

48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c
SHA512

b175768e20b2cd0413e5282ec7de926d63c122b2de2171c1ef6291d0afee20aced35844a6006b69b9f340a72ee3695f9f5e31d4eb0d8b7a3e12dc7aa8de3a162
SSDEEP

24576:nytbOhoQ0HLS6oFFhFED50aHYNWJpo66YRZR3CkwqOYvTdKQi:ytbB93khSl0EWCbR/wqOSB

Score

10^/10

amadey healer mystic redline daf753 fb0fb8 trush dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

trush

77.91.124.82:19071

Attributes

auth_value
c13814867cde8193679cd0cad2d774be

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

amadey

Version

3.89

Botnet

daf753

http://77.91.68.78

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba
url_paths
/help/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 3 IoCs

resource	yara_rule
behavioral7/memory/1904-40-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral7/memory/1904-41-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family
behavioral7/memory/1904-43-0x0000000000400000-0x000000000042F000-memory.dmp	mystic_family

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral7/files/0x0008000000023445-33.dat	healer
behavioral7/memory/2780-35-0x00000000000C0000-0x00000000000CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q9301829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9301829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9301829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9301829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9301829.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9301829.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral7/memory/2988-47-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	u2709348.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	t6033928.exe

Executes dropped EXE 16 IoCs

pid	Process
1388	z6902154.exe
4348	z2688917.exe
540	z8642173.exe
5420	z3608136.exe
2780	q9301829.exe
5800	r0499564.exe
3316	s2363214.exe
1568	t6033928.exe
5508	explonde.exe
3068	u2709348.exe
5444	legota.exe
4336	w8374207.exe
832	explonde.exe
4928	legota.exe
3164	explonde.exe
4408	legota.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9301829.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6902154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2688917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8642173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3608136.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5800 set thread context of 1904	5800	r0499564.exe	100
PID 3316 set thread context of 2988	3316	s2363214.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6056	5800	WerFault.exe	98
2572	3316	WerFault.exe	105

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2284	schtasks.exe
3872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2780	q9301829.exe
2780	q9301829.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	q9301829.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1388	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	83
PID 884 wrote to memory of 1388	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	83
PID 884 wrote to memory of 1388	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	83
PID 1388 wrote to memory of 4348	1388	z6902154.exe	84
PID 1388 wrote to memory of 4348	1388	z6902154.exe	84
PID 1388 wrote to memory of 4348	1388	z6902154.exe	84
PID 4348 wrote to memory of 540	4348	z2688917.exe	85
PID 4348 wrote to memory of 540	4348	z2688917.exe	85
PID 4348 wrote to memory of 540	4348	z2688917.exe	85
PID 540 wrote to memory of 5420	540	z8642173.exe	87
PID 540 wrote to memory of 5420	540	z8642173.exe	87
PID 540 wrote to memory of 5420	540	z8642173.exe	87
PID 5420 wrote to memory of 2780	5420	z3608136.exe	88
PID 5420 wrote to memory of 2780	5420	z3608136.exe	88
PID 5420 wrote to memory of 5800	5420	z3608136.exe	98
PID 5420 wrote to memory of 5800	5420	z3608136.exe	98
PID 5420 wrote to memory of 5800	5420	z3608136.exe	98
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 5800 wrote to memory of 1904	5800	r0499564.exe	100
PID 540 wrote to memory of 3316	540	z8642173.exe	105
PID 540 wrote to memory of 3316	540	z8642173.exe	105
PID 540 wrote to memory of 3316	540	z8642173.exe	105
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 3316 wrote to memory of 2988	3316	s2363214.exe	107
PID 4348 wrote to memory of 1568	4348	z2688917.exe	110
PID 4348 wrote to memory of 1568	4348	z2688917.exe	110
PID 4348 wrote to memory of 1568	4348	z2688917.exe	110
PID 1568 wrote to memory of 5508	1568	t6033928.exe	111
PID 1568 wrote to memory of 5508	1568	t6033928.exe	111
PID 1568 wrote to memory of 5508	1568	t6033928.exe	111
PID 1388 wrote to memory of 3068	1388	z6902154.exe	112
PID 1388 wrote to memory of 3068	1388	z6902154.exe	112
PID 1388 wrote to memory of 3068	1388	z6902154.exe	112
PID 5508 wrote to memory of 2284	5508	explonde.exe	113
PID 5508 wrote to memory of 2284	5508	explonde.exe	113
PID 5508 wrote to memory of 2284	5508	explonde.exe	113
PID 5508 wrote to memory of 4088	5508	explonde.exe	115
PID 5508 wrote to memory of 4088	5508	explonde.exe	115
PID 5508 wrote to memory of 4088	5508	explonde.exe	115
PID 3068 wrote to memory of 5444	3068	u2709348.exe	117
PID 3068 wrote to memory of 5444	3068	u2709348.exe	117
PID 3068 wrote to memory of 5444	3068	u2709348.exe	117
PID 884 wrote to memory of 4336	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	118
PID 884 wrote to memory of 4336	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	118
PID 884 wrote to memory of 4336	884	48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe	118
PID 4088 wrote to memory of 5600	4088	cmd.exe	119
PID 4088 wrote to memory of 5600	4088	cmd.exe	119
PID 4088 wrote to memory of 5600	4088	cmd.exe	119
PID 4088 wrote to memory of 3012	4088	cmd.exe	120
PID 4088 wrote to memory of 3012	4088	cmd.exe	120

C:\Users\Admin\AppData\Local\Temp\48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe
"C:\Users\Admin\AppData\Local\Temp\48143dd10cb17672737bf39325eefbced2eac21f1831cda9176650d72814984c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6902154.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6902154.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688917.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688917.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8642173.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8642173.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3608136.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3608136.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5420
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9301829.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9301829.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0499564.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0499564.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 556
        7⤵
        Program crash
        
        PID:6056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2363214.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2363214.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 572
        6⤵
        Program crash
        
        PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6033928.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6033928.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5508
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:2284
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2709348.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2709348.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:6092
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:1176
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:3476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4956
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:4584
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:5488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8374207.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8374207.exe
  2⤵
  - Executes dropped EXE
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5800 -ip 5800
1⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3316 -ip 3316
1⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:832

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8374207.exe

Filesize
17KB

MD5
d0717dd84783dac8e111a9dce5c0defa

SHA1
13a3af5e32a8ce31b06d5c0db3e95493dcf8b142

SHA256
8a5a71035ccb0b1ae234e94dbc776cc15eaeac625941e68b48febfec07f3fe4c

SHA512
e7bd845ceead2e153c6c73abc370681da7647655aadc984477f1f65ee67e9f58d0d8f5a7bc95b17d9e4f0e226b9ea8b5c715fc59d70bc8c1ff3dbdd5d8465852

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6902154.exe

Filesize
1.0MB

MD5
d400e3eff0b341af6075db03e1f79404

SHA1
aa7d398a8f00421168a0083ec6768cb2a789b57f

SHA256
db0eab6180bbc0b9e6b3ec67df6ab1a8ee0bdee5470bee97dd771ced50f8098b

SHA512
fcc32f98950cbfd02b9fb7b5ff97f465dbeb4272efe7456b16adc66a8f24e89e560656a7dc2874086acdb1dd43656087bc100f6237bc8fe44fc6361f2dc5a226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2709348.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688917.exe

Filesize
872KB

MD5
aeb8581927de414c7a85befbb00e0438

SHA1
855198089d85cf557e1e26ca34e6c47099a7f1f1

SHA256
fd65fab83289d9f8f515e29a7cac9893eb9ebef3a29beffe20de0ba6580eff47

SHA512
b9078adc3e93a1b0cf7a72d14e7d18333393e2ee15b1b00fa0b57242b746f3944749f38efd881779122794b339753223db670ed2af27494cca7013ac9535a9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6033928.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8642173.exe

Filesize
690KB

MD5
dcb35573bdc0272b7a862cdf0bd318f8

SHA1
7bad8526bea5671a567eb833d43c2f39fffa4933

SHA256
97fe71a675483b62985e0343a60c7352db29056e1d4a436727702fb906c4c175

SHA512
25920fe8d3df94ea1b3754833c01aad321702cbe1af1eb8083310f4395fc5d4d2972d6cefb25f52d5b2299d307aef4fe39df256ff5bc828be61047c066462f8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2363214.exe

Filesize
707KB

MD5
3a711f9aedd2e50474917336669ba52e

SHA1
73babcbd86274c6e81ddfa2fea51242f586fe131

SHA256
ef70e08e2837f1f499031399802a5228db85a4036e2cf434414ad1cc43f5d84d

SHA512
abeadbfb9ffc205664b1a3f6a38b2d851053329c1d17a2c077d3642e915bd71ec8d662c25c84e1ac7d14e46a4c7be9d8afdddb9df0063d549278091621120c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3608136.exe

Filesize
387KB

MD5
7d807868f82fa6103202d60eeee5f6bc

SHA1
cae029bccc72ac082d09bab066e0ba4315e12f5e

SHA256
b359ecd0fc06eb23bfc32fde530fd9679807dbd50ad839a40b5a05aef5a5a07a

SHA512
415987b414a36880449a31270ee7e9717221eccc6e61234b10bc956efa4886b6c4b9a1f13ab37fa164a26a7665f8b0f08234c5301f06f37aadcba5c5d57334c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9301829.exe

Filesize
11KB

MD5
f1d69ae29322e0d720f2bdd18edd4d01

SHA1
2d829e412ca2eb5da7a48959bc71bda958d03974

SHA256
63eb6de577bd7e2fec5d194fe8baef5dca4ab3acedd14456481ff5230c83be2a

SHA512
2a0556d937c005050a5193b3d2658313416abc35acf506946477aaa1f0f801bb177637c2762e4773fd84d7b339d4a60f7eef808637b06826b88c33a82791a735

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0499564.exe

Filesize
700KB

MD5
7679518bb8be59045af21ad0e9d9cd5c

SHA1
fd75d3d719d721c76fb1f5deff66b05fc868a3ee

SHA256
b27e3050d65eb20ce61af444825fc1c6e0db32516208f6e565c7e29f6ab36657

SHA512
b2cba400a8c4fb765d11c6426b7774a6cf402484b2d8fb2ca4031a72a040fa4d92f4e19f87431140813d3d1edf5f14f16f2e247ae7b31f854f1e4da7b474f675

Download Submit
memory/1904-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-35-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/2988-58-0x000000000AE10000-0x000000000B428000-memory.dmp

Filesize
6.1MB

Download
memory/2988-62-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/2988-48-0x00000000077D0000-0x00000000077D6000-memory.dmp

Filesize
24KB

Download
memory/2988-68-0x000000000A8D0000-0x000000000A8E2000-memory.dmp

Filesize
72KB

Download
memory/2988-73-0x000000000A930000-0x000000000A96C000-memory.dmp

Filesize
240KB

Download
memory/2988-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2988-79-0x0000000004E10000-0x0000000004E5C000-memory.dmp

Filesize
304KB

Download