amadey | 4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Size

10KB
MD5

ed6b7fa2b46bebbeabc7dc7e0b01718d
SHA1

0a019805abb8542c37cb30796ef9c38ae1485086
SHA256

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43
SHA512

4d6d16438c72e23bb13cf0a26120cef042bd631382f80e3fb4ab38ff5bde7d9a0ec1e3b10ed4317906d2da38bf0a2b111d4de1df54fc645ff9fa506455ba3649
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KYN:xlwwHe/20PKn/cLTlHuptYcFwVc03Km

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

TrupAshot

documents-elegant.at.ply.gg:54835

Mutex

4a87b5397a2736773782f50e108b2da4

Attributes

reg_key
4a87b5397a2736773782f50e108b2da4
splitter
|'|'|

Extracted

Family

amadey

Version

4.41

Botnet

ad1b56

http://45.80.158.31

Attributes

install_dir
28c5e5ba36
install_file
Hkbsse.exe
strings_key
7b1e9202fdcdff462c8be8cfd7b21076
url_paths
/g9bkfkWf/index.php

rc4.plain

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
Google Chrome.exe
pastebin_url
https://pastebin.com/raw/hhG5zGXd

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

217.195.195.46:1604

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

cryptbot

analforeverlovyu.top

tvexv20vt.top

Attributes

url_path
/v1/upload.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\XClient.exe	family_xworm
behavioral1/memory/2924-377-0x0000000000A30000-0x0000000000A4A000-memory.dmp	family_xworm

Modifies firewall policy service 3 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

SeetrolClient.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	SeetrolClient.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files (x86)\seetrol\client\SeetrolClient.exe = "C:\\Program Files (x86)\\seetrol\\client\\SeetrolClient.exe:*:Enabled:SeetrolClient"	SeetrolClient.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysarddrvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" sysarddrvs.exe
Njrat family
njrat
Phorphiex family
phorphiex

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\11.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\Files\1.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\w.exe	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2680 powershell.exe
2148 powershell.exe
1392 powershell.exe
1916 powershell.exe
2880 powershell.exe
1296 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2488 netsh.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
2680	powershell.exe
2148	powershell.exe
1392	powershell.exe
1916	powershell.exe
2880	powershell.exe
1296	powershell.exe

pid	process
2488	netsh.exe

Drops startup file 2 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe	conhost.exe

Executes dropped EXE 19 IoCs

Processes:

444.execonhost.exeAmadey.exeHkbsse.execlient.exeClientRun.exeSeetrolClient.exegame.exemeta.exeChannel1.exefeb9sxwk.execurlapp64.exe11.exeXClient.exesysarddrvs.exew.exeseo.exe1.exesysklnorbcv.exe

pid	process
1292	444.exe
1480	conhost.exe
2280	Amadey.exe
1100	Hkbsse.exe
1960	client.exe
1948	ClientRun.exe
1588	SeetrolClient.exe
2128	game.exe
2100	meta.exe
1928	Channel1.exe
2436	feb9sxwk.exe
2544	curlapp64.exe
2072	11.exe
2924	XClient.exe
2176	sysarddrvs.exe
2848	w.exe
1772	seo.exe
2648	1.exe
1748	sysklnorbcv.exe

Loads dropped DLL 27 IoCs

Processes:

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe444.exeAmadey.execlient.exeClientRun.exeSeetrolClient.execmd.execurlapp64.exe

pid	process
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1292	444.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
2280	Amadey.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1960	client.exe
1960	client.exe
1948	ClientRun.exe
1948	ClientRun.exe
1588	SeetrolClient.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
592
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
2092	cmd.exe
2544	curlapp64.exe
2544	curlapp64.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

11.exeXClient.exe1.execonhost.execlient.execurlapp64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Local\\Google Chrome.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\curlapp64 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Files\\curlapp64.exe"	curlapp64.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SeetrolClient.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SeetrolClient.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

51 raw.githubusercontent.com
53 raw.githubusercontent.com
69 pastebin.com
70 pastebin.com
10 raw.githubusercontent.com
11 raw.githubusercontent.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SeetrolClient.exe

flow	ioc
51	raw.githubusercontent.com
53	raw.githubusercontent.com
69	pastebin.com
70	pastebin.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

conhost.exe

description	ioc	process
File created	F:\autorun.inf	conhost.exe
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2748 tasklist.exe
2468 tasklist.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

meta.exe

description pid process target process

PID 2100 set thread context of 2240 2100 meta.exe regsvcs.exe

pid	process
2748	tasklist.exe
2468	tasklist.exe

description	pid	process	target process
PID 2100 set thread context of 2240	2100	meta.exe	regsvcs.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe	upx
behavioral1/memory/1960-186-0x00000000001C0000-0x00000000001DB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STClientChat.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUpdate.exe	upx
behavioral1/memory/1588-214-0x0000000000400000-0x0000000000727000-memory.dmp	upx
behavioral1/memory/1588-217-0x0000000001410000-0x0000000001737000-memory.dmp	upx
behavioral1/memory/1948-222-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/1588-238-0x0000000000400000-0x0000000000727000-memory.dmp	upx
behavioral1/memory/1588-241-0x0000000000400000-0x0000000000727000-memory.dmp	upx
behavioral1/memory/1588-272-0x0000000000400000-0x0000000000727000-memory.dmp	upx

Drops file in Program Files directory 25 IoCs

Processes:

SeetrolClient.exeClientRun.exe

description	ioc	process
File created	C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.sys	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\068\dfmirage.dll	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\105\dfmirage.cat	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\sthooks.dll	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\STUpdate.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\mdph.tmp	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\SeetrolClient.cfg	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\Install.cmd	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\068\dfmirage.cat	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.dll	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\105\x86\dfmirage.dll	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\sas.dll	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\MirrInst32.exe	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\068\dfmirage.sys	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\105\x64\dfmirage.sys	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\Uninstall.cmd	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\068\dfmirage.inf	SeetrolClient.exe
File opened for modification	C:\Program Files (x86)\seetrol\client\Seetrol_Clt.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\STClientChat.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\SeetrolMyService.exe	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\dtph.tmp	ClientRun.exe
File created	C:\Program Files (x86)\seetrol\client\MirrInst64.exe	SeetrolClient.exe
File created	C:\Program Files (x86)\seetrol\client\105\dfmirage.inf	SeetrolClient.exe

Drops file in Windows directory 5 IoCs

Processes:

Amadey.exe11.exe1.exe

description	ioc	process
File created	C:\Windows\Tasks\Hkbsse.job	Amadey.exe
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe
File created	C:\Windows\sysklnorbcv.exe	1.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	1.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2480 sc.exe
2576 sc.exe
2840 sc.exe
1920 sc.exe
2476 sc.exe
2728 sc.exe
2572 sc.exe
2492 sc.exe
1476 sc.exe
1584 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2480	sc.exe
2576	sc.exe
2840	sc.exe
1920	sc.exe
2476	sc.exe
2728	sc.exe
2572	sc.exe
2492	sc.exe
1476	sc.exe
1584	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

444.exeipconfig.exefindstr.exepowershell.exeseo.exefindstr.execmd.exe1.exeAmadey.exeSeetrolClient.exetasklist.execmd.exesc.exesysklnorbcv.exe4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exeClientRun.exesc.exePredicted.pifconhost.exeHkbsse.exeregsvcs.exesc.exefindstr.exechoice.execlient.exesysarddrvs.execmd.exesc.exetasklist.execmd.exenetsh.exe11.exesc.exeChannel1.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amadey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SeetrolClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ClientRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Predicted.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Channel1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1484 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2944 ipconfig.exe

pid	process
1484	timeout.exe

pid	process
2944	ipconfig.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2668 schtasks.exe

pid	process
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe
1480	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

1480 conhost.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.execonhost.exeClientRun.exemeta.exeregsvcs.exeXClient.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
Token: SeDebugPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	1948	ClientRun.exe
Token: SeDebugPrivilege	1948	ClientRun.exe
Token: SeDebugPrivilege	1948	ClientRun.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	2100	meta.exe
Token: SeDebugPrivilege	2240	regsvcs.exe
Token: SeBackupPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: SeBackupPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: SeSecurityPrivilege	2240	regsvcs.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe
Token: SeDebugPrivilege	2924	XClient.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2748	tasklist.exe
Token: SeDebugPrivilege	2468	tasklist.exe
Token: SeDebugPrivilege	2924	XClient.exe
Token: 33	1480	conhost.exe
Token: SeIncBasePriorityPrivilege	1480	conhost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Amadey.exeSeetrolClient.exePredicted.pif

pid process

2280 Amadey.exe
1588 SeetrolClient.exe
1588 SeetrolClient.exe
1588 SeetrolClient.exe
1804 Predicted.pif
1804 Predicted.pif
1804 Predicted.pif
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

SeetrolClient.exePredicted.pif

pid process

1588 SeetrolClient.exe
1588 SeetrolClient.exe
1804 Predicted.pif
1804 Predicted.pif
1804 Predicted.pif
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SeetrolClient.exeXClient.exe

pid process

1588 SeetrolClient.exe
1588 SeetrolClient.exe
1588 SeetrolClient.exe
2924 XClient.exe

pid	process
2280	Amadey.exe
1588	SeetrolClient.exe
1588	SeetrolClient.exe
1588	SeetrolClient.exe
1804	Predicted.pif
1804	Predicted.pif
1804	Predicted.pif

pid	process
1588	SeetrolClient.exe
1588	SeetrolClient.exe
1804	Predicted.pif
1804	Predicted.pif
1804	Predicted.pif

pid	process
1588	SeetrolClient.exe
1588	SeetrolClient.exe
1588	SeetrolClient.exe
2924	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe444.execonhost.exeAmadey.execlient.exeClientRun.exeSeetrolClient.exemeta.exe

description	pid	process	target process
PID 1992 wrote to memory of 1292	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	444.exe
PID 1992 wrote to memory of 1292	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	444.exe
PID 1992 wrote to memory of 1292	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	444.exe
PID 1992 wrote to memory of 1292	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	444.exe
PID 1292 wrote to memory of 1480	1292	444.exe	conhost.exe
PID 1292 wrote to memory of 1480	1292	444.exe	conhost.exe
PID 1292 wrote to memory of 1480	1292	444.exe	conhost.exe
PID 1292 wrote to memory of 1480	1292	444.exe	conhost.exe
PID 1480 wrote to memory of 2488	1480	conhost.exe	netsh.exe
PID 1480 wrote to memory of 2488	1480	conhost.exe	netsh.exe
PID 1480 wrote to memory of 2488	1480	conhost.exe	netsh.exe
PID 1480 wrote to memory of 2488	1480	conhost.exe	netsh.exe
PID 1992 wrote to memory of 2280	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	Amadey.exe
PID 1992 wrote to memory of 2280	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	Amadey.exe
PID 1992 wrote to memory of 2280	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	Amadey.exe
PID 1992 wrote to memory of 2280	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	Amadey.exe
PID 2280 wrote to memory of 1100	2280	Amadey.exe	Hkbsse.exe
PID 2280 wrote to memory of 1100	2280	Amadey.exe	Hkbsse.exe
PID 2280 wrote to memory of 1100	2280	Amadey.exe	Hkbsse.exe
PID 2280 wrote to memory of 1100	2280	Amadey.exe	Hkbsse.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1992 wrote to memory of 1960	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	client.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1960 wrote to memory of 1948	1960	client.exe	ClientRun.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1948 wrote to memory of 1588	1948	ClientRun.exe	SeetrolClient.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1588 wrote to memory of 2944	1588	SeetrolClient.exe	ipconfig.exe
PID 1992 wrote to memory of 2128	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	game.exe
PID 1992 wrote to memory of 2128	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	game.exe
PID 1992 wrote to memory of 2128	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	game.exe
PID 1992 wrote to memory of 2128	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	game.exe
PID 1992 wrote to memory of 2100	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	meta.exe
PID 1992 wrote to memory of 2100	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	meta.exe
PID 1992 wrote to memory of 2100	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	meta.exe
PID 1992 wrote to memory of 2100	1992	4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe	meta.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe
PID 2100 wrote to memory of 2240	2100	meta.exe	regsvcs.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

SeetrolClient.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	SeetrolClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	SeetrolClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SeetrolClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe
"C:\Users\Admin\AppData\Local\Temp\4586378fb8e91587b6c436af567fa9cc9f44d88ff665ff4115d72d0983340e43.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\Files\444.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\444.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2488
- C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
    "C:\Users\Admin\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1100
- C:\Users\Admin\AppData\Local\Temp\Files\client.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
      "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1588
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2944
- C:\Users\Admin\AppData\Local\Temp\Files\game.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\game.exe"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\Files\meta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\meta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Channel1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
  2⤵
  - Executes dropped EXE
  PID:2436
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start "" "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
    3⤵
    - Loads dropped DLL
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2544
- - C:\Windows\system32\cmd.exe
    cmd.exe /c timeout /t 10 /nobreak && del /q "C:\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe"
    3⤵
    PID:588
  - - C:\Windows\system32\timeout.exe
      timeout /t 10 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1484
- C:\Users\Admin\AppData\Local\Temp\Files\11.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2072
- - C:\Windows\sysarddrvs.exe
    C:\Windows\sysarddrvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1304
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1920
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2480
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2576
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2728
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\Admin\AppData\Local\Google Chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\Files\w.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\w.exe"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\Files\seo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\seo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Vote Vote.cmd & Vote.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1796
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2748
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 419591
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SAVEDBEDFLESHPROVIDED" Waves
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Poll + ..\Memorabilia + ..\Kenny + ..\Rick + ..\Britannica + ..\Circuits J
      4⤵
      System Location Discovery: System Language Discovery
      PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\419591\Predicted.pif
      Predicted.pif J
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1804
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- C:\Users\Admin\AppData\Local\Temp\Files\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2648
- - C:\Windows\sysklnorbcv.exe
    C:\Windows\sysklnorbcv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:1716
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      PID:2980
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2840
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2572
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2492
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:1476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\533259084254

Filesize
47KB

MD5
183ef6943837f0064fdd0ec56ee6dc10

SHA1
800978299feb14768c9ce5c1ea9c715657e4d55b

SHA256
f220de3ef884233f16d7875aa15e998723edfdf2ced762185e3d6227b613943d

SHA512
cb0b08d64802013444d3dc85152a2b956407ebd8338415e1d86fd3d044d2f6947c27803e2f6df601ab9bb136056f164c58ccfc2eb8d83a87bfc1b719baa3a669

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA91.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\curlapp64.exe

Filesize
600KB

MD5
f9830df1dfdb31cec5e3bd9f892edc9a

SHA1
073e56d2fbef94dd6fdfc1ff1fe12ecc71736029

SHA256
9c40291f6a315e70b45ad05f9671d7eea89ab14aecebf42ce9ba4c167509c9e5

SHA512
5cffa490084da873f341b4b88c3b92d9b25d1ba9e9a28e5d249037c2cb3fa27348d4f2eb770e274c3bab47c69eaf942f118c25eca47b6216cff3c492c815a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\game.exe

Filesize
3.6MB

MD5
49a4df6234a85f29ff15b8d58dcb995b

SHA1
f85b7f5e5f4075a528a76c69052a3a772799c718

SHA256
4b77e49987843ca290926630aa7e1bc0e29b84b094a44495898e490367af658e

SHA512
7a8ca5cae878bda825ba73478ec36844508e503c282ca9bdc3cc2013780f5cdb500a14f60d885b684a15ad2657c493da2d089db3d20e1a64e09ea4c376f719c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\libcurl.dll

Filesize
575KB

MD5
18ce47f58b4c1a9cfc1edf7c8bf49b7c

SHA1
e74d08ab06ed8200d7e674d8031d6df8250de8cb

SHA256
36d97f1c254832cee9698cea2f1a63ea98d231641fd29715ef581be103ace602

SHA512
19b2d6968095c4e8f08c66ab73e7ec5e0439712bcb2777266602ef2ad123a779395a3d44bc0c7c9945376998fb2165bc60e6bf682863a55a0cff40c720594bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STClientChat.exe

Filesize
630KB

MD5
7aef1cb0e581471da8382549441e73a7

SHA1
3e2abe17e60e18890e631a4b4e421efd0478a69e

SHA256
16fea5a5ab725da533bf75b111ac8fd9c240f151015d2b1040d8abea551937fc

SHA512
ad7d822612c5414830390a51b5d4144a3c349f1cbe389a1b265905263ee204b50a71b974b360dbb02c64924b3366d28fc2e840e014dae96ff05b6ab48458bac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\STUpdate.exe

Filesize
57KB

MD5
27d99e10488ef746e4a75064a60ff311

SHA1
d64e45d11402d80e46f3b322f482b2bed3dc3d74

SHA256
7cc186ca6bfb3277b7e8495ee1af6ab6cb472a405a482eb054836d03c558cd4c

SHA512
4f1c906b7bbe8b349f36f104bea8a22735d73f0b9114b032ff40a0b44dce641ba513d593e4754fbcdbc17586e30d409fb9a8bdb760b3b052ddc7eac0349a6994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SeetrolClient.exe

Filesize
713KB

MD5
c3192af2dff9319b35ec48b6fe23b0ff

SHA1
3713858569b97f4044caf9f2e0f8ad5b6b2ef713

SHA256
aec05f916b60a80379a0ecde59749ec89beaa0d331e67846f172dbdce858f278

SHA512
dea78632c6e7d4b749982765857de3daab0ecd2a92ae38a7497d5bdfa6d56d7b8a2378a3043455b645526f67fcdebeaff09d5799c410b383e50e44fa46acd0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SeetrolMyService.exe

Filesize
50KB

MD5
60190685605be1d7cdd4eec0c89dbb63

SHA1
a549a7d01a7f104fd88cbb927e60e8754ce2450b

SHA256
9a0756f31f56631f302a55b43279d8a839b2f1f64b87f232c93eee735855d37d

SHA512
85811baa6d95d37367fbd8574bd992538dceebe432b3ad5ae0ed041ef112951b75c166257a1560e7b78c1db9d835a87b4b88956b5ae64ac3e9447340edbe0b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Seetrol_Clt.exe

Filesize
350KB

MD5
58b4ed8f98841fa40b8f796b52d1188d

SHA1
0f67de7c94295b1239d2f3a885e950013a229282

SHA256
1eb86a3b7ab8fa8642af4f94a8bfce1b4a65867f5a177ae8147da96431e72770

SHA512
308ceb774bc8129accb9bf418255aab7efa60dcbae0f5931117461062e49b77ddbcbf75a0d09f7492de6ace663f9b2f3ef9e984b11150a666c5a84730f36ace3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sas.dll

Filesize
14KB

MD5
60c3820c4f56c77e3e8bece9d7a51842

SHA1
b1bda7390cc5515718a23fb95dab44e7436cf24c

SHA256
c2904b2822b3c1b003a72f84d42ffbfdefd253f322c99b77cf8a950f37c716e6

SHA512
474ddfbd8524163396a9335b25acb577cd12e87e9bdfa5ed7f4aa54a7d1cea17d94d001772cb76376b4f921b96bf3341011e94ade97aca76be942363ed92a6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sthooks.dll

Filesize
70KB

MD5
4552dca24d26dd640f131e68ce8ba37c

SHA1
d5b80dc90511e8aa5a25f10ebf2893ae146d84e6

SHA256
18997169e6d07921bb724c9e6a5ab784bccab52f598c5cf0c166aa47db0c1c5a

SHA512
c62a9203bc3edd46ba95a19291446af8dd8b436d7f152ea8b64faa07d6e08fcd7c740d9fb4b949c2c49c3fb9f5c7197421ec3a6dd212dc7b12bb6ddf5f80202f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAB4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e37a1e4218c45dd3749cc7da47db6e54

SHA1
bf200693a91b981127a38feedb33f565ad20886c

SHA256
061b9caad8266d15436f628b07f4292f059dcd07febd2b8469ecfa207b991241

SHA512
76f17ffcfee1da7a500b1175d9c8dedd9795639beaeb781aef446fcc2e14d2e9d0beb4fc894ca817159f0a283e41663845837cec234988c1a15d24890e33c396

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\444.exe

Filesize
37KB

MD5
fb0bdd758f8a9f405e6af2358da06ae1

SHA1
6c283ab5e49e6fe3a93a996f850a5639fc49e3f5

SHA256
9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf

SHA512
71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Amadey.exe

Filesize
435KB

MD5
bb63e746e54ae6a1ff2d5d01fc4b6c61

SHA1
b22879f1eb81aabb7cf37fd531f85724f84fdc09

SHA256
18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6

SHA512
a7ad6ecb848789cd32090863ef5196dab836a4a5937b988516e0d72f69b2fb6459db9baf0ff8281d301134cbf9a66d2b889fb647ad0f637cf0e03f46cea23e42

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Channel1.exe

Filesize
6.3MB

MD5
703bea610f53655fa0014b93f0fa4b7e

SHA1
a3caccfaeffc6c6c39644404ad93455d37f0cdab

SHA256
1dac4bd2e15c7e98e3e8c657e9f6463f6d4f7d6a1256a3270649bfa5154c9e73

SHA512
9d083a762a23c05e9a084a6424a0852725ed4fb010b074416228034c4bbbbfce2bcfc9cf3e9f24f719d768cf8204eade9d3dcaf4a414c79fcb4b4f5af4986aeb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
77KB

MD5
12ac7eecca99175c8953b8368d96440e

SHA1
aa6fcf14c66644111d1160a6dd4cdb67c58e709a

SHA256
9d7a88aa72820977134b39b0ae1907fd738de184b89ce72fbb77cee530a10e49

SHA512
5d5f775b32182c6aab302462a2b8e9a2d608f232df2dc02c3826405e4a3a46ef040e8249feaf2133dee3ed3f111aeb4e884fdb4edae743dbc6e255c40eb51c9e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
1.8MB

MD5
d57c5086ea166bc56e091761a43781ff

SHA1
16b7a96e3c43e82ca962bd94ae1898f796c9cd00

SHA256
dc08aa33da827c3199f3f0345606b97b83bc508239c4c24f02a78d6e996bca09

SHA512
893a1fea55837f2cb7cca1a22ab18795c3fcf91edcdf506c269415b06257d17c8fc426b50a8aa2e4dd34de73cc8fe41711b3276b16499a56714aecd2b98cccda

Download Submit
\Users\Admin\AppData\Local\Temp\Files\feb9sxwk.exe

Filesize
1.6MB

MD5
d4e3a11d9468375f793c4c5c2504a374

SHA1
6dc95fc874fcadac1fc135fd521eddbdcb63b1c6

SHA256
0dc03de0ec34caca989f22de1ad61e7bd6bc1eabc6f993dbed2983f4cc33923d

SHA512
9d87f182f02daafad9b21f8a0f5a0eeedb277f60aa2d21bb8eb660945c153503db35821562f12b82a4e84cef848f1b1391c116ff30606cb495cf2e8ce4634217

Download Submit
\Users\Admin\AppData\Local\Temp\Files\meta.exe

Filesize
2.7MB

MD5
3aace51d76b16a60e94636150bd1137e

SHA1
f6f1e069df72735cb940058ddfb7144166f8489b

SHA256
b51004463e8cdfe74c593f1d3e883ff20d53ad6081de7bf46bb3837b86975955

SHA512
95fb1f22ed9454911bfca8ada4c8d0a6cf402de3324b133e1c70afaa272a5b5a54302a0d1eb221999da9343ba90b3cac0b2daecf1879d0b9b40857330a0d0f4e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\w.exe

Filesize
47KB

MD5
d4826d365cf4dd98966196f868817394

SHA1
2d17bf67b0a179b2f32a3f6e57c960a9eae42be5

SHA256
2ab6b6abe9e3f1d24bf8606a675915e600413c8a9089de5ae3606b595a70aab5

SHA512
6269bd39c8682aa9e22422c162034de84cbf1d82ff46c25c7dd04a60759d88958b1ac7e4488f315b4e5e4a3b173af1132eedd741ce99265c6d1c4fab9f94d180

Download Submit
\Users\Admin\AppData\Local\Temp\Files\zlib1.dll

Filesize
88KB

MD5
f53d1efea4855da42da07de49d80ba68

SHA1
920349f4bd5a5b8e77195c81e261dfa2177eb1ee

SHA256
7e9f43688189578042d791e3e5301165316edc7c1ed739e0669c033a3ca08037

SHA512
5d72f64b8e5c42a3c9a7bcbbe8a1598a85402ade4f312ab9e26869f8b39952a3aa037f2cf7da89e686c5bc3fcb221feeae077b9ffd2eef98dac0e307637fe7bd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe

Filesize
43KB

MD5
8b47aa48b7c1a24e0210d602f438c69d

SHA1
6732e01a8ab4170aab69fbefc32177b5bcf3986f

SHA256
f1a702b948c083b48f2b8a03f52ba7682203409798387b7a9178d83639e8cba4

SHA512
1d21f37a053754b71ad94042dd6e297b4b991bf07a7742bd45ba685ed045911ab029e4c6d223fb01ca95ffe17ac38468b9253b035de2cdfcb8bcdd5efb34c8ec

Download Submit
memory/1292-130-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-122-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-121-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-120-0x000000006FA11000-0x000000006FA12000-memory.dmp

Filesize
4KB

Download
memory/1296-404-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1296-405-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1588-217-0x0000000001410000-0x0000000001737000-memory.dmp

Filesize
3.2MB

Download
memory/1588-238-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1588-241-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1588-272-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1588-214-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/1588-240-0x0000000001410000-0x0000000001737000-memory.dmp

Filesize
3.2MB

Download
memory/1796-458-0x0000000077240000-0x000000007733A000-memory.dmp

Filesize
1000KB

Download
memory/1796-457-0x0000000077340000-0x000000007745F000-memory.dmp

Filesize
1.1MB

Download
memory/1928-442-0x0000000000400000-0x0000000001064000-memory.dmp

Filesize
12.4MB

Download
memory/1948-213-0x0000000002BC0000-0x0000000002EE7000-memory.dmp

Filesize
3.2MB

Download
memory/1948-222-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1960-186-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/1992-0-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-1-0x0000000001240000-0x0000000001248000-memory.dmp

Filesize
32KB

Download
memory/1992-4-0x0000000074660000-0x0000000074D4E000-memory.dmp

Filesize
6.9MB

Download
memory/1992-256-0x0000000006DC0000-0x0000000007DBB000-memory.dmp

Filesize
16.0MB

Download
memory/1992-254-0x0000000006DC0000-0x0000000007DBB000-memory.dmp

Filesize
16.0MB

Download
memory/1992-3-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/2128-255-0x0000000000400000-0x00000000013FB000-memory.dmp

Filesize
16.0MB

Download
memory/2148-414-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-415-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2240-269-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2240-271-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2240-270-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2848-392-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/2880-398-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2880-397-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2924-377-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download