amadey | 055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.8MB
MD5

8cbe0ced0c0f7bfbdf19128ba80adb99
SHA1

15e615a0fe64fe5200dd916232d9bc26b1c3d815
SHA256

055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895
SHA512

4b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938
SSDEEP

49152:kNv6yZz1fXBB9nu/SkIK3OdW+56W0xSDmoJb3:s6yZz1fRB9nu/SkIK3ibpDmA

Score

10^/10

amadey lumma stealc 9c9aa5 fed3aa stok discovery evasion execution persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

lumma

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

stok

http://185.215.113.206

Attributes

url_path
/c4becf79229cb002.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2496 created 1212	2496	7dbf8ffe61.exe	21

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d16e0f62ac.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	067454c17f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7dbf8ffe61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VR6f3vF.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
2764	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d16e0f62ac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7dbf8ffe61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VR6f3vF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7dbf8ffe61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	067454c17f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	067454c17f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VR6f3vF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d16e0f62ac.exe

Executes dropped EXE 10 IoCs

pid	Process
2608	skotes.exe
2340	Cq6Id6x.exe
2016	Cq6Id6x.exe
2900	x0qQ2DH.exe
2040	d16e0f62ac.exe
2596	axplong.exe
2876	067454c17f.exe
2496	7dbf8ffe61.exe
288	VR6f3vF.exe
1752	kf5cl0F.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	7dbf8ffe61.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	VR6f3vF.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	d16e0f62ac.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Wine	067454c17f.exe

Loads dropped DLL 15 IoCs

pid	Process
2848	file.exe
2608	skotes.exe
2340	Cq6Id6x.exe
2608	skotes.exe
2608	skotes.exe
2608	skotes.exe
2040	d16e0f62ac.exe
2040	d16e0f62ac.exe
2596	axplong.exe
2596	axplong.exe
2596	axplong.exe
2596	axplong.exe
2608	skotes.exe
2608	skotes.exe
2608	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\067454c17f.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1007312001\\067454c17f.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2848	file.exe
2608	skotes.exe
2040	d16e0f62ac.exe
2596	axplong.exe
2876	067454c17f.exe
2496	7dbf8ffe61.exe
288	VR6f3vF.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 2016	2340	Cq6Id6x.exe	34

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	file.exe
File created	C:\Windows\Tasks\axplong.job	d16e0f62ac.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cq6Id6x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d16e0f62ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7dbf8ffe61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kf5cl0F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cq6Id6x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	067454c17f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VR6f3vF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2848	file.exe
2608	skotes.exe
2016	Cq6Id6x.exe
2016	Cq6Id6x.exe
2016	Cq6Id6x.exe
2016	Cq6Id6x.exe
2040	d16e0f62ac.exe
2596	axplong.exe
2876	067454c17f.exe
2496	7dbf8ffe61.exe
2496	7dbf8ffe61.exe
2496	7dbf8ffe61.exe
2496	7dbf8ffe61.exe
2496	7dbf8ffe61.exe
288	VR6f3vF.exe
2304	dialer.exe
2304	dialer.exe
2304	dialer.exe
2304	dialer.exe
1752	kf5cl0F.exe
288	VR6f3vF.exe
288	VR6f3vF.exe
288	VR6f3vF.exe
288	VR6f3vF.exe
1872	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	Cq6Id6x.exe
Token: SeDebugPrivilege	1752	kf5cl0F.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2848	file.exe
2040	d16e0f62ac.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2608	2848	file.exe	30
PID 2848 wrote to memory of 2608	2848	file.exe	30
PID 2848 wrote to memory of 2608	2848	file.exe	30
PID 2848 wrote to memory of 2608	2848	file.exe	30
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2608 wrote to memory of 2340	2608	skotes.exe	33
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2340 wrote to memory of 2016	2340	Cq6Id6x.exe	34
PID 2608 wrote to memory of 2900	2608	skotes.exe	36
PID 2608 wrote to memory of 2900	2608	skotes.exe	36
PID 2608 wrote to memory of 2900	2608	skotes.exe	36
PID 2608 wrote to memory of 2900	2608	skotes.exe	36
PID 2608 wrote to memory of 2040	2608	skotes.exe	37
PID 2608 wrote to memory of 2040	2608	skotes.exe	37
PID 2608 wrote to memory of 2040	2608	skotes.exe	37
PID 2608 wrote to memory of 2040	2608	skotes.exe	37
PID 2040 wrote to memory of 2596	2040	d16e0f62ac.exe	38
PID 2040 wrote to memory of 2596	2040	d16e0f62ac.exe	38
PID 2040 wrote to memory of 2596	2040	d16e0f62ac.exe	38
PID 2040 wrote to memory of 2596	2040	d16e0f62ac.exe	38
PID 2596 wrote to memory of 2876	2596	axplong.exe	40
PID 2596 wrote to memory of 2876	2596	axplong.exe	40
PID 2596 wrote to memory of 2876	2596	axplong.exe	40
PID 2596 wrote to memory of 2876	2596	axplong.exe	40
PID 2596 wrote to memory of 2496	2596	axplong.exe	41
PID 2596 wrote to memory of 2496	2596	axplong.exe	41
PID 2596 wrote to memory of 2496	2596	axplong.exe	41
PID 2596 wrote to memory of 2496	2596	axplong.exe	41
PID 2608 wrote to memory of 288	2608	skotes.exe	42
PID 2608 wrote to memory of 288	2608	skotes.exe	42
PID 2608 wrote to memory of 288	2608	skotes.exe	42
PID 2608 wrote to memory of 288	2608	skotes.exe	42
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2496 wrote to memory of 2304	2496	7dbf8ffe61.exe	43
PID 2608 wrote to memory of 1752	2608	skotes.exe	44
PID 2608 wrote to memory of 1752	2608	skotes.exe	44
PID 2608 wrote to memory of 1752	2608	skotes.exe	44
PID 2608 wrote to memory of 1752	2608	skotes.exe	44
PID 1752 wrote to memory of 1872	1752	kf5cl0F.exe	46
PID 1752 wrote to memory of 1872	1752	kf5cl0F.exe	46
PID 1752 wrote to memory of 1872	1752	kf5cl0F.exe	46
PID 1752 wrote to memory of 1872	1752	kf5cl0F.exe	46
PID 1752 wrote to memory of 2764	1752	kf5cl0F.exe	48
PID 1752 wrote to memory of 2764	1752	kf5cl0F.exe	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
      "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe
      "C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe"
      4⤵
      Executes dropped EXE
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\1016974001\d16e0f62ac.exe
      "C:\Users\Admin\AppData\Local\Temp\1016974001\d16e0f62ac.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
        
        "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Users\Admin\AppData\Local\Temp\1007312001\067454c17f.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1007312001\067454c17f.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Users\Admin\AppData\Local\Temp\1007313001\7dbf8ffe61.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1007313001\7dbf8ffe61.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Users\Admin\AppData\Local\Temp\1007314001\7915579442.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1007314001\7915579442.exe"
        6⤵
        
        PID:2692
      - C:\Users\Admin\AppData\Local\Temp\1007315001\2fefd0b28a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1007315001\2fefd0b28a.exe"
        6⤵
        
        PID:552
  - - C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe
      "C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:288
  - - C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe
      "C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\altedl"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe
      "C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"
      4⤵
      PID:960
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1007312001\067454c17f.exe

Filesize
2.8MB

MD5
9122e2bcf23186c18f6600aa3548a997

SHA1
f1fb113d1659300ff0edae392398a51235685665

SHA256
61b12be55358b1356a682c7e891c42205afcb367ac9025feefec5b08a333bfcc

SHA512
d7c6a752fe10d846eb15deb16c2d3bbc800460c21af6a75fb21a661d38f2ef023b3028ce535f80448123da7d1191f815c971783132260758496dd6f5fc6950c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007313001\7dbf8ffe61.exe

Filesize
1.9MB

MD5
cbcfb4d5443855cec4a4871e69d7e58e

SHA1
c44cec80d1c60979299f3d52d4d7d0bfb75dee21

SHA256
120957e5a588345f6c6af3908edde7cd04bf78a3ec7655a81c0098970e97e2ec

SHA512
c40472c1a225211916bbf96761de1d939ac31ca50755512ed541bd93861c5c6635ae0aa10f73655ca0c45db0ab31c77c2bba765b58fceb4529f06b633742e39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007315001\2fefd0b28a.exe

Filesize
4.2MB

MD5
1bba40cd593bed2b1f35529f02a1bc01

SHA1
a0d27bf89c1d0ef1da317b101d134dd83a326fd9

SHA256
0c9d197700bb3c5a707382a110a0466daa05c6d44793a60248c69c1784b02237

SHA512
f75b3e7ea9751b2e3f02d90de33f46cee91a2c464d2e32072dc3ca5aef85cd3e46be44e87ac1201b3b9fe08ba015522d9094869347afe2809b30a3bc0c57182d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1007315001\2fefd0b28a.exe

Filesize
3.9MB

MD5
64372223457161e80f57291c95832cf2

SHA1
20e7cee8f3724f208830bfc1ef21e1adef166f55

SHA256
5b669ca380d579c960360f9bcadcee47b0d914e38e8c475585ecddef297ad45f

SHA512
c8c16719c37f28b7aa5dd029262be05074504e0514e145d6c957537b2bf9294f56534e22ee05ca45a69422e4b9e4eb100837fea49918553e990a678b804d0635

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016920001\Cq6Id6x.exe

Filesize
3.1MB

MD5
f9b9f98592292b5cbf59c7a60e9ebaee

SHA1
59cc872fd0a11b259cc5b70893f35e9b5a7c8cbb

SHA256
5688e9e0becc622c573af2a1af4ee0676ef3907e38a9258a7801b46b7ad64665

SHA512
f27e4a96173aeb064f47d44ff445b1e15f6d4f39a4ad711c019bb29692caea56eb910970d22bc13ac5c57a256d71e77b12aa60c8405335a239781c57cb0eaf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016945001\x0qQ2DH.exe

Filesize
17.6MB

MD5
3c224e3fc892719dc1e302378e533579

SHA1
0a65062e1426a95bfeca355398b6fdc4912fb6b1

SHA256
64cc7f7906fe1ebf0b6977892abd9aa36f5e525cb241964c3986ee9e1a18312d

SHA512
554a26e9654eccce831e4adcee49d5e2507956935e562b134a86f332d867debfcd1f64fdb88fccb2e1eee810975d565dbc6ea1376516817ee38765e4bd733a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1016974001\d16e0f62ac.exe

Filesize
2.8MB

MD5
8f0a96de651243bd92487d6281594240

SHA1
139e1824f6b2a6bb1d2c5b7b19e336976164da98

SHA256
09746a78e3bac9ee20a487f0efc864dcfed4d1e89cd6b1e84e76f188987914d2

SHA512
2a63c5439ec65900a7383277b5b81bd3c1d932d75879c634351e53ae9f10c8819f4ea32bfb3935df8514c17831beb03c217c5ec0367b58bb682d4dc480f0b5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe

Filesize
1.8MB

MD5
ff279f4e5b1c6fbda804d2437c2dbdc8

SHA1
2feb3762c877a5ae3ca60eeebc37003ad0844245

SHA256
e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378

SHA512
c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe

Filesize
21KB

MD5
14becdf1e2402e9aa6c2be0e6167041e

SHA1
72cbbae6878f5e06060a0038b25ede93b445f0df

SHA256
7a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a

SHA512
16b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe

Filesize
1.8MB

MD5
25fb9c54265bbacc7a055174479f0b70

SHA1
4af069a2ec874703a7e29023d23a1ada491b584e

SHA256
552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c

SHA512
7dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668

Download Submit
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe

Filesize
1.6MB

MD5
38f05dec6eb2ed86f7d6f7666c22850c

SHA1
ce39fea77ec71b0e45d422f9c51088f00f1d2059

SHA256
50c19a19d0fec7837e22b2113a2399b2ac1cb8faae9d6424137758eaebd3642f

SHA512
df4e9c1adb04c82ad4313a44cbc848d1aabd17edeb21077079853d90e1535580ea61898cc4fb85f9054be55ec6e82aa5e8102bad8e3ea48ea8daaa0e4ad4b711

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
2.8MB

MD5
8cbe0ced0c0f7bfbdf19128ba80adb99

SHA1
15e615a0fe64fe5200dd916232d9bc26b1c3d815

SHA256
055c34101c332838618fdedb730655f61b97553c5e56df94efd373667a3db895

SHA512
4b258260770b08fdd8f14b7bf0e703b8ca5010e4698e457bc0cfc76c246fb9e7c60ee4d2068b717f8205c2c1954d3b6b8742ed2547b67082f5b89c63d850e938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
71304af194afa3f7deec1533ed874439

SHA1
0c94f6e5362be794b1ea938880c922931c172ca8

SHA256
a8b1fe2f7c9150335df89e7d19eac368fca250bd5f64a7fc8c241fd650d02aec

SHA512
d3adf5f9e199c52c96b1dccfe4205e7fa841d7fd448f83397ce018ea812d09ca32a0a91a28c6b89d16fb840af33c7d605df741361e0281093f15edb588569ef8

Download Submit
\Users\Admin\AppData\Local\Temp\1007315001\2fefd0b28a.exe

Filesize
4.1MB

MD5
6a526a1de6b88bcee82dfd175665f8fe

SHA1
93cde28ab2200ea59d54ea1a4c3134cf8c3761bd

SHA256
4b5766119d70f66ca9016369112aa217db52564e5dd7e8d38c5aefb04fdbf0ac

SHA512
8feba93d83e1d774ac20902dc13215e7c2e1aa000e89eacfb490b17f546477bdb11cdf14bd8a92061133162268ad7ff8643d9a3b1701e540b85d495d636a48f4

Download Submit
memory/288-185-0x0000000000350000-0x00000000007F6000-memory.dmp

Filesize
4.6MB

Download
memory/288-217-0x0000000000350000-0x00000000007F6000-memory.dmp

Filesize
4.6MB

Download
memory/552-259-0x0000000000E00000-0x000000000194F000-memory.dmp

Filesize
11.3MB

Download
memory/1752-215-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2016-52-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-53-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-55-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-49-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-60-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2040-116-0x00000000066B0000-0x00000000069C2000-memory.dmp

Filesize
3.1MB

Download
memory/2040-115-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/2040-123-0x00000000066B0000-0x00000000069C2000-memory.dmp

Filesize
3.1MB

Download
memory/2040-114-0x00000000066B0000-0x00000000069C2000-memory.dmp

Filesize
3.1MB

Download
memory/2040-99-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/2304-192-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/2304-198-0x0000000076A90000-0x0000000076AD7000-memory.dmp

Filesize
284KB

Download
memory/2304-196-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2304-195-0x0000000001FE0000-0x00000000023E0000-memory.dmp

Filesize
4.0MB

Download
memory/2340-46-0x0000000005780000-0x00000000058D6000-memory.dmp

Filesize
1.3MB

Download
memory/2340-47-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/2340-42-0x0000000000D20000-0x0000000001040000-memory.dmp

Filesize
3.1MB

Download
memory/2496-166-0x00000000009C0000-0x0000000000E84000-memory.dmp

Filesize
4.8MB

Download
memory/2496-186-0x0000000004CF0000-0x00000000050F0000-memory.dmp

Filesize
4.0MB

Download
memory/2496-187-0x0000000004CF0000-0x00000000050F0000-memory.dmp

Filesize
4.0MB

Download
memory/2496-190-0x0000000076A90000-0x0000000076AD7000-memory.dmp

Filesize
284KB

Download
memory/2496-193-0x00000000009C0000-0x0000000000E84000-memory.dmp

Filesize
4.8MB

Download
memory/2496-188-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2596-200-0x0000000006A10000-0x0000000006F0D000-memory.dmp

Filesize
5.0MB

Download
memory/2596-118-0x00000000009C0000-0x0000000000CD2000-memory.dmp

Filesize
3.1MB

Download
memory/2596-145-0x0000000006A10000-0x0000000006F0D000-memory.dmp

Filesize
5.0MB

Download
memory/2596-221-0x00000000009C0000-0x0000000000CD2000-memory.dmp

Filesize
3.1MB

Download
memory/2596-240-0x0000000006A10000-0x0000000006ED4000-memory.dmp

Filesize
4.8MB

Download
memory/2596-242-0x00000000063F0000-0x00000000066FB000-memory.dmp

Filesize
3.0MB

Download
memory/2596-163-0x0000000006A10000-0x0000000006ED4000-memory.dmp

Filesize
4.8MB

Download
memory/2596-165-0x0000000006A10000-0x0000000006ED4000-memory.dmp

Filesize
4.8MB

Download
memory/2596-125-0x00000000009C0000-0x0000000000CD2000-memory.dmp

Filesize
3.1MB

Download
memory/2596-126-0x00000000009C0000-0x0000000000CD2000-memory.dmp

Filesize
3.1MB

Download
memory/2596-258-0x0000000006A10000-0x000000000755F000-memory.dmp

Filesize
11.3MB

Download
memory/2596-143-0x0000000006A10000-0x0000000006F0D000-memory.dmp

Filesize
5.0MB

Download
memory/2608-183-0x0000000006760000-0x0000000006C06000-memory.dmp

Filesize
4.6MB

Download
memory/2608-22-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-66-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-43-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-44-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-124-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-45-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-122-0x0000000006190000-0x00000000064A2000-memory.dmp

Filesize
3.1MB

Download
memory/2608-67-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-27-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-184-0x0000000006760000-0x0000000006C06000-memory.dmp

Filesize
4.6MB

Download
memory/2608-121-0x0000000006190000-0x00000000064A2000-memory.dmp

Filesize
3.1MB

Download
memory/2608-120-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-17-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-63-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-98-0x0000000006190000-0x00000000064A2000-memory.dmp

Filesize
3.1MB

Download
memory/2608-26-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-24-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-23-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-244-0x0000000006760000-0x0000000006C06000-memory.dmp

Filesize
4.6MB

Download
memory/2608-64-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-21-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-19-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-18-0x00000000008A1000-0x00000000008CF000-memory.dmp

Filesize
184KB

Download
memory/2608-220-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2608-100-0x0000000006190000-0x00000000064A2000-memory.dmp

Filesize
3.1MB

Download
memory/2608-65-0x00000000008A0000-0x0000000000BAB000-memory.dmp

Filesize
3.0MB

Download
memory/2692-241-0x0000000001230000-0x000000000153B000-memory.dmp

Filesize
3.0MB

Download
memory/2692-243-0x0000000001230000-0x000000000153B000-memory.dmp

Filesize
3.0MB

Download
memory/2848-14-0x0000000001130000-0x000000000143B000-memory.dmp

Filesize
3.0MB

Download
memory/2848-15-0x00000000068D0000-0x0000000006BDB000-memory.dmp

Filesize
3.0MB

Download
memory/2848-0-0x0000000001130000-0x000000000143B000-memory.dmp

Filesize
3.0MB

Download
memory/2848-5-0x0000000001130000-0x000000000143B000-memory.dmp

Filesize
3.0MB

Download
memory/2848-3-0x0000000001130000-0x000000000143B000-memory.dmp

Filesize
3.0MB

Download
memory/2848-2-0x0000000001131000-0x000000000115F000-memory.dmp

Filesize
184KB

Download
memory/2848-1-0x00000000775F0000-0x00000000775F2000-memory.dmp

Filesize
8KB

Download
memory/2876-144-0x0000000000F40000-0x000000000143D000-memory.dmp

Filesize
5.0MB

Download
memory/2876-147-0x0000000000F40000-0x000000000143D000-memory.dmp

Filesize
5.0MB

Download
memory/2900-81-0x0000000000850000-0x00000000019E6000-memory.dmp

Filesize
17.6MB

Download