| Domain | ID | Sub-technique | Name | Use |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys. |
| Enterprise | T1005 | | Data from Local System | |
| Enterprise | T1140 | | Deobfuscate/Decode Files or Information | |
| Enterprise | T1568 | .001 | Dynamic Resolution: Fast Flux DNS | |
| Enterprise | T1041 | | Exfiltration Over C2 Channel | |
| Enterprise | T1083 | | File and Directory Discovery | Amadey has searched for folders associated with antivirus software. |
| Enterprise | T1105 | | Ingress Tool Transfer | Amadey can download and execute files to further infect a host machine with additional malware. |
| | | | | Amadey has used a variety of Windows API calls, including |
| Enterprise | T1027 | | Obfuscated Files or Information | Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others. |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery | Amadey has checked for a variety of antivirus products. |
| Enterprise | T1553 | .005 | Subvert Trust Controls: Mark-of-the-Web Bypass | Amadey has modified the |
| Enterprise | T1082 | | System Information Discovery | Amadey has collected the computer name and OS version from a compromised machine. |
| Enterprise | T1614 | | System Location Discovery | Amadey does not run any tasks or install additional malware if the victim machine is based in Russia. |
| Enterprise | T1016 | | System Network Configuration Discovery | |
| Enterprise | T1033 | | System Owner/User Discovery | Amadey has collected the user name from a compromised host using |