amadey | 8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe
Size

986KB
MD5

5c80375ba8c2ebb0b014b10727a6bf32
SHA1

7f49813bfc31199b8d4dd34089e821511684436b
SHA256

8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2
SHA512

e645088b3257623f50de9a1f8260c50fa9264462dca1b8fef07172ff59a2fbb1afeee78f8e8eedcefe3b6d6ccd2b366c5a48b4938bbd7dda9d64d7a910735da1
SSDEEP

24576:Py3ZVU+ATNnsQ/48d71ElOIvP0AhExeQ9P35xBQZM:a3ZS3B371Q1hExNjxBQ

Score

10^/10

amadey redline foksa rosto discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosto

hueref.eu:4162

Attributes

auth_value
07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

amadey

Version

3.68

193.233.20.26/Do3m4Gor/index.php

Extracted

Family

redline

Botnet

foksa

hueref.eu:4162

Attributes

auth_value
6a9b2601a21672b285de3ed41b5402e4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ljzL39Sy91.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ljzL39Sy91.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ljzL39Sy91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	knmb55Zp52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ljzL39Sy91.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ljzL39Sy91.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ljzL39Sy91.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	knmb55Zp52.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2712-211-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-210-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-213-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-215-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-217-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-219-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-221-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-229-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-225-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-231-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-233-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-235-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-237-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-239-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-241-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-243-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-245-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/2712-247-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nm75YB58Lp45.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ghaaer.exe

Executes dropped EXE 11 IoCs

pid	Process
1040	zkWL6488vF.exe
1840	zkLZ5019dk.exe
3680	zkmq6639Xh.exe
3704	knmb55Zp52.exe
3420	ljzL39Sy91.exe
2712	miXq15BM86.exe
3836	nm75YB58Lp45.exe
2300	ghaaer.exe
4984	rdqw56mJ50.exe
724	ghaaer.exe
4936	ghaaer.exe

Loads dropped DLL 1 IoCs

pid	Process
3804	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	knmb55Zp52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ljzL39Sy91.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zkLZ5019dk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkmq6639Xh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zkmq6639Xh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkWL6488vF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zkWL6488vF.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zkLZ5019dk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2708	3704	WerFault.exe	85
4668	2712	WerFault.exe	101

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3704	knmb55Zp52.exe
3704	knmb55Zp52.exe
3420	ljzL39Sy91.exe
3420	ljzL39Sy91.exe
2712	miXq15BM86.exe
2712	miXq15BM86.exe
4984	rdqw56mJ50.exe
4984	rdqw56mJ50.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	knmb55Zp52.exe
Token: SeDebugPrivilege	3420	ljzL39Sy91.exe
Token: SeDebugPrivilege	2712	miXq15BM86.exe
Token: SeDebugPrivilege	4984	rdqw56mJ50.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 1040	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	81
PID 2660 wrote to memory of 1040	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	81
PID 2660 wrote to memory of 1040	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	81
PID 1040 wrote to memory of 1840	1040	zkWL6488vF.exe	82
PID 1040 wrote to memory of 1840	1040	zkWL6488vF.exe	82
PID 1040 wrote to memory of 1840	1040	zkWL6488vF.exe	82
PID 1840 wrote to memory of 3680	1840	zkLZ5019dk.exe	84
PID 1840 wrote to memory of 3680	1840	zkLZ5019dk.exe	84
PID 1840 wrote to memory of 3680	1840	zkLZ5019dk.exe	84
PID 3680 wrote to memory of 3704	3680	zkmq6639Xh.exe	85
PID 3680 wrote to memory of 3704	3680	zkmq6639Xh.exe	85
PID 3680 wrote to memory of 3704	3680	zkmq6639Xh.exe	85
PID 3680 wrote to memory of 3420	3680	zkmq6639Xh.exe	100
PID 3680 wrote to memory of 3420	3680	zkmq6639Xh.exe	100
PID 1840 wrote to memory of 2712	1840	zkLZ5019dk.exe	101
PID 1840 wrote to memory of 2712	1840	zkLZ5019dk.exe	101
PID 1840 wrote to memory of 2712	1840	zkLZ5019dk.exe	101
PID 1040 wrote to memory of 3836	1040	zkWL6488vF.exe	106
PID 1040 wrote to memory of 3836	1040	zkWL6488vF.exe	106
PID 1040 wrote to memory of 3836	1040	zkWL6488vF.exe	106
PID 3836 wrote to memory of 2300	3836	nm75YB58Lp45.exe	107
PID 3836 wrote to memory of 2300	3836	nm75YB58Lp45.exe	107
PID 3836 wrote to memory of 2300	3836	nm75YB58Lp45.exe	107
PID 2660 wrote to memory of 4984	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	108
PID 2660 wrote to memory of 4984	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	108
PID 2660 wrote to memory of 4984	2660	8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe	108
PID 2300 wrote to memory of 5048	2300	ghaaer.exe	109
PID 2300 wrote to memory of 5048	2300	ghaaer.exe	109
PID 2300 wrote to memory of 5048	2300	ghaaer.exe	109
PID 2300 wrote to memory of 4304	2300	ghaaer.exe	111
PID 2300 wrote to memory of 4304	2300	ghaaer.exe	111
PID 2300 wrote to memory of 4304	2300	ghaaer.exe	111
PID 4304 wrote to memory of 4312	4304	cmd.exe	114
PID 4304 wrote to memory of 4312	4304	cmd.exe	114
PID 4304 wrote to memory of 4312	4304	cmd.exe	114
PID 4304 wrote to memory of 3312	4304	cmd.exe	113
PID 4304 wrote to memory of 3312	4304	cmd.exe	113
PID 4304 wrote to memory of 3312	4304	cmd.exe	113
PID 4304 wrote to memory of 4468	4304	cmd.exe	115
PID 4304 wrote to memory of 4468	4304	cmd.exe	115
PID 4304 wrote to memory of 4468	4304	cmd.exe	115
PID 4304 wrote to memory of 4392	4304	cmd.exe	116
PID 4304 wrote to memory of 4392	4304	cmd.exe	116
PID 4304 wrote to memory of 4392	4304	cmd.exe	116
PID 4304 wrote to memory of 492	4304	cmd.exe	117
PID 4304 wrote to memory of 492	4304	cmd.exe	117
PID 4304 wrote to memory of 492	4304	cmd.exe	117
PID 4304 wrote to memory of 1332	4304	cmd.exe	118
PID 4304 wrote to memory of 1332	4304	cmd.exe	118
PID 4304 wrote to memory of 1332	4304	cmd.exe	118
PID 2300 wrote to memory of 3804	2300	ghaaer.exe	121
PID 2300 wrote to memory of 3804	2300	ghaaer.exe	121
PID 2300 wrote to memory of 3804	2300	ghaaer.exe	121

C:\Users\Admin\AppData\Local\Temp\8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe
"C:\Users\Admin\AppData\Local\Temp\8f79740dea7fef1e268d10c85a5d14ffc6758f7120d40735c36a1bfd7b0183f2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkWL6488vF.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkWL6488vF.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkLZ5019dk.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkLZ5019dk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkmq6639Xh.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkmq6639Xh.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knmb55Zp52.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knmb55Zp52.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1084
        6⤵
        Program crash
        
        PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ljzL39Sy91.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ljzL39Sy91.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\miXq15BM86.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\miXq15BM86.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2712
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 896
        5⤵
        Program crash
        
        PID:4668
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nm75YB58Lp45.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nm75YB58Lp45.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe
      "C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:5048
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4304
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:N"
        6⤵
        
        PID:3312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4312
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:R" /E
        6⤵
        
        PID:4468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4392
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        6⤵
        
        PID:492
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        6⤵
        
        PID:1332
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rdqw56mJ50.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rdqw56mJ50.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3704 -ip 3704
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2712 -ip 2712
1⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe
1⤵
- Executes dropped EXE
PID:724

C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe
1⤵
- Executes dropped EXE
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\ghaaer.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rdqw56mJ50.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rdqw56mJ50.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkWL6488vF.exe

Filesize
842KB

MD5
ad915505bdbded72e3270760122ac935

SHA1
f3d97fe3e0e66e64176f6da347491c3790916872

SHA256
e71692f2bf9023e410f0682509bf788d18028f997eb705fe95c1a5044a784ab4

SHA512
9f7b9d6654a07a7730f8d7d92bdeb3c1f2ef10effb4c4399981c746df93fed7c55a246baed7aacef58715d9a1ce18a2d5c88519132957d5183091f19f80b0f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zkWL6488vF.exe

Filesize
842KB

MD5
ad915505bdbded72e3270760122ac935

SHA1
f3d97fe3e0e66e64176f6da347491c3790916872

SHA256
e71692f2bf9023e410f0682509bf788d18028f997eb705fe95c1a5044a784ab4

SHA512
9f7b9d6654a07a7730f8d7d92bdeb3c1f2ef10effb4c4399981c746df93fed7c55a246baed7aacef58715d9a1ce18a2d5c88519132957d5183091f19f80b0f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nm75YB58Lp45.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nm75YB58Lp45.exe

Filesize
235KB

MD5
ac37b26719e17ef06e7eff1e80d80fad

SHA1
7027aea7add1fdbbe8da8d1f2929db974aea9d0b

SHA256
5260335d8eccfa3de42a0819ecd504b80c9cc8dad5bddbc7fd1e48763961133b

SHA512
f791a7c1af223bbcb7234e791b69796919abc0c2e220f746a52f151e2ae4e5a395aae0693324430efc069f2276ab82e43895ae8cc36103f1846a98a012bfcf0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkLZ5019dk.exe

Filesize
655KB

MD5
0bdd1a69bd3d7757255ee9c82158524b

SHA1
909f4caca63bd398e214e7efa26eb307c185928b

SHA256
172406952294ad2caa088f9e318578f46b8b6cb44e5ff8a611557a71717dab4a

SHA512
f75d262cbe32f544c77d4f9d03a29f36bf9b9da0c453999a7668e6f2abe858dcb262d9dfb347e1d05f663f200eae6780445396fc794f99727feec6df958c8f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zkLZ5019dk.exe

Filesize
655KB

MD5
0bdd1a69bd3d7757255ee9c82158524b

SHA1
909f4caca63bd398e214e7efa26eb307c185928b

SHA256
172406952294ad2caa088f9e318578f46b8b6cb44e5ff8a611557a71717dab4a

SHA512
f75d262cbe32f544c77d4f9d03a29f36bf9b9da0c453999a7668e6f2abe858dcb262d9dfb347e1d05f663f200eae6780445396fc794f99727feec6df958c8f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\miXq15BM86.exe

Filesize
290KB

MD5
1ef58e21a15e90d73d400e2b62b17256

SHA1
5ac56358af1c665c89dda115587a5360fecb841a

SHA256
1406756fb455734d1a168cecfb2312e43937ed84153f6578d11d8c30729af209

SHA512
302fda42de2c9fa1ba22f4be5630b25c33abcacf576b040abf5df26f9acefb68f5eeddcc21bac6086d9e43fd92dfe31969251f2b74de2e441c0cce7cf9cd08f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\miXq15BM86.exe

Filesize
290KB

MD5
1ef58e21a15e90d73d400e2b62b17256

SHA1
5ac56358af1c665c89dda115587a5360fecb841a

SHA256
1406756fb455734d1a168cecfb2312e43937ed84153f6578d11d8c30729af209

SHA512
302fda42de2c9fa1ba22f4be5630b25c33abcacf576b040abf5df26f9acefb68f5eeddcc21bac6086d9e43fd92dfe31969251f2b74de2e441c0cce7cf9cd08f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkmq6639Xh.exe

Filesize
327KB

MD5
bcb5df58094eeaf606aef4f6d7014f22

SHA1
40e5dca404eee97d5f940fa9102cf05475d917ce

SHA256
299e7ee39f867dac0c46f9c2bfe42506e2cf0d111db72aee86ae7041460512c7

SHA512
3e663d0fb94d6cd1f9e4e00bc918148b817349fbe3a72fef0950896196dbbf0e91b8ab911c9a7fb10de63730b94be449c060c238a73691d7d50921aa624a9941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zkmq6639Xh.exe

Filesize
327KB

MD5
bcb5df58094eeaf606aef4f6d7014f22

SHA1
40e5dca404eee97d5f940fa9102cf05475d917ce

SHA256
299e7ee39f867dac0c46f9c2bfe42506e2cf0d111db72aee86ae7041460512c7

SHA512
3e663d0fb94d6cd1f9e4e00bc918148b817349fbe3a72fef0950896196dbbf0e91b8ab911c9a7fb10de63730b94be449c060c238a73691d7d50921aa624a9941

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knmb55Zp52.exe

Filesize
232KB

MD5
db3ab3357fc347e4ca262d7a8cf6f90f

SHA1
517fef5bb4d3246dd817765cdb7747b0580973b4

SHA256
e03720c814f0a4c343c5f49e4d8e53f9ee71d7a6412c93b5bdb1ac58e80eddad

SHA512
f7d7b8e7850b0f00381619e1f8776d1885e43f489b4786daaeea4a5a8b2d278b10cc0a693b32ff4023bbee1e8a6f8e51e227ce97ac8a0d201f8f43efe772e97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\knmb55Zp52.exe

Filesize
232KB

MD5
db3ab3357fc347e4ca262d7a8cf6f90f

SHA1
517fef5bb4d3246dd817765cdb7747b0580973b4

SHA256
e03720c814f0a4c343c5f49e4d8e53f9ee71d7a6412c93b5bdb1ac58e80eddad

SHA512
f7d7b8e7850b0f00381619e1f8776d1885e43f489b4786daaeea4a5a8b2d278b10cc0a693b32ff4023bbee1e8a6f8e51e227ce97ac8a0d201f8f43efe772e97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ljzL39Sy91.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ljzL39Sy91.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
c1ddaca25d84d05e809ffce1d2b468b7

SHA1
38f257a264e657a20aa2fb3b48adb53c4bce5c8f

SHA256
cf2730fda38e3945795b00cfaa3074b9ec356b0ff7b2a493a318fccd34b677dd

SHA512
87fc6fc4aa53d4ba31da2802677599709cbd04556082cf3531e2c90659c23d5fa2210b658635f11f48b22d87e01c26bed5bf42f8139962441a3778754229f14e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
c1ddaca25d84d05e809ffce1d2b468b7

SHA1
38f257a264e657a20aa2fb3b48adb53c4bce5c8f

SHA256
cf2730fda38e3945795b00cfaa3074b9ec356b0ff7b2a493a318fccd34b677dd

SHA512
87fc6fc4aa53d4ba31da2802677599709cbd04556082cf3531e2c90659c23d5fa2210b658635f11f48b22d87e01c26bed5bf42f8139962441a3778754229f14e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
c1ddaca25d84d05e809ffce1d2b468b7

SHA1
38f257a264e657a20aa2fb3b48adb53c4bce5c8f

SHA256
cf2730fda38e3945795b00cfaa3074b9ec356b0ff7b2a493a318fccd34b677dd

SHA512
87fc6fc4aa53d4ba31da2802677599709cbd04556082cf3531e2c90659c23d5fa2210b658635f11f48b22d87e01c26bed5bf42f8139962441a3778754229f14e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2712-1126-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/2712-245-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-1135-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-1134-0x0000000006F50000-0x0000000006FA0000-memory.dmp

Filesize
320KB

Download
memory/2712-1133-0x0000000006EC0000-0x0000000006F36000-memory.dmp

Filesize
472KB

Download
memory/2712-1132-0x0000000006760000-0x0000000006C8C000-memory.dmp

Filesize
5.2MB

Download
memory/2712-1131-0x0000000006580000-0x0000000006742000-memory.dmp

Filesize
1.8MB

Download
memory/2712-1130-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-1129-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-1128-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-1125-0x0000000005DD0000-0x0000000005E62000-memory.dmp

Filesize
584KB

Download
memory/2712-1124-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-1123-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/2712-211-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-210-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-213-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-215-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-217-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-219-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-221-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-222-0x0000000000660000-0x00000000006AB000-memory.dmp

Filesize
300KB

Download
memory/2712-224-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-226-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-228-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/2712-229-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-225-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-231-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-233-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-235-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-237-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-239-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-241-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-243-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-1122-0x0000000005AB0000-0x0000000005AC2000-memory.dmp

Filesize
72KB

Download
memory/2712-247-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/2712-1120-0x00000000052D0000-0x00000000058E8000-memory.dmp

Filesize
6.1MB

Download
memory/2712-1121-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3420-204-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/3704-183-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-164-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-186-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-185-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-188-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-190-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-200-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3704-199-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-198-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-197-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-195-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3704-179-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-181-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/3704-182-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-194-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-177-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-175-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-173-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-171-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-162-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/3704-163-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/3704-169-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-165-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-167-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/3704-192-0x0000000004C20000-0x0000000004C32000-memory.dmp

Filesize
72KB

Download
memory/4984-1154-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4984-1153-0x0000000000E10000-0x0000000000E42000-memory.dmp

Filesize
200KB

Download