amadey | ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb

Analysis

max time kernel
101s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe
Size

980KB
MD5

58b4d4e43301437f0e6cd7b2400c0606
SHA1

c54cdfeb9457d65e1c9bf29a4f5fd4a3c0a2c570
SHA256

ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb
SHA512

3f14fdfdb64f1fd438a9745abeff5298bbfec0d29e2a3de2f95cf56f32ca56b4a4a6b1db0a5ac8bc8c411d87533a9af920774037fb690d832a5bbc1d86112e47
SSDEEP

24576:Sykii+FnyDH8C7t7a8qb/Qt5ateXq8SIJcpX:5kiHw8CIp+Rl

Score

10^/10

amadey redline foksa rosto discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosto

hueref.eu:4162

Attributes

auth_value
07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

amadey

Version

3.68

193.233.20.25/buH5N004d/index.php

Extracted

Family

redline

Botnet

foksa

hueref.eu:4162

Attributes

auth_value
6a9b2601a21672b285de3ed41b5402e4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ctIY43ed74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ctIY43ed74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ctIY43ed74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beTV10TZ49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beTV10TZ49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ctIY43ed74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beTV10TZ49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ctIY43ed74.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ctIY43ed74.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	beTV10TZ49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beTV10TZ49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beTV10TZ49.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

resource	yara_rule
behavioral1/memory/4524-209-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-211-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-208-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-213-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-215-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-217-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-219-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-221-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-223-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-225-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-227-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-229-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-231-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-233-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-235-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-237-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-239-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-241-0x00000000050F0000-0x000000000512E000-memory.dmp	family_redline
behavioral1/memory/4524-260-0x00000000023F0000-0x0000000002400000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	hk51il59Us71.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ghaaer.exe

Executes dropped EXE 10 IoCs

pid	Process
1064	ptqK6132LB.exe
1804	ptAM7834RW.exe
1684	ptmY3422pE.exe
3684	beTV10TZ49.exe
4404	ctIY43ed74.exe
4524	drAP56AE73.exe
3104	hk51il59Us71.exe
3924	ghaaer.exe
3020	jxlo51kL52.exe
1148	ghaaer.exe

Loads dropped DLL 1 IoCs

pid	Process
1892	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ctIY43ed74.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	beTV10TZ49.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	beTV10TZ49.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptmY3422pE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ptmY3422pE.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptqK6132LB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ptqK6132LB.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptAM7834RW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptAM7834RW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1252	3684	WerFault.exe	89
2772	4524	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3684	beTV10TZ49.exe
3684	beTV10TZ49.exe
4404	ctIY43ed74.exe
4404	ctIY43ed74.exe
4524	drAP56AE73.exe
4524	drAP56AE73.exe
3020	jxlo51kL52.exe
3020	jxlo51kL52.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	beTV10TZ49.exe
Token: SeDebugPrivilege	4404	ctIY43ed74.exe
Token: SeDebugPrivilege	4524	drAP56AE73.exe
Token: SeDebugPrivilege	3020	jxlo51kL52.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 1064	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	86
PID 2720 wrote to memory of 1064	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	86
PID 2720 wrote to memory of 1064	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	86
PID 1064 wrote to memory of 1804	1064	ptqK6132LB.exe	87
PID 1064 wrote to memory of 1804	1064	ptqK6132LB.exe	87
PID 1064 wrote to memory of 1804	1064	ptqK6132LB.exe	87
PID 1804 wrote to memory of 1684	1804	ptAM7834RW.exe	88
PID 1804 wrote to memory of 1684	1804	ptAM7834RW.exe	88
PID 1804 wrote to memory of 1684	1804	ptAM7834RW.exe	88
PID 1684 wrote to memory of 3684	1684	ptmY3422pE.exe	89
PID 1684 wrote to memory of 3684	1684	ptmY3422pE.exe	89
PID 1684 wrote to memory of 3684	1684	ptmY3422pE.exe	89
PID 1684 wrote to memory of 4404	1684	ptmY3422pE.exe	95
PID 1684 wrote to memory of 4404	1684	ptmY3422pE.exe	95
PID 1804 wrote to memory of 4524	1804	ptAM7834RW.exe	96
PID 1804 wrote to memory of 4524	1804	ptAM7834RW.exe	96
PID 1804 wrote to memory of 4524	1804	ptAM7834RW.exe	96
PID 1064 wrote to memory of 3104	1064	ptqK6132LB.exe	109
PID 1064 wrote to memory of 3104	1064	ptqK6132LB.exe	109
PID 1064 wrote to memory of 3104	1064	ptqK6132LB.exe	109
PID 3104 wrote to memory of 3924	3104	hk51il59Us71.exe	110
PID 3104 wrote to memory of 3924	3104	hk51il59Us71.exe	110
PID 3104 wrote to memory of 3924	3104	hk51il59Us71.exe	110
PID 2720 wrote to memory of 3020	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	111
PID 2720 wrote to memory of 3020	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	111
PID 2720 wrote to memory of 3020	2720	ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe	111
PID 3924 wrote to memory of 4220	3924	ghaaer.exe	112
PID 3924 wrote to memory of 4220	3924	ghaaer.exe	112
PID 3924 wrote to memory of 4220	3924	ghaaer.exe	112
PID 3924 wrote to memory of 2748	3924	ghaaer.exe	113
PID 3924 wrote to memory of 2748	3924	ghaaer.exe	113
PID 3924 wrote to memory of 2748	3924	ghaaer.exe	113
PID 2748 wrote to memory of 4328	2748	cmd.exe	116
PID 2748 wrote to memory of 4328	2748	cmd.exe	116
PID 2748 wrote to memory of 4328	2748	cmd.exe	116
PID 2748 wrote to memory of 4644	2748	cmd.exe	117
PID 2748 wrote to memory of 4644	2748	cmd.exe	117
PID 2748 wrote to memory of 4644	2748	cmd.exe	117
PID 2748 wrote to memory of 1456	2748	cmd.exe	118
PID 2748 wrote to memory of 1456	2748	cmd.exe	118
PID 2748 wrote to memory of 1456	2748	cmd.exe	118
PID 2748 wrote to memory of 976	2748	cmd.exe	119
PID 2748 wrote to memory of 976	2748	cmd.exe	119
PID 2748 wrote to memory of 976	2748	cmd.exe	119
PID 2748 wrote to memory of 636	2748	cmd.exe	120
PID 2748 wrote to memory of 636	2748	cmd.exe	120
PID 2748 wrote to memory of 636	2748	cmd.exe	120
PID 2748 wrote to memory of 1060	2748	cmd.exe	121
PID 2748 wrote to memory of 1060	2748	cmd.exe	121
PID 2748 wrote to memory of 1060	2748	cmd.exe	121
PID 3924 wrote to memory of 1892	3924	ghaaer.exe	123
PID 3924 wrote to memory of 1892	3924	ghaaer.exe	123
PID 3924 wrote to memory of 1892	3924	ghaaer.exe	123

C:\Users\Admin\AppData\Local\Temp\ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe
"C:\Users\Admin\AppData\Local\Temp\ef63aa1f88b9426b9784132ccb08b1d38d736dbbf5d5720d63da3a53486b2adb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqK6132LB.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqK6132LB.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAM7834RW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAM7834RW.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptmY3422pE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptmY3422pE.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTV10TZ49.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTV10TZ49.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1080
        6⤵
        Program crash
        
        PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctIY43ed74.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctIY43ed74.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drAP56AE73.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drAP56AE73.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4524
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 1388
        5⤵
        Program crash
        
        PID:2772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk51il59Us71.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk51il59Us71.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
      "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:4220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:N"
        6⤵
        
        PID:4644
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:R" /E
        6⤵
        
        PID:1456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:976
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\46aee2aca4" /P "Admin:N"
        6⤵
        
        PID:636
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\46aee2aca4" /P "Admin:R" /E
        6⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxlo51kL52.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxlo51kL52.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3684 -ip 3684
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4524 -ip 4524
1⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
1⤵
- Executes dropped EXE
PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxlo51kL52.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxlo51kL52.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqK6132LB.exe

Filesize
843KB

MD5
7dcf6ce3c9f67d5c09ef0f94a9d3805a

SHA1
866dc41c5f6a2ba86108dd888a405f0c5efe7b5d

SHA256
b766c9dcd772650d96ebdbf6cabb282dff5db3fc41e97a44f9aa94d9b6e55f4c

SHA512
67d9da463e95061fceb29ac0c3aded750099ac5cb33d1f4d9e3a3e37c80a2bc81c2bd7cf1ec30534052a3467e2962ff114728be63da317aa2b18ffff054b21c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptqK6132LB.exe

Filesize
843KB

MD5
7dcf6ce3c9f67d5c09ef0f94a9d3805a

SHA1
866dc41c5f6a2ba86108dd888a405f0c5efe7b5d

SHA256
b766c9dcd772650d96ebdbf6cabb282dff5db3fc41e97a44f9aa94d9b6e55f4c

SHA512
67d9da463e95061fceb29ac0c3aded750099ac5cb33d1f4d9e3a3e37c80a2bc81c2bd7cf1ec30534052a3467e2962ff114728be63da317aa2b18ffff054b21c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk51il59Us71.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk51il59Us71.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAM7834RW.exe

Filesize
656KB

MD5
30ef8d9f62777573c1c881d9e63f6fd3

SHA1
c15484e6f5546fd11e3a337f276f613ed03c9a4b

SHA256
2a01bd09ff3146ca69a9665beccccd2837c373101f0ac5c4563c771811382188

SHA512
ffd528feb49c011e15c4f3a88d33f9acd5e39e5e8c82303e4cc1b725f1c81f6fc3f40fa2fa651047b5a3c0fd0633e3de1d65aabdb6967a813e339525d71ac1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAM7834RW.exe

Filesize
656KB

MD5
30ef8d9f62777573c1c881d9e63f6fd3

SHA1
c15484e6f5546fd11e3a337f276f613ed03c9a4b

SHA256
2a01bd09ff3146ca69a9665beccccd2837c373101f0ac5c4563c771811382188

SHA512
ffd528feb49c011e15c4f3a88d33f9acd5e39e5e8c82303e4cc1b725f1c81f6fc3f40fa2fa651047b5a3c0fd0633e3de1d65aabdb6967a813e339525d71ac1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drAP56AE73.exe

Filesize
289KB

MD5
1c795044102f7759152f7661b15c22bf

SHA1
66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

SHA256
8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

SHA512
8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drAP56AE73.exe

Filesize
289KB

MD5
1c795044102f7759152f7661b15c22bf

SHA1
66e3fee6ce5c4fd8974bb493b8ea7f63f0de4224

SHA256
8f76de3f10a19e704eaaa544d8b0aea616b3b55e5e9d4f91afed3db0c60714a4

SHA512
8c6313c1b71200f905a41b131ebb5a54f4057dd14fe062565674b4d86ebdb8ca2faf8655c970bb3ba279d34ea761c0d71d81c94f3fc9cec7dd2c49737b7653a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptmY3422pE.exe

Filesize
329KB

MD5
e35faf3454848f0b4c49dc455a96b9dc

SHA1
3d7bb6a7689f366f365f7d526222df3cb8831145

SHA256
6cb33031e7b3e5890255a8c748a382ba6b9e6c90f25e4ac01c54df0949cd6b1e

SHA512
db8cf7401357b852db3fd2f21a60f1f315c865c73654cc725d917045cda2d8dcefe14cdb299a7555dbc586af60f4092dcba0107fa3ae9aa9e78f67e1735853d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptmY3422pE.exe

Filesize
329KB

MD5
e35faf3454848f0b4c49dc455a96b9dc

SHA1
3d7bb6a7689f366f365f7d526222df3cb8831145

SHA256
6cb33031e7b3e5890255a8c748a382ba6b9e6c90f25e4ac01c54df0949cd6b1e

SHA512
db8cf7401357b852db3fd2f21a60f1f315c865c73654cc725d917045cda2d8dcefe14cdb299a7555dbc586af60f4092dcba0107fa3ae9aa9e78f67e1735853d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTV10TZ49.exe

Filesize
232KB

MD5
654d38a192aa90f8f2d4c64647ed64d1

SHA1
366c844b2fc2b4c0b0191754d4a1470e1763ccb4

SHA256
93f2d867562d5187beac7b8d7a55a8f435b7bbab77152b0c7bb3f8c22c2d23a2

SHA512
9ce88068e0e4cfac55467fbccc2621bbe431353bf4faf6a0957a6ae38f083023fbd130abb423e35f344e4d3952aed8470eba47c3ab71ff7ec61ff5a79aa80303

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beTV10TZ49.exe

Filesize
232KB

MD5
654d38a192aa90f8f2d4c64647ed64d1

SHA1
366c844b2fc2b4c0b0191754d4a1470e1763ccb4

SHA256
93f2d867562d5187beac7b8d7a55a8f435b7bbab77152b0c7bb3f8c22c2d23a2

SHA512
9ce88068e0e4cfac55467fbccc2621bbe431353bf4faf6a0957a6ae38f083023fbd130abb423e35f344e4d3952aed8470eba47c3ab71ff7ec61ff5a79aa80303

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctIY43ed74.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctIY43ed74.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3020-1150-0x0000000000620000-0x0000000000652000-memory.dmp

Filesize
200KB

Download
memory/3020-1151-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3020-1152-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3684-163-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/3684-183-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-193-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-194-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3684-195-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3684-196-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3684-198-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/3684-189-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-162-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/3684-187-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-185-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-191-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-181-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-179-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-177-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-175-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-173-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-171-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-169-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-166-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-167-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/3684-165-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3684-164-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4404-202-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/4524-219-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-239-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-241-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-258-0x00000000005C0000-0x000000000060B000-memory.dmp

Filesize
300KB

Download
memory/4524-262-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-260-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1117-0x0000000005190000-0x00000000057A8000-memory.dmp

Filesize
6.1MB

Download
memory/4524-1118-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/4524-1119-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/4524-1120-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/4524-1121-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1122-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/4524-1123-0x0000000006360000-0x00000000063F2000-memory.dmp

Filesize
584KB

Download
memory/4524-1126-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1125-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1127-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1128-0x00000000077F0000-0x00000000079B2000-memory.dmp

Filesize
1.8MB

Download
memory/4524-1129-0x00000000079C0000-0x0000000007EEC000-memory.dmp

Filesize
5.2MB

Download
memory/4524-1130-0x00000000023F0000-0x0000000002400000-memory.dmp

Filesize
64KB

Download
memory/4524-1131-0x0000000007FA0000-0x0000000008016000-memory.dmp

Filesize
472KB

Download
memory/4524-1132-0x0000000008020000-0x0000000008070000-memory.dmp

Filesize
320KB

Download
memory/4524-237-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-235-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-233-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-231-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-229-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-227-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-225-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-223-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-221-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-217-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-215-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-213-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-208-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-211-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download
memory/4524-209-0x00000000050F0000-0x000000000512E000-memory.dmp

Filesize
248KB

Download