amadey | 894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04/03/2023, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe
Size

986KB
MD5

570124716b9f56be84d502502ae8034c
SHA1

44ee22ea34924b7fc896d35a7115ccd64168bcb8
SHA256

894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b
SHA512

05371c5a567785ad05d04d53879c1806cabf10e2e78b21ddd1dcb3073d060a26609dbcb63be5306009d8419162cd6fb995a95e0f0ddd5d07c52eaae2d2a7205c
SSDEEP

12288:SMr7y90195SEXc4o6VHOsQMvoOE0RRXprKNQJW6qPve58hW9BK+fEAvEWdYyKVDj:1y0SEX4dsgOpUgQPM4fhWsD3OS

Score

10^/10

amadey redline foksa rosto discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosto

hueref.eu:4162

Attributes

auth_value
07d81eba8cad42bbd0ae60042d48eac6

Extracted

Family

amadey

Version

3.68

193.233.20.25/buH5N004d/index.php

Extracted

Family

redline

Botnet

foksa

hueref.eu:4162

Attributes

auth_value
6a9b2601a21672b285de3ed41b5402e4

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ctqm52UK61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ctqm52UK61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ctqm52UK61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ctqm52UK61.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ctqm52UK61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beLn71El98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ctqm52UK61.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2384-210-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-211-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-213-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-215-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-217-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-219-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-221-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-223-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-225-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-232-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-235-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-237-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-227-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-239-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-241-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-243-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-245-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline
behavioral1/memory/2384-247-0x0000000002430000-0x000000000246E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	hk82jN83Mg65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ghaaer.exe

Executes dropped EXE 11 IoCs

pid	Process
1936	ptZG1042ec.exe
408	ptAI9055vB.exe
492	ptoV6649Ii.exe
4792	beLn71El98.exe
2148	ctqm52UK61.exe
2384	drCm51KB67.exe
4844	hk82jN83Mg65.exe
224	ghaaer.exe
4792	jxHH46ax30.exe
5012	ghaaer.exe
4136	ghaaer.exe

Loads dropped DLL 1 IoCs

pid	Process
4172	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	beLn71El98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ctqm52UK61.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptoV6649Ii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ptoV6649Ii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptZG1042ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ptZG1042ec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ptAI9055vB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptAI9055vB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5004	4792	WerFault.exe	88
2880	2384	WerFault.exe	103

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4792	beLn71El98.exe
4792	beLn71El98.exe
2148	ctqm52UK61.exe
2148	ctqm52UK61.exe
2384	drCm51KB67.exe
2384	drCm51KB67.exe
4792	jxHH46ax30.exe
4792	jxHH46ax30.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	beLn71El98.exe
Token: SeDebugPrivilege	2148	ctqm52UK61.exe
Token: SeDebugPrivilege	2384	drCm51KB67.exe
Token: SeDebugPrivilege	4792	jxHH46ax30.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1936	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	85
PID 2548 wrote to memory of 1936	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	85
PID 2548 wrote to memory of 1936	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	85
PID 1936 wrote to memory of 408	1936	ptZG1042ec.exe	86
PID 1936 wrote to memory of 408	1936	ptZG1042ec.exe	86
PID 1936 wrote to memory of 408	1936	ptZG1042ec.exe	86
PID 408 wrote to memory of 492	408	ptAI9055vB.exe	87
PID 408 wrote to memory of 492	408	ptAI9055vB.exe	87
PID 408 wrote to memory of 492	408	ptAI9055vB.exe	87
PID 492 wrote to memory of 4792	492	ptoV6649Ii.exe	88
PID 492 wrote to memory of 4792	492	ptoV6649Ii.exe	88
PID 492 wrote to memory of 4792	492	ptoV6649Ii.exe	88
PID 492 wrote to memory of 2148	492	ptoV6649Ii.exe	102
PID 492 wrote to memory of 2148	492	ptoV6649Ii.exe	102
PID 408 wrote to memory of 2384	408	ptAI9055vB.exe	103
PID 408 wrote to memory of 2384	408	ptAI9055vB.exe	103
PID 408 wrote to memory of 2384	408	ptAI9055vB.exe	103
PID 1936 wrote to memory of 4844	1936	ptZG1042ec.exe	108
PID 1936 wrote to memory of 4844	1936	ptZG1042ec.exe	108
PID 1936 wrote to memory of 4844	1936	ptZG1042ec.exe	108
PID 4844 wrote to memory of 224	4844	hk82jN83Mg65.exe	109
PID 4844 wrote to memory of 224	4844	hk82jN83Mg65.exe	109
PID 4844 wrote to memory of 224	4844	hk82jN83Mg65.exe	109
PID 2548 wrote to memory of 4792	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	110
PID 2548 wrote to memory of 4792	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	110
PID 2548 wrote to memory of 4792	2548	894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe	110
PID 224 wrote to memory of 3664	224	ghaaer.exe	111
PID 224 wrote to memory of 3664	224	ghaaer.exe	111
PID 224 wrote to memory of 3664	224	ghaaer.exe	111
PID 224 wrote to memory of 1064	224	ghaaer.exe	113
PID 224 wrote to memory of 1064	224	ghaaer.exe	113
PID 224 wrote to memory of 1064	224	ghaaer.exe	113
PID 1064 wrote to memory of 4048	1064	cmd.exe	115
PID 1064 wrote to memory of 4048	1064	cmd.exe	115
PID 1064 wrote to memory of 4048	1064	cmd.exe	115
PID 1064 wrote to memory of 4504	1064	cmd.exe	116
PID 1064 wrote to memory of 4504	1064	cmd.exe	116
PID 1064 wrote to memory of 4504	1064	cmd.exe	116
PID 1064 wrote to memory of 4576	1064	cmd.exe	117
PID 1064 wrote to memory of 4576	1064	cmd.exe	117
PID 1064 wrote to memory of 4576	1064	cmd.exe	117
PID 1064 wrote to memory of 3448	1064	cmd.exe	119
PID 1064 wrote to memory of 3448	1064	cmd.exe	119
PID 1064 wrote to memory of 3448	1064	cmd.exe	119
PID 1064 wrote to memory of 4108	1064	cmd.exe	118
PID 1064 wrote to memory of 4108	1064	cmd.exe	118
PID 1064 wrote to memory of 4108	1064	cmd.exe	118
PID 1064 wrote to memory of 3292	1064	cmd.exe	120
PID 1064 wrote to memory of 3292	1064	cmd.exe	120
PID 1064 wrote to memory of 3292	1064	cmd.exe	120
PID 224 wrote to memory of 4172	224	ghaaer.exe	123
PID 224 wrote to memory of 4172	224	ghaaer.exe	123
PID 224 wrote to memory of 4172	224	ghaaer.exe	123

C:\Users\Admin\AppData\Local\Temp\894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe
"C:\Users\Admin\AppData\Local\Temp\894fdea714b96a9e6c743e5c5a6ffbe5cc01e4fb6c7552600641a9bcc591e46b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptZG1042ec.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptZG1042ec.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAI9055vB.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAI9055vB.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptoV6649Ii.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptoV6649Ii.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beLn71El98.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beLn71El98.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1084
        6⤵
        Program crash
        
        PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctqm52UK61.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctqm52UK61.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drCm51KB67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drCm51KB67.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 988
        5⤵
        Program crash
        
        PID:2880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk82jN83Mg65.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk82jN83Mg65.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
      "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4048
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:N"
        6⤵
        
        PID:4504
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "ghaaer.exe" /P "Admin:R" /E
        6⤵
        
        PID:4576
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\46aee2aca4" /P "Admin:N"
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3448
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\46aee2aca4" /P "Admin:R" /E
        6⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4172
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHH46ax30.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHH46ax30.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2384 -ip 2384
1⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe
1⤵
- Executes dropped EXE
PID:4136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHH46ax30.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHH46ax30.exe

Filesize
175KB

MD5
75ced8ad0d8cd237ebc9cb7b00852651

SHA1
adab63df3e0a40fd9f170ab57da66f01f226141c

SHA256
a35a264162c124ffd066dd867ed96359131d37b243cb0445c1c9eba6a58de819

SHA512
f565a49b14671683a1e48cece82a437a79bf8bdb456a3c6f35fac020e5fef3cd666399208633b7d2da9407f7b334a311a416b0a969c8b62ff28e15e7d4a0c431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptZG1042ec.exe

Filesize
843KB

MD5
9dc8cd9a4d5b7af7384a43d48371022d

SHA1
46b2d02d0b22618f4803814e242ecd3775335956

SHA256
808ea42b5cb426942da638dcd8fedf679f9370f57198882ccad2012e1d9be0e7

SHA512
77714d78b2d5f31840f712c1ecf61f2fa738d2ed74f98638e1150a59d381d35f3e26093c6ff94eb49da5065ebd4e45d49173355a2b11217049481f37fe403daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptZG1042ec.exe

Filesize
843KB

MD5
9dc8cd9a4d5b7af7384a43d48371022d

SHA1
46b2d02d0b22618f4803814e242ecd3775335956

SHA256
808ea42b5cb426942da638dcd8fedf679f9370f57198882ccad2012e1d9be0e7

SHA512
77714d78b2d5f31840f712c1ecf61f2fa738d2ed74f98638e1150a59d381d35f3e26093c6ff94eb49da5065ebd4e45d49173355a2b11217049481f37fe403daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk82jN83Mg65.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk82jN83Mg65.exe

Filesize
235KB

MD5
5be5a732113282a7824ceb2a359b6468

SHA1
0d7b6225bfd5a5fea2d9895e1470e86a0dc2ddd7

SHA256
00b159ce6ab2aa22a678a455d978814597d59942345ad9491ab5dd6ff3066bee

SHA512
a36556727e948b7e0e8e6ab5d8bb80fbeffeff020bf38a6f61cd7b498052cbc4972282e5a66a0998e42363468cf89a3a9b9bd17bc56e4160e7462f9086fa656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAI9055vB.exe

Filesize
656KB

MD5
8303f216c104f83b885a74e119c0cee6

SHA1
f9967febaaa33ee967bf8361622754bc614ff74b

SHA256
19b335fd894d8114347c9ecbb753242960927fe0f06272bac2c1d41563622594

SHA512
0fcbd05079d031a5eff09438ba39f0942bf55014131b47cf6aa85d42b11379bebcbdebcd08a4a72333670d78c45dae14371559bdebd8560054b3b497526b8ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptAI9055vB.exe

Filesize
656KB

MD5
8303f216c104f83b885a74e119c0cee6

SHA1
f9967febaaa33ee967bf8361622754bc614ff74b

SHA256
19b335fd894d8114347c9ecbb753242960927fe0f06272bac2c1d41563622594

SHA512
0fcbd05079d031a5eff09438ba39f0942bf55014131b47cf6aa85d42b11379bebcbdebcd08a4a72333670d78c45dae14371559bdebd8560054b3b497526b8ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drCm51KB67.exe

Filesize
290KB

MD5
8fee42f989bab807a7e66858ba5fe89d

SHA1
2f0c74aba0b54d351ac033248a718fa08edbfd91

SHA256
0b8c7c56907917d4b837cb95e0f7f47223d4457ddddd5986922cd7e3d61d70e5

SHA512
d4e1289b7bd0255a74eb8b85b552326ef288d45a9c69188a70215ecba62c984ecdb2ebb8ded103a699d109bf6d82ade212ed7c3dda8e04e780a79593cc3f6926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\drCm51KB67.exe

Filesize
290KB

MD5
8fee42f989bab807a7e66858ba5fe89d

SHA1
2f0c74aba0b54d351ac033248a718fa08edbfd91

SHA256
0b8c7c56907917d4b837cb95e0f7f47223d4457ddddd5986922cd7e3d61d70e5

SHA512
d4e1289b7bd0255a74eb8b85b552326ef288d45a9c69188a70215ecba62c984ecdb2ebb8ded103a699d109bf6d82ade212ed7c3dda8e04e780a79593cc3f6926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptoV6649Ii.exe

Filesize
328KB

MD5
86b4b8c67ddf32ada27576f71891c1ea

SHA1
06c4f3ddb5ea672e6afd87126788e8026a15f4a4

SHA256
f6882df3179a3b95e87f895bc8e8c7518b82ad53c3b2448b02cd2ec3138d6d7e

SHA512
72187735acf03cca1b3fa07e7dff1bef9dc1fd2c994b4dad1f4af6a9899c5233d6b8a66df4f0c01899144e0cc99c12cf6c342a8bea24d3e85afc7087307472f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptoV6649Ii.exe

Filesize
328KB

MD5
86b4b8c67ddf32ada27576f71891c1ea

SHA1
06c4f3ddb5ea672e6afd87126788e8026a15f4a4

SHA256
f6882df3179a3b95e87f895bc8e8c7518b82ad53c3b2448b02cd2ec3138d6d7e

SHA512
72187735acf03cca1b3fa07e7dff1bef9dc1fd2c994b4dad1f4af6a9899c5233d6b8a66df4f0c01899144e0cc99c12cf6c342a8bea24d3e85afc7087307472f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beLn71El98.exe

Filesize
232KB

MD5
be1c9ba8d385566aa2c1c0fe1001af3e

SHA1
bf40ca7120746478f12d9c7d430ae7945568a502

SHA256
8b7d7f82899b5d6718e90bea99fc1d9aabc09d961bada4eb29790661fa8260b4

SHA512
5c4edda4e7eb88164a82de739a373a388c1a7cf3e296aafffd95c2a4385ec63ca214455f53c33d1c86e7a268524d0d726e5f5775ab1c9c41d378c5c754215ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beLn71El98.exe

Filesize
232KB

MD5
be1c9ba8d385566aa2c1c0fe1001af3e

SHA1
bf40ca7120746478f12d9c7d430ae7945568a502

SHA256
8b7d7f82899b5d6718e90bea99fc1d9aabc09d961bada4eb29790661fa8260b4

SHA512
5c4edda4e7eb88164a82de739a373a388c1a7cf3e296aafffd95c2a4385ec63ca214455f53c33d1c86e7a268524d0d726e5f5775ab1c9c41d378c5c754215ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctqm52UK61.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ctqm52UK61.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
89KB

MD5
29b9780bb2992d018ae312ed4180a663

SHA1
592a993f9518c1ceab3186a8b5007826fa204b60

SHA256
b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a

SHA512
988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2148-204-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2384-1127-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/2384-247-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-1135-0x0000000007AC0000-0x0000000007FEC000-memory.dmp

Filesize
5.2MB

Download
memory/2384-1134-0x00000000078F0000-0x0000000007AB2000-memory.dmp

Filesize
1.8MB

Download
memory/2384-1133-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-1132-0x00000000064B0000-0x0000000006500000-memory.dmp

Filesize
320KB

Download
memory/2384-1131-0x0000000006430000-0x00000000064A6000-memory.dmp

Filesize
472KB

Download
memory/2384-1130-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-1129-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-1128-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-1126-0x0000000005C90000-0x0000000005D22000-memory.dmp

Filesize
584KB

Download
memory/2384-1124-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/2384-210-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-211-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-213-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-215-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-217-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-219-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-221-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-223-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-225-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-229-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-228-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/2384-232-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-234-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-235-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-231-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-237-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-227-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-239-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-241-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-243-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-245-0x0000000002430000-0x000000000246E000-memory.dmp

Filesize
248KB

Download
memory/2384-1123-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/2384-1120-0x00000000051D0000-0x00000000057E8000-memory.dmp

Filesize
6.1MB

Download
memory/2384-1121-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/2384-1122-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/4792-176-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-166-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/4792-186-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-182-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-194-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-190-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-192-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-200-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4792-198-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-197-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-196-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-195-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4792-184-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-180-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-188-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-174-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-172-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-168-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-170-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-1153-0x0000000000B60000-0x0000000000B92000-memory.dmp

Filesize
200KB

Download
memory/4792-1154-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4792-1155-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4792-167-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-178-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/4792-165-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-164-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-163-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/4792-162-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download