amadey | fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe
Size

1023KB
MD5

fad90b59366c233be43783658886975c
SHA1

bc73cbf361a04a8fa448251977f5a17b220ded07
SHA256

fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea
SHA512

283e056f1443c707fab8e91e4942d1d7b2c8904f493cb6fcb4deb8331273f7a7ae96889291ab1f124c707761ba4e30d57121b14531d5667af03e758cfb0c8447
SSDEEP

24576:eyoLJFiCBaqGGPOU45Jt56XiqtlasqftAp5oltyAEnHhF9k3Yxx:tmFMNGPT45Jt56Sqtlx4tA5Cxu+

Score

10^/10

amadey redline down lown discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

lown

193.233.20.31:4125

Attributes

auth_value
4cf836e062bcdc2a4fdbf410f5747ec7

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz3272.exev0733rK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz3272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz3272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz3272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz3272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz3272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz3272.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0733rK.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4308-210-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-211-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-213-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-215-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-217-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-221-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-222-0x00000000026D0000-0x00000000026E0000-memory.dmp	family_redline
behavioral1/memory/4308-224-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-227-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-229-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-231-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-233-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-235-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-237-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-239-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-241-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-243-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-245-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline
behavioral1/memory/4308-247-0x00000000052B0000-0x00000000052EE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y25of37.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	y25of37.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap9093.exezap6412.exezap8862.exetz3272.exev0733rK.exew17It93.exexsWWx08.exey25of37.exelegenda.exelegenda.exelegenda.exe

pid	process
1540	zap9093.exe
2680	zap6412.exe
2672	zap8862.exe
228	tz3272.exe
2616	v0733rK.exe
4308	w17It93.exe
4868	xsWWx08.exe
4344	y25of37.exe
60	legenda.exe
3620	legenda.exe
4316	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4404 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4404	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v0733rK.exetz3272.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0733rK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz3272.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0733rK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap8862.exefd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exezap9093.exezap6412.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8862.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap9093.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap6412.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8862.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3724 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz3272.exev0733rK.exew17It93.exexsWWx08.exe

pid process

228 tz3272.exe
228 tz3272.exe
2616 v0733rK.exe
2616 v0733rK.exe
4308 w17It93.exe
4308 w17It93.exe
4868 xsWWx08.exe
4868 xsWWx08.exe

pid	process
3724	schtasks.exe

pid	process
228	tz3272.exe
228	tz3272.exe
2616	v0733rK.exe
2616	v0733rK.exe
4308	w17It93.exe
4308	w17It93.exe
4868	xsWWx08.exe
4868	xsWWx08.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz3272.exev0733rK.exew17It93.exexsWWx08.exe

description	pid	process
Token: SeDebugPrivilege	228	tz3272.exe
Token: SeDebugPrivilege	2616	v0733rK.exe
Token: SeDebugPrivilege	4308	w17It93.exe
Token: SeDebugPrivilege	4868	xsWWx08.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exezap9093.exezap6412.exezap8862.exey25of37.exelegenda.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 1540	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	zap9093.exe
PID 1520 wrote to memory of 1540	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	zap9093.exe
PID 1520 wrote to memory of 1540	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	zap9093.exe
PID 1540 wrote to memory of 2680	1540	zap9093.exe	zap6412.exe
PID 1540 wrote to memory of 2680	1540	zap9093.exe	zap6412.exe
PID 1540 wrote to memory of 2680	1540	zap9093.exe	zap6412.exe
PID 2680 wrote to memory of 2672	2680	zap6412.exe	zap8862.exe
PID 2680 wrote to memory of 2672	2680	zap6412.exe	zap8862.exe
PID 2680 wrote to memory of 2672	2680	zap6412.exe	zap8862.exe
PID 2672 wrote to memory of 228	2672	zap8862.exe	tz3272.exe
PID 2672 wrote to memory of 228	2672	zap8862.exe	tz3272.exe
PID 2672 wrote to memory of 2616	2672	zap8862.exe	v0733rK.exe
PID 2672 wrote to memory of 2616	2672	zap8862.exe	v0733rK.exe
PID 2672 wrote to memory of 2616	2672	zap8862.exe	v0733rK.exe
PID 2680 wrote to memory of 4308	2680	zap6412.exe	w17It93.exe
PID 2680 wrote to memory of 4308	2680	zap6412.exe	w17It93.exe
PID 2680 wrote to memory of 4308	2680	zap6412.exe	w17It93.exe
PID 1540 wrote to memory of 4868	1540	zap9093.exe	xsWWx08.exe
PID 1540 wrote to memory of 4868	1540	zap9093.exe	xsWWx08.exe
PID 1540 wrote to memory of 4868	1540	zap9093.exe	xsWWx08.exe
PID 1520 wrote to memory of 4344	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	y25of37.exe
PID 1520 wrote to memory of 4344	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	y25of37.exe
PID 1520 wrote to memory of 4344	1520	fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe	y25of37.exe
PID 4344 wrote to memory of 60	4344	y25of37.exe	legenda.exe
PID 4344 wrote to memory of 60	4344	y25of37.exe	legenda.exe
PID 4344 wrote to memory of 60	4344	y25of37.exe	legenda.exe
PID 60 wrote to memory of 3724	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 3724	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 3724	60	legenda.exe	schtasks.exe
PID 60 wrote to memory of 3548	60	legenda.exe	cmd.exe
PID 60 wrote to memory of 3548	60	legenda.exe	cmd.exe
PID 60 wrote to memory of 3548	60	legenda.exe	cmd.exe
PID 3548 wrote to memory of 4820	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4820	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4820	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4348	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 4348	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 4348	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 1204	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 1204	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 1204	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 444	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 444	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 444	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3712	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 3712	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 3712	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 860	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 860	3548	cmd.exe	cacls.exe
PID 3548 wrote to memory of 860	3548	cmd.exe	cacls.exe
PID 60 wrote to memory of 4404	60	legenda.exe	rundll32.exe
PID 60 wrote to memory of 4404	60	legenda.exe	rundll32.exe
PID 60 wrote to memory of 4404	60	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe
"C:\Users\Admin\AppData\Local\Temp\fd0b00db3638d9ef832ea204d94d182271ba5159841930ed1cb2177ec7c9e8ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9093.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9093.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8862.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8862.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3272.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3272.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0733rK.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0733rK.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17It93.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17It93.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsWWx08.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsWWx08.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y25of37.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y25of37.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4820

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4348

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:444

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3712

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:860

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4404

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y25of37.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y25of37.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9093.exe
Filesize
838KB

MD5
9d1a081428f4b5c535eb1fc0afb0b940

SHA1
df98fa8d09a20f5ca466c72ffe97b327209f585a

SHA256
32ed9dcf1d621771b06c9c066c7c572b314a0d9b08c42e414fd1b5060d154f0c

SHA512
4256aa823900c4b960edc35019465c043078291078f39bdd7cea9e9c1dbe91e8fd9c505fcb087f9a675f323cc0533faf65d0003ad57b24fd5d2568c7cc6ea5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap9093.exe
Filesize
838KB

MD5
9d1a081428f4b5c535eb1fc0afb0b940

SHA1
df98fa8d09a20f5ca466c72ffe97b327209f585a

SHA256
32ed9dcf1d621771b06c9c066c7c572b314a0d9b08c42e414fd1b5060d154f0c

SHA512
4256aa823900c4b960edc35019465c043078291078f39bdd7cea9e9c1dbe91e8fd9c505fcb087f9a675f323cc0533faf65d0003ad57b24fd5d2568c7cc6ea5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsWWx08.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xsWWx08.exe
Filesize
175KB

MD5
50809fe16d7c482c1f4a2ea19fdcbc0a

SHA1
11b6f69c06a724da15183b16039c5cbc86016158

SHA256
09917b67829de37b5d6be8115c8f8321f436554f426a24e079257a8368051cb1

SHA512
c35170e5eb6dabda9fd2d289153df829957ca8e9665178529a1ba36395155bb34f489372993ec694d10bea490c86cef2ae152e2df480288aca8e796ba135261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
Filesize
696KB

MD5
16a5e52e7f807769489bf08110318052

SHA1
a215cf980c17aa0ade9322641e334d23568b80cc

SHA256
643e103d404e70df7ccabcbab8550ac295f95b63705e4a61588a91dbe14551a7

SHA512
1d5cee49b629ed7b6b164b11072ba9d3ffb27d84d065c10eeb2cf5cca3660732f002d5771db31d37f2da5912cac67e172f71543e4f3d7e5ec702b9d5c3803284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6412.exe
Filesize
696KB

MD5
16a5e52e7f807769489bf08110318052

SHA1
a215cf980c17aa0ade9322641e334d23568b80cc

SHA256
643e103d404e70df7ccabcbab8550ac295f95b63705e4a61588a91dbe14551a7

SHA512
1d5cee49b629ed7b6b164b11072ba9d3ffb27d84d065c10eeb2cf5cca3660732f002d5771db31d37f2da5912cac67e172f71543e4f3d7e5ec702b9d5c3803284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17It93.exe
Filesize
349KB

MD5
b0664072b8e675e4977332256d180b94

SHA1
4c6ac063a08a1d908ebc63afea2615574b512249

SHA256
e4f595342b681bdc61cebd5b9c7860ee063a3068f4a00f61a52d4a3689553b70

SHA512
5b79f8e9d2553a3cccc12ea59a6d3fb9d7d250a7d1fffb7edb1e386841e8ff555716e8937c3f722a17091589030d695ab0e7cfd31db0e8d20a36bd56fc8ad478

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w17It93.exe
Filesize
349KB

MD5
b0664072b8e675e4977332256d180b94

SHA1
4c6ac063a08a1d908ebc63afea2615574b512249

SHA256
e4f595342b681bdc61cebd5b9c7860ee063a3068f4a00f61a52d4a3689553b70

SHA512
5b79f8e9d2553a3cccc12ea59a6d3fb9d7d250a7d1fffb7edb1e386841e8ff555716e8937c3f722a17091589030d695ab0e7cfd31db0e8d20a36bd56fc8ad478

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8862.exe
Filesize
345KB

MD5
e711a52cdec3ead1e96fbed6800c7da4

SHA1
e80a386f67ac651b3993e8b0d4fa7b546a8fa0e5

SHA256
8496a1bb8366cf5412e5e208176023026b277732bcb1ae18d9819341af6493e8

SHA512
ffa8a3f50b1af341dae945a3d30e3cc61b0d0f485e95d0bee9987aa4a5dc204f6133d5f5f65f8aa5526256f0997c321b99ed454757cb37d918ff26fdb632bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8862.exe
Filesize
345KB

MD5
e711a52cdec3ead1e96fbed6800c7da4

SHA1
e80a386f67ac651b3993e8b0d4fa7b546a8fa0e5

SHA256
8496a1bb8366cf5412e5e208176023026b277732bcb1ae18d9819341af6493e8

SHA512
ffa8a3f50b1af341dae945a3d30e3cc61b0d0f485e95d0bee9987aa4a5dc204f6133d5f5f65f8aa5526256f0997c321b99ed454757cb37d918ff26fdb632bf5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3272.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz3272.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0733rK.exe
Filesize
291KB

MD5
060208be6eac86ab47e5a3ae3b595a5f

SHA1
eac84e234902f6264f3980c6283104cb4d8a9fae

SHA256
5a42ae75c98415cd34174a3ae13b3632f6770d96725de82ba45e871eafcad80e

SHA512
fe01336795402be63af6285a4f52a00ea94eac1564d931544d0aa81567706681f25a93915e6928f2575b823ae8639e057dd7bf1ad4d4f8e1bfeb4b093756c748

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0733rK.exe
Filesize
291KB

MD5
060208be6eac86ab47e5a3ae3b595a5f

SHA1
eac84e234902f6264f3980c6283104cb4d8a9fae

SHA256
5a42ae75c98415cd34174a3ae13b3632f6770d96725de82ba45e871eafcad80e

SHA512
fe01336795402be63af6285a4f52a00ea94eac1564d931544d0aa81567706681f25a93915e6928f2575b823ae8639e057dd7bf1ad4d4f8e1bfeb4b093756c748

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
5086db99de54fca268169a1c6cf26122

SHA1
003f768ffcc99bda5cda1fb966fda8625a8fdc3e

SHA256
42873b0c5899f64b5f3205a4f3146210cc63152e529c69d6292b037844c81ec4

SHA512
90531b1b984b21ce62290b713ffc07917bbd766eef7d5e6f4c1c68b2fc7d29495cdd5f05fd71fe5107f1614bbb30922dcfb730f50599e44aeaff52c50f46b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/228-161-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2616-181-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-187-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-189-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-191-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-193-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-195-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-197-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-199-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-200-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2616-201-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-202-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-203-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-205-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2616-185-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-183-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-179-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-177-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-175-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-173-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2616-171-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-170-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-169-0x0000000002820000-0x0000000002830000-memory.dmp

Filesize
64KB

Download
memory/2616-168-0x0000000000880000-0x00000000008AD000-memory.dmp

Filesize
180KB

Download
memory/2616-167-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/4308-218-0x00000000008A0000-0x00000000008EB000-memory.dmp

Filesize
300KB

Download
memory/4308-1131-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-233-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-235-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-237-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-239-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-241-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-243-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-245-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-247-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-1120-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/4308-1121-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/4308-1122-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/4308-1123-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/4308-1124-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-1125-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/4308-1126-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/4308-1127-0x00000000065D0000-0x0000000006792000-memory.dmp

Filesize
1.8MB

Download
memory/4308-1128-0x00000000067B0000-0x0000000006CDC000-memory.dmp

Filesize
5.2MB

Download
memory/4308-231-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-1130-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-1132-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-1133-0x0000000006E30000-0x0000000006EA6000-memory.dmp

Filesize
472KB

Download
memory/4308-1134-0x0000000006EB0000-0x0000000006F00000-memory.dmp

Filesize
320KB

Download
memory/4308-229-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-1135-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-210-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-211-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-227-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-220-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-225-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-224-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-222-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/4308-221-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-217-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-215-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4308-213-0x00000000052B0000-0x00000000052EE000-memory.dmp

Filesize
248KB

Download
memory/4868-1142-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4868-1141-0x0000000000940000-0x0000000000972000-memory.dmp

Filesize
200KB

Download