amadey | 69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe
Size

993KB
MD5

930ce480692e9127e43aa7652c92ee27
SHA1

aef6eadb8c1549a50668ae166379a25e766448af
SHA256

69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c
SHA512

339a10c67d596288e85e0769e50cbcb275d73d7415a5b511b258bd464a8732ae6c9b15d6b3cb5163ebbc649c2c2a30a86b790cbb76406fc8acce8dd70ee5e616
SSDEEP

24576:rywwd31OwWm5f6T8oP9IJEOjlelEDNMrYGP1:ewwzDWm5+EJtledrYGP

Score

10^/10

amadey redline lift rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

lift

176.113.115.145:4125

Attributes

auth_value
94f33c242a83de9dcc729e29ec435dfb

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v7627eB.exetz1195.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7627eB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7627eB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz1195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz1195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz1195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7627eB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7627eB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7627eB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz1195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz1195.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz1195.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7627eB.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4512-207-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-208-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-212-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-210-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-214-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-222-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-217-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-224-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-226-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-228-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-230-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-232-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-234-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-236-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-238-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-240-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-242-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-244-0x0000000004C10000-0x0000000004C4F000-memory.dmp	family_redline
behavioral1/memory/4512-1124-0x00000000073F0000-0x0000000007400000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y09sl69.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	y09sl69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap1859.exezap2343.exezap0215.exetz1195.exev7627eB.exew99Hc29.exexBcLr51.exey09sl69.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
3760	zap1859.exe
3744	zap2343.exe
1512	zap0215.exe
1924	tz1195.exe
3680	v7627eB.exe
4512	w99Hc29.exe
1368	xBcLr51.exe
4828	y09sl69.exe
4836	oneetx.exe
2468	oneetx.exe
432	oneetx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz1195.exev7627eB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz1195.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7627eB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7627eB.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1859.exezap2343.exezap0215.exe69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1859.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap2343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap2343.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap0215.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap0215.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4428 3680 WerFault.exe v7627eB.exe
3896 4512 WerFault.exe w99Hc29.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1592 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz1195.exev7627eB.exew99Hc29.exexBcLr51.exe

pid process

1924 tz1195.exe
1924 tz1195.exe
3680 v7627eB.exe
3680 v7627eB.exe
4512 w99Hc29.exe
4512 w99Hc29.exe
1368 xBcLr51.exe
1368 xBcLr51.exe

pid	pid_target	process	target process
4428	3680	WerFault.exe	v7627eB.exe
3896	4512	WerFault.exe	w99Hc29.exe

pid	process
1592	schtasks.exe

pid	process
1924	tz1195.exe
1924	tz1195.exe
3680	v7627eB.exe
3680	v7627eB.exe
4512	w99Hc29.exe
4512	w99Hc29.exe
1368	xBcLr51.exe
1368	xBcLr51.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz1195.exev7627eB.exew99Hc29.exexBcLr51.exe

description	pid	process
Token: SeDebugPrivilege	1924	tz1195.exe
Token: SeDebugPrivilege	3680	v7627eB.exe
Token: SeDebugPrivilege	4512	w99Hc29.exe
Token: SeDebugPrivilege	1368	xBcLr51.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y09sl69.exe

pid process

4828 y09sl69.exe

pid	process
4828	y09sl69.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exezap1859.exezap2343.exezap0215.exey09sl69.execmd.exe

description	pid	process	target process
PID 4708 wrote to memory of 3760	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	zap1859.exe
PID 4708 wrote to memory of 3760	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	zap1859.exe
PID 4708 wrote to memory of 3760	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	zap1859.exe
PID 3760 wrote to memory of 3744	3760	zap1859.exe	zap2343.exe
PID 3760 wrote to memory of 3744	3760	zap1859.exe	zap2343.exe
PID 3760 wrote to memory of 3744	3760	zap1859.exe	zap2343.exe
PID 3744 wrote to memory of 1512	3744	zap2343.exe	zap0215.exe
PID 3744 wrote to memory of 1512	3744	zap2343.exe	zap0215.exe
PID 3744 wrote to memory of 1512	3744	zap2343.exe	zap0215.exe
PID 1512 wrote to memory of 1924	1512	zap0215.exe	tz1195.exe
PID 1512 wrote to memory of 1924	1512	zap0215.exe	tz1195.exe
PID 1512 wrote to memory of 3680	1512	zap0215.exe	v7627eB.exe
PID 1512 wrote to memory of 3680	1512	zap0215.exe	v7627eB.exe
PID 1512 wrote to memory of 3680	1512	zap0215.exe	v7627eB.exe
PID 3744 wrote to memory of 4512	3744	zap2343.exe	w99Hc29.exe
PID 3744 wrote to memory of 4512	3744	zap2343.exe	w99Hc29.exe
PID 3744 wrote to memory of 4512	3744	zap2343.exe	w99Hc29.exe
PID 3760 wrote to memory of 1368	3760	zap1859.exe	xBcLr51.exe
PID 3760 wrote to memory of 1368	3760	zap1859.exe	xBcLr51.exe
PID 3760 wrote to memory of 1368	3760	zap1859.exe	xBcLr51.exe
PID 4708 wrote to memory of 4828	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	y09sl69.exe
PID 4708 wrote to memory of 4828	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	y09sl69.exe
PID 4708 wrote to memory of 4828	4708	69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe	y09sl69.exe
PID 4828 wrote to memory of 4836	4828	y09sl69.exe	oneetx.exe
PID 4828 wrote to memory of 4836	4828	y09sl69.exe	oneetx.exe
PID 4828 wrote to memory of 4836	4828	y09sl69.exe	oneetx.exe
PID 4228 wrote to memory of 1988	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 1988	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 1988	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 1808	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 1808	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 1808	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3684	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3684	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3684	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 5104	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 5104	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 5104	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 5108	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 5108	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 5108	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3364	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3364	4228	cmd.exe	cacls.exe
PID 4228 wrote to memory of 3364	4228	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe
"C:\Users\Admin\AppData\Local\Temp\69398a10b437253c8589edaca324319c0024f930472cf36fc2591040c50cd36c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1859.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1859.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2343.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2343.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0215.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0215.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1195.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1195.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7627eB.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7627eB.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1052
6⤵
- Program crash
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99Hc29.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99Hc29.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1364
5⤵
- Program crash
PID:3896

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBcLr51.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBcLr51.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y09sl69.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y09sl69.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1988

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:1808

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:5108

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3364

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3680 -ip 3680
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4512 -ip 4512
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y09sl69.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y09sl69.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1859.exe
Filesize
809KB

MD5
13e19acb7a717aa772483495a36b6c5f

SHA1
56efc0d2d5cd3464b20993bcb9c730203e068ec4

SHA256
2fe47310a12f82608e201b92ce41919c216d1d7bba783b1c8637391a4c530dc9

SHA512
e79180b3d6238598060b90478ea20f0af260033932d6f546364de40289ef86ea94676ddc32c2853fa3eee8a85e39a3c674dfa7e5c8ff4fcdf5fa2aa7ff834c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1859.exe
Filesize
809KB

MD5
13e19acb7a717aa772483495a36b6c5f

SHA1
56efc0d2d5cd3464b20993bcb9c730203e068ec4

SHA256
2fe47310a12f82608e201b92ce41919c216d1d7bba783b1c8637391a4c530dc9

SHA512
e79180b3d6238598060b90478ea20f0af260033932d6f546364de40289ef86ea94676ddc32c2853fa3eee8a85e39a3c674dfa7e5c8ff4fcdf5fa2aa7ff834c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBcLr51.exe
Filesize
175KB

MD5
6805698990857fe552185307a2987755

SHA1
6b8dce3b429048dc47bfeadb9d92a53838bc61fa

SHA256
b0dbf358cf3c9580b07414a3f6c73f252debd0b944e694327cdfd3ed05cff556

SHA512
64057aefb5a8914bac5d8cf5091e2e631439a49dbe1d1f1fdebeace61e02d826c50aa3927bf98aa137287a2e160f5a36cc2c9e444c21e45bdce45592829dc423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xBcLr51.exe
Filesize
175KB

MD5
6805698990857fe552185307a2987755

SHA1
6b8dce3b429048dc47bfeadb9d92a53838bc61fa

SHA256
b0dbf358cf3c9580b07414a3f6c73f252debd0b944e694327cdfd3ed05cff556

SHA512
64057aefb5a8914bac5d8cf5091e2e631439a49dbe1d1f1fdebeace61e02d826c50aa3927bf98aa137287a2e160f5a36cc2c9e444c21e45bdce45592829dc423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2343.exe
Filesize
667KB

MD5
c1ad4f22c40d475fa5e513f7c798ad3b

SHA1
0225d0ce8a7074ce6dfa2b111434f25bb31ac86e

SHA256
1ebb72ea8d8cfc63294f52898f28a763fb83bf4e7ad0c383a564a7928ee44f5d

SHA512
d13e1181ee6adb43f9ffbe3270b26a620de58e6de72aab8698ef5205748c899e8454f5b4bad6bce94e502ec26fca73ffb9628cef1bc838f789eb976a9bb3f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap2343.exe
Filesize
667KB

MD5
c1ad4f22c40d475fa5e513f7c798ad3b

SHA1
0225d0ce8a7074ce6dfa2b111434f25bb31ac86e

SHA256
1ebb72ea8d8cfc63294f52898f28a763fb83bf4e7ad0c383a564a7928ee44f5d

SHA512
d13e1181ee6adb43f9ffbe3270b26a620de58e6de72aab8698ef5205748c899e8454f5b4bad6bce94e502ec26fca73ffb9628cef1bc838f789eb976a9bb3f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99Hc29.exe
Filesize
355KB

MD5
ef654d4424d053f47f84c47eab4defa2

SHA1
aa4dd4a9e6607354aba7106cdbbc72d7e753c4c0

SHA256
5078de8c91433dacb02f19693ef3d2c0d4c203ddc39e36efc3ee289f72c2019e

SHA512
2fad965b9d2b5ec64c33c7b3f80ee3a19e00e9af586c17fd83e2343b9a3d8ce15939acf701445ac028a73e1ad42324023bf86f92e523a69a7713496566962f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w99Hc29.exe
Filesize
355KB

MD5
ef654d4424d053f47f84c47eab4defa2

SHA1
aa4dd4a9e6607354aba7106cdbbc72d7e753c4c0

SHA256
5078de8c91433dacb02f19693ef3d2c0d4c203ddc39e36efc3ee289f72c2019e

SHA512
2fad965b9d2b5ec64c33c7b3f80ee3a19e00e9af586c17fd83e2343b9a3d8ce15939acf701445ac028a73e1ad42324023bf86f92e523a69a7713496566962f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0215.exe
Filesize
329KB

MD5
aa37818f014df6d554a7767431066ad0

SHA1
bed7a9b4921c32204e509f15af9b54cdbb48ea3a

SHA256
0a67f15ab5c7974fdae5b0ceb903a4f2df14035f7ad2ce124b8e18dcf94d1131

SHA512
eaa10ef34e177fd7e40881ab7edd3da7a7748f7287d448f3a35ae3493dacb3dad578440f33f2b58ec9cfadca64538ad5fd13614f6d057dd78f7fa2735794bdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap0215.exe
Filesize
329KB

MD5
aa37818f014df6d554a7767431066ad0

SHA1
bed7a9b4921c32204e509f15af9b54cdbb48ea3a

SHA256
0a67f15ab5c7974fdae5b0ceb903a4f2df14035f7ad2ce124b8e18dcf94d1131

SHA512
eaa10ef34e177fd7e40881ab7edd3da7a7748f7287d448f3a35ae3493dacb3dad578440f33f2b58ec9cfadca64538ad5fd13614f6d057dd78f7fa2735794bdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1195.exe
Filesize
12KB

MD5
9d473c755bc73c1812a31eae40677142

SHA1
d3cf99e401320aade9ad012ddf57b2a6f68f8248

SHA256
cdae5ad5c21659166ed127586e85b2bbe582fa8a4b232238de6ca96b0d4cf9b5

SHA512
ae4a93ac25caaceb02059cafb8c813fd230047b0c8a5db934059b0ec6c35b3896407fb336db2f495263b0cb7fb4c341627d393447b519b681f98b00738c9d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz1195.exe
Filesize
12KB

MD5
9d473c755bc73c1812a31eae40677142

SHA1
d3cf99e401320aade9ad012ddf57b2a6f68f8248

SHA256
cdae5ad5c21659166ed127586e85b2bbe582fa8a4b232238de6ca96b0d4cf9b5

SHA512
ae4a93ac25caaceb02059cafb8c813fd230047b0c8a5db934059b0ec6c35b3896407fb336db2f495263b0cb7fb4c341627d393447b519b681f98b00738c9d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7627eB.exe
Filesize
296KB

MD5
f241eaf94db5812269b4e8eff95c7de2

SHA1
abb63e7d5387c8a8eb48fe1d77e7917535ef3658

SHA256
b2bc94c2936ee0b7fdb772fa727ad1504cc901ad80ff68453848d4ce2a70ff7c

SHA512
4ea9b9e5a71f75ef25a6f9b954d3988688165242e0c16441851682976ec87bf0b9d63f3b83abaa429c50a9d9d2d8f76f70a64934328f85a36d7c97aaaf23a3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7627eB.exe
Filesize
296KB

MD5
f241eaf94db5812269b4e8eff95c7de2

SHA1
abb63e7d5387c8a8eb48fe1d77e7917535ef3658

SHA256
b2bc94c2936ee0b7fdb772fa727ad1504cc901ad80ff68453848d4ce2a70ff7c

SHA512
4ea9b9e5a71f75ef25a6f9b954d3988688165242e0c16441851682976ec87bf0b9d63f3b83abaa429c50a9d9d2d8f76f70a64934328f85a36d7c97aaaf23a3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
bf4d0070536d5552a895a9aee8b899e1

SHA1
b6ae1ca6249a2a1f7b7604dd34dfe850b5ba5210

SHA256
64dda12e01caf234482a30e8ab35cb638279115e80368a6435e991ab8b8341aa

SHA512
0bdaccbe9fd196f7ae5316d2f9764d81c576e4f41fe66f7905b2ff282b1b6dcd5abdc88f79da2321d8d38716ee43f4afecd9a505c6b9266aad963e91eb337c01

Download Submit
memory/1368-1139-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/1368-1138-0x0000000000970000-0x00000000009A2000-memory.dmp

Filesize
200KB

Download
memory/1924-161-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download
memory/3680-177-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-183-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-185-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-187-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-189-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-191-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-193-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-195-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-197-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-198-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/3680-199-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3680-200-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3680-202-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/3680-181-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-179-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-175-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-173-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-171-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-170-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3680-169-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3680-168-0x0000000002C00000-0x0000000002C2D000-memory.dmp

Filesize
180KB

Download
memory/3680-167-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/4512-210-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-217-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-224-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-226-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-228-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-230-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-232-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-234-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-236-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-238-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-240-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-242-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-244-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-1117-0x00000000079B0000-0x0000000007FC8000-memory.dmp

Filesize
6.1MB

Download
memory/4512-1118-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/4512-1119-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/4512-1120-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-1121-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4512-1123-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-1124-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-1125-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4512-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4512-1128-0x0000000008C70000-0x0000000008CE6000-memory.dmp

Filesize
472KB

Download
memory/4512-1129-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/4512-1130-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/4512-221-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-222-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-216-0x0000000002E20000-0x0000000002E6B000-memory.dmp

Filesize
300KB

Download
memory/4512-220-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-218-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download
memory/4512-214-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-212-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-208-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-207-0x0000000004C10000-0x0000000004C4F000-memory.dmp

Filesize
252KB

Download
memory/4512-1131-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/4512-1132-0x00000000073F0000-0x0000000007400000-memory.dmp

Filesize
64KB

Download