amadey | e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd

Analysis

max time kernel
149s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe
Size

1008KB
MD5

4271ef689311c1a35f1dc99f8226f6c3
SHA1

639e55fa47a321663b7168cbca4ea4a648a306a3
SHA256

e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd
SHA512

637749a0ccb4aafeea995e3f80db350ae5dc92a66abd2bd5d44b04b25b4a8aa3c50958924530010ff81201fd8c1a5291b1afb680bf5c5e5acf3b105d0fcc0f5b
SSDEEP

24576:4yQwg8APAha5Tjl7DBBpgLGY9HpEwzvwlAd7UYT:/QwhIXtR5BpgLbHpSle7U

Score

10^/10

amadey redline nord rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nord

176.113.115.145:4125

Attributes

auth_value
ebb7d38cdbd7c83cf6363ef3feb3a530

Extracted

Family

amadey

Version

3.69

193.233.20.29/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu922375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu922375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu922375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu922375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu922375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu922375.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0800.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4820-211-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-210-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-213-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-215-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-217-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-219-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-221-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-223-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-225-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-231-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-229-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-227-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-233-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-235-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-237-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-239-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-241-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-243-0x0000000002A90000-0x0000000002ACF000-memory.dmp	family_redline
behavioral1/memory/4820-440-0x0000000002A80000-0x0000000002A90000-memory.dmp	family_redline
behavioral1/memory/4820-1128-0x0000000002A80000-0x0000000002A90000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge367599.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

pid	Process
1240	kina7466.exe
1464	kina9856.exe
4348	kina5480.exe
4436	bu922375.exe
1912	cor0800.exe
4820	dxj98s67.exe
1708	en413951.exe
3768	ge367599.exe
4104	oneetx.exe
4080	oneetx.exe
3656	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
4920	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu922375.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0800.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0800.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina7466.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9856.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina5480.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7466.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2008	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3516	1912	WerFault.exe	93
756	4820	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4436	bu922375.exe
4436	bu922375.exe
1912	cor0800.exe
1912	cor0800.exe
4820	dxj98s67.exe
4820	dxj98s67.exe
1708	en413951.exe
1708	en413951.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	bu922375.exe
Token: SeDebugPrivilege	1912	cor0800.exe
Token: SeDebugPrivilege	4820	dxj98s67.exe
Token: SeDebugPrivilege	1708	en413951.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3768	ge367599.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 1240	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	84
PID 5036 wrote to memory of 1240	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	84
PID 5036 wrote to memory of 1240	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	84
PID 1240 wrote to memory of 1464	1240	kina7466.exe	85
PID 1240 wrote to memory of 1464	1240	kina7466.exe	85
PID 1240 wrote to memory of 1464	1240	kina7466.exe	85
PID 1464 wrote to memory of 4348	1464	kina9856.exe	86
PID 1464 wrote to memory of 4348	1464	kina9856.exe	86
PID 1464 wrote to memory of 4348	1464	kina9856.exe	86
PID 4348 wrote to memory of 4436	4348	kina5480.exe	87
PID 4348 wrote to memory of 4436	4348	kina5480.exe	87
PID 4348 wrote to memory of 1912	4348	kina5480.exe	93
PID 4348 wrote to memory of 1912	4348	kina5480.exe	93
PID 4348 wrote to memory of 1912	4348	kina5480.exe	93
PID 1464 wrote to memory of 4820	1464	kina9856.exe	96
PID 1464 wrote to memory of 4820	1464	kina9856.exe	96
PID 1464 wrote to memory of 4820	1464	kina9856.exe	96
PID 1240 wrote to memory of 1708	1240	kina7466.exe	104
PID 1240 wrote to memory of 1708	1240	kina7466.exe	104
PID 1240 wrote to memory of 1708	1240	kina7466.exe	104
PID 5036 wrote to memory of 3768	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	105
PID 5036 wrote to memory of 3768	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	105
PID 5036 wrote to memory of 3768	5036	e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe	105
PID 3768 wrote to memory of 4104	3768	ge367599.exe	106
PID 3768 wrote to memory of 4104	3768	ge367599.exe	106
PID 3768 wrote to memory of 4104	3768	ge367599.exe	106
PID 4104 wrote to memory of 3652	4104	oneetx.exe	107
PID 4104 wrote to memory of 3652	4104	oneetx.exe	107
PID 4104 wrote to memory of 3652	4104	oneetx.exe	107
PID 4104 wrote to memory of 2856	4104	oneetx.exe	109
PID 4104 wrote to memory of 2856	4104	oneetx.exe	109
PID 4104 wrote to memory of 2856	4104	oneetx.exe	109
PID 2856 wrote to memory of 1692	2856	cmd.exe	111
PID 2856 wrote to memory of 1692	2856	cmd.exe	111
PID 2856 wrote to memory of 1692	2856	cmd.exe	111
PID 2856 wrote to memory of 768	2856	cmd.exe	112
PID 2856 wrote to memory of 768	2856	cmd.exe	112
PID 2856 wrote to memory of 768	2856	cmd.exe	112
PID 2856 wrote to memory of 4528	2856	cmd.exe	113
PID 2856 wrote to memory of 4528	2856	cmd.exe	113
PID 2856 wrote to memory of 4528	2856	cmd.exe	113
PID 2856 wrote to memory of 2564	2856	cmd.exe	114
PID 2856 wrote to memory of 2564	2856	cmd.exe	114
PID 2856 wrote to memory of 2564	2856	cmd.exe	114
PID 2856 wrote to memory of 3596	2856	cmd.exe	115
PID 2856 wrote to memory of 3596	2856	cmd.exe	115
PID 2856 wrote to memory of 3596	2856	cmd.exe	115
PID 2856 wrote to memory of 1020	2856	cmd.exe	116
PID 2856 wrote to memory of 1020	2856	cmd.exe	116
PID 2856 wrote to memory of 1020	2856	cmd.exe	116
PID 4104 wrote to memory of 4920	4104	oneetx.exe	118
PID 4104 wrote to memory of 4920	4104	oneetx.exe	118
PID 4104 wrote to memory of 4920	4104	oneetx.exe	118

C:\Users\Admin\AppData\Local\Temp\e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe
"C:\Users\Admin\AppData\Local\Temp\e0d30f3b6665d280dd38cc15059f8c9d558796b8ceb440c5d8bc5f01eb5ed7bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7466.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7466.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9856.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9856.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5480.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5480.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu922375.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu922375.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0800.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0800.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1084
        6⤵
        Program crash
        
        PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxj98s67.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxj98s67.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1996
        5⤵
        Program crash
        
        PID:756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en413951.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en413951.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge367599.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge367599.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\550693dc87" /P "Admin:N"&&CACLS "..\550693dc87" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1692
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:768
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:N"
        5⤵
        
        PID:3596
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:R" /E
        5⤵
        
        PID:1020
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1912 -ip 1912
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4820 -ip 4820
1⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2008

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge367599.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge367599.exe

Filesize
236KB

MD5
262f317b94bc0e24112012c239cafe14

SHA1
98d9dea589f742d683a9053c919bf23de87ba75c

SHA256
38c039e707038e4461e6449689280b61e8cc5c7a757dfe6a48aab26ff634db9f

SHA512
a249397a0e192faa256a34dbc231fa4c5b55f6291bed11b856ec242791cba7196043e3cc0882b3ae0e47bb26ebddb310168e7adb21b1e4addd960134f97cfec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7466.exe

Filesize
823KB

MD5
c566f704f8f0da232e985bb555d765d7

SHA1
21b2e1776596b5b28d198236fbbb54a954372fac

SHA256
a9a43e6a446576cba48294f104414d54dd4dc36a8ec86f0d37421aed707b34c3

SHA512
0a02778cea020fe31a3c55501b3dbd0e2e1b678e6ab9ad105b3ec0ad4d30684ae487c9a9cb00bcd5f24516947e647682d1e1d94965b62c39f4e2e42295ea6cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7466.exe

Filesize
823KB

MD5
c566f704f8f0da232e985bb555d765d7

SHA1
21b2e1776596b5b28d198236fbbb54a954372fac

SHA256
a9a43e6a446576cba48294f104414d54dd4dc36a8ec86f0d37421aed707b34c3

SHA512
0a02778cea020fe31a3c55501b3dbd0e2e1b678e6ab9ad105b3ec0ad4d30684ae487c9a9cb00bcd5f24516947e647682d1e1d94965b62c39f4e2e42295ea6cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en413951.exe

Filesize
176KB

MD5
90c532047deba4f816055e85d0b585df

SHA1
3fd4c2a89b5f9482f5de7811c149883437f9f197

SHA256
1db7e32dd55466fa778c044df52615384d65e8e17e865b0055d1ca6e7e777449

SHA512
48bba58268d198bde516ae0d54d988d1fa52eb60f219bb0a530f0504411844e0eed2671a1dbc661c336a0fae8233b41416fa7893aa9c615f91ffa5f4d8aa3dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en413951.exe

Filesize
176KB

MD5
90c532047deba4f816055e85d0b585df

SHA1
3fd4c2a89b5f9482f5de7811c149883437f9f197

SHA256
1db7e32dd55466fa778c044df52615384d65e8e17e865b0055d1ca6e7e777449

SHA512
48bba58268d198bde516ae0d54d988d1fa52eb60f219bb0a530f0504411844e0eed2671a1dbc661c336a0fae8233b41416fa7893aa9c615f91ffa5f4d8aa3dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9856.exe

Filesize
681KB

MD5
f6e8462593b4a50795cc09468687fe7d

SHA1
da5f1575c511517ec3e0dc7485e22fc28a371b24

SHA256
f66e6494623c1abb714ad5f43e51eea5b417076fe04f8df8bee1b483f3b16538

SHA512
8cf2006dc82557320c036b26b28d72493c93af69cb079687f81d688b6456aa68aa7f4c6fb1c477ac77af9332a04fa2e51e5190e60348fec1138f058d25b34be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9856.exe

Filesize
681KB

MD5
f6e8462593b4a50795cc09468687fe7d

SHA1
da5f1575c511517ec3e0dc7485e22fc28a371b24

SHA256
f66e6494623c1abb714ad5f43e51eea5b417076fe04f8df8bee1b483f3b16538

SHA512
8cf2006dc82557320c036b26b28d72493c93af69cb079687f81d688b6456aa68aa7f4c6fb1c477ac77af9332a04fa2e51e5190e60348fec1138f058d25b34be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxj98s67.exe

Filesize
352KB

MD5
84ec9483ed90a7d774ca7640d6a4ddde

SHA1
2491d16cfdf652b71b5f6a6950b49dfa4672dbca

SHA256
9d40f49fca39b99548e14dbc0be5a5ba97bfb9714fc94513d4fe00d959551e98

SHA512
3eefdbf39773c6025cb7606a8981f33f135cc434fc1c69390adfc5297454fc43d514f76813dc884e47d4e8bce81ff61afef696fc433fc8ec76f6b0cf59fb39de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxj98s67.exe

Filesize
352KB

MD5
84ec9483ed90a7d774ca7640d6a4ddde

SHA1
2491d16cfdf652b71b5f6a6950b49dfa4672dbca

SHA256
9d40f49fca39b99548e14dbc0be5a5ba97bfb9714fc94513d4fe00d959551e98

SHA512
3eefdbf39773c6025cb7606a8981f33f135cc434fc1c69390adfc5297454fc43d514f76813dc884e47d4e8bce81ff61afef696fc433fc8ec76f6b0cf59fb39de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5480.exe

Filesize
337KB

MD5
5790b23bcf86e7146f494a71dfdb4bb1

SHA1
0fea676653e6638df8538443234cc0abc366bd37

SHA256
700b01624ba3aaeb4e8ad6c6beeb8c28b50d03d1c4beeffef032a1fde33391dc

SHA512
b7f5daf40966e1abbe897fccb1680b62b44ac0cd154d7e4caa2d67c7f0d0578e6d3d5ce87698676d1f7887009ff2d25114cc01ac03160cdef7b744a9c4f31031

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5480.exe

Filesize
337KB

MD5
5790b23bcf86e7146f494a71dfdb4bb1

SHA1
0fea676653e6638df8538443234cc0abc366bd37

SHA256
700b01624ba3aaeb4e8ad6c6beeb8c28b50d03d1c4beeffef032a1fde33391dc

SHA512
b7f5daf40966e1abbe897fccb1680b62b44ac0cd154d7e4caa2d67c7f0d0578e6d3d5ce87698676d1f7887009ff2d25114cc01ac03160cdef7b744a9c4f31031

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu922375.exe

Filesize
14KB

MD5
b11fc284187848ef47a74dbabba142f9

SHA1
24a096210b0cd1ff447a31d38ed6757a283b4d7a

SHA256
dfba045c8210983d94e6c7abf671f4612511f3f007c5742e50d2ec6460e839ce

SHA512
30bbfc9f7d4b7948eba6cc055cb0e0d8fc994ff5edbda575f567093f42282321a13da3a5f3aa3154e0243f4875350a02f89b9ef8a699bb8de9a5fdec372bf5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu922375.exe

Filesize
14KB

MD5
b11fc284187848ef47a74dbabba142f9

SHA1
24a096210b0cd1ff447a31d38ed6757a283b4d7a

SHA256
dfba045c8210983d94e6c7abf671f4612511f3f007c5742e50d2ec6460e839ce

SHA512
30bbfc9f7d4b7948eba6cc055cb0e0d8fc994ff5edbda575f567093f42282321a13da3a5f3aa3154e0243f4875350a02f89b9ef8a699bb8de9a5fdec372bf5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0800.exe

Filesize
294KB

MD5
d79478e8492877092b4de747cb4db2cf

SHA1
bb787c4a86fcf7fc7726876192a6266671816877

SHA256
82fe4b76aab95bf6cee4895a3cddcb7650a7471752ea69e1b14777e655e3a077

SHA512
1a7b9e377e151a4f19ecd0cc4a6c9370af8d1ac9188f821d7ffcb5f5bc1be2a0c14d531660359e0d14fbf3421c4d501bee8963fa7b2540d37fc99daa984710c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0800.exe

Filesize
294KB

MD5
d79478e8492877092b4de747cb4db2cf

SHA1
bb787c4a86fcf7fc7726876192a6266671816877

SHA256
82fe4b76aab95bf6cee4895a3cddcb7650a7471752ea69e1b14777e655e3a077

SHA512
1a7b9e377e151a4f19ecd0cc4a6c9370af8d1ac9188f821d7ffcb5f5bc1be2a0c14d531660359e0d14fbf3421c4d501bee8963fa7b2540d37fc99daa984710c7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1708-1142-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/1708-1141-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/1912-168-0x0000000004E80000-0x0000000005424000-memory.dmp

Filesize
5.6MB

Download
memory/1912-190-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-197-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-198-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-199-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-200-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1912-203-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-202-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-204-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1912-205-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1912-167-0x0000000000910000-0x000000000093D000-memory.dmp

Filesize
180KB

Download
memory/1912-194-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-192-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-196-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-188-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-186-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-184-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-182-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-180-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-178-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-176-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-174-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-172-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-170-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/1912-169-0x0000000002670000-0x0000000002682000-memory.dmp

Filesize
72KB

Download
memory/4436-161-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/4820-221-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-241-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-243-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-438-0x0000000000980000-0x00000000009CB000-memory.dmp

Filesize
300KB

Download
memory/4820-440-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-442-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-444-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1120-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/4820-1121-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

Filesize
1.0MB

Download
memory/4820-1122-0x0000000005BF0000-0x0000000005C02000-memory.dmp

Filesize
72KB

Download
memory/4820-1123-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1124-0x0000000005C10000-0x0000000005C4C000-memory.dmp

Filesize
240KB

Download
memory/4820-1126-0x0000000005F00000-0x0000000005F92000-memory.dmp

Filesize
584KB

Download
memory/4820-1127-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4820-1128-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1129-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1130-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1131-0x0000000006900000-0x0000000006976000-memory.dmp

Filesize
472KB

Download
memory/4820-1132-0x0000000006990000-0x00000000069E0000-memory.dmp

Filesize
320KB

Download
memory/4820-1133-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4820-1134-0x00000000069F0000-0x0000000006BB2000-memory.dmp

Filesize
1.8MB

Download
memory/4820-1135-0x0000000006BD0000-0x00000000070FC000-memory.dmp

Filesize
5.2MB

Download
memory/4820-239-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-237-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-235-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-233-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-227-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-229-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-231-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-225-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-223-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-219-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-217-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-215-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-213-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-210-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download
memory/4820-211-0x0000000002A90000-0x0000000002ACF000-memory.dmp

Filesize
252KB

Download