amadey | ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66

Analysis

max time kernel
108s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe
Size

976KB
MD5

4da0564106a533f68be682c3803837c2
SHA1

cfbe66f564b28ccd68a453d935122645cfc5673b
SHA256

ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66
SHA512

c0201739c8f53b1d4b8f76a97d8658b6ad2f3a1962248ac36504b381bd73b7f98a66aec79e8679964d0d5fdc3e7004a549379ea2c57d2ccf20714855d1cdf2a0
SSDEEP

12288:VMrMy903HziCIzrJhUJEO+Nw3RevQpnKnRv8Aou7t4OXDXovd6BQ98FtvYP:1yqWCIeEYBeIpnK37t4OrovdMtvYP

Score

10^/10

amadey aurora redline link rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

link

176.113.115.145:4125

Attributes

auth_value
77e4c7bc6fea5ae755b29e8aea8f7012

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v0034VE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz6939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz6939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz6939.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz6939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz6939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz6939.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/2972-211-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-213-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-210-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-215-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-217-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-219-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-221-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-223-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-225-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-227-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-229-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-231-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-233-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-235-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-237-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-239-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-241-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline
behavioral1/memory/2972-243-0x0000000002620000-0x000000000265F000-memory.dmp	family_redline

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y55Iz90.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

pid	Process
1348	zap8410.exe
2660	zap4794.exe
1704	zap9904.exe
2500	tz6939.exe
3720	v0034VE.exe
2972	w94Qj33.exe
400	xwqJH02.exe
2464	y55Iz90.exe
1336	oneetx.exe
3648	2023.exe
2552	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz6939.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v0034VE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v0034VE.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap9904.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8410.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap8410.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4794.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap9904.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1812	3720	WerFault.exe	89
228	2972	WerFault.exe	95

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2500	tz6939.exe
2500	tz6939.exe
3720	v0034VE.exe
3720	v0034VE.exe
2972	w94Qj33.exe
2972	w94Qj33.exe
400	xwqJH02.exe
400	xwqJH02.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	tz6939.exe
Token: SeDebugPrivilege	3720	v0034VE.exe
Token: SeDebugPrivilege	2972	w94Qj33.exe
Token: SeDebugPrivilege	400	xwqJH02.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	y55Iz90.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 1348	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	78
PID 3328 wrote to memory of 1348	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	78
PID 3328 wrote to memory of 1348	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	78
PID 1348 wrote to memory of 2660	1348	zap8410.exe	79
PID 1348 wrote to memory of 2660	1348	zap8410.exe	79
PID 1348 wrote to memory of 2660	1348	zap8410.exe	79
PID 2660 wrote to memory of 1704	2660	zap4794.exe	80
PID 2660 wrote to memory of 1704	2660	zap4794.exe	80
PID 2660 wrote to memory of 1704	2660	zap4794.exe	80
PID 1704 wrote to memory of 2500	1704	zap9904.exe	81
PID 1704 wrote to memory of 2500	1704	zap9904.exe	81
PID 1704 wrote to memory of 3720	1704	zap9904.exe	89
PID 1704 wrote to memory of 3720	1704	zap9904.exe	89
PID 1704 wrote to memory of 3720	1704	zap9904.exe	89
PID 2660 wrote to memory of 2972	2660	zap4794.exe	95
PID 2660 wrote to memory of 2972	2660	zap4794.exe	95
PID 2660 wrote to memory of 2972	2660	zap4794.exe	95
PID 1348 wrote to memory of 400	1348	zap8410.exe	99
PID 1348 wrote to memory of 400	1348	zap8410.exe	99
PID 1348 wrote to memory of 400	1348	zap8410.exe	99
PID 3328 wrote to memory of 2464	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	100
PID 3328 wrote to memory of 2464	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	100
PID 3328 wrote to memory of 2464	3328	ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe	100
PID 2464 wrote to memory of 1336	2464	y55Iz90.exe	101
PID 2464 wrote to memory of 1336	2464	y55Iz90.exe	101
PID 2464 wrote to memory of 1336	2464	y55Iz90.exe	101
PID 1336 wrote to memory of 2792	1336	oneetx.exe	102
PID 1336 wrote to memory of 2792	1336	oneetx.exe	102
PID 1336 wrote to memory of 2792	1336	oneetx.exe	102
PID 1336 wrote to memory of 544	1336	oneetx.exe	104
PID 1336 wrote to memory of 544	1336	oneetx.exe	104
PID 1336 wrote to memory of 544	1336	oneetx.exe	104
PID 544 wrote to memory of 1136	544	cmd.exe	106
PID 544 wrote to memory of 1136	544	cmd.exe	106
PID 544 wrote to memory of 1136	544	cmd.exe	106
PID 544 wrote to memory of 1408	544	cmd.exe	107
PID 544 wrote to memory of 1408	544	cmd.exe	107
PID 544 wrote to memory of 1408	544	cmd.exe	107
PID 544 wrote to memory of 1484	544	cmd.exe	108
PID 544 wrote to memory of 1484	544	cmd.exe	108
PID 544 wrote to memory of 1484	544	cmd.exe	108
PID 544 wrote to memory of 4896	544	cmd.exe	109
PID 544 wrote to memory of 4896	544	cmd.exe	109
PID 544 wrote to memory of 4896	544	cmd.exe	109
PID 544 wrote to memory of 1452	544	cmd.exe	110
PID 544 wrote to memory of 1452	544	cmd.exe	110
PID 544 wrote to memory of 1452	544	cmd.exe	110
PID 544 wrote to memory of 2172	544	cmd.exe	111
PID 544 wrote to memory of 2172	544	cmd.exe	111
PID 544 wrote to memory of 2172	544	cmd.exe	111
PID 1336 wrote to memory of 3648	1336	oneetx.exe	112
PID 1336 wrote to memory of 3648	1336	oneetx.exe	112
PID 1336 wrote to memory of 3648	1336	oneetx.exe	112
PID 1336 wrote to memory of 2540	1336	oneetx.exe	113
PID 1336 wrote to memory of 2540	1336	oneetx.exe	113
PID 1336 wrote to memory of 2540	1336	oneetx.exe	113

C:\Users\Admin\AppData\Local\Temp\ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe
"C:\Users\Admin\AppData\Local\Temp\ab959b656f9fb68405e9fc19b8d67d0d8cc3ea10d1ffec9540283df03e5d9e66.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8410.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8410.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4794.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4794.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9904.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9904.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6939.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6939.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034VE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034VE.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1064
        6⤵
        Program crash
        
        PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w94Qj33.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w94Qj33.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1332
        5⤵
        Program crash
        
        PID:228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwqJH02.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwqJH02.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55Iz90.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55Iz90.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:1408
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:N"
        5⤵
        
        PID:1452
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c5d2db5804" /P "Admin:R" /E
        5⤵
        
        PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\1000044001\2023.exe
      "C:\Users\Admin\AppData\Local\Temp\1000044001\2023.exe"
      4⤵
      Executes dropped EXE
      PID:3648
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3720 -ip 3720
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2972 -ip 2972
1⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:2552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000044001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\2023.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55Iz90.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y55Iz90.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8410.exe

Filesize
793KB

MD5
84e3ac4ecd1fb544df4230d18b3095e2

SHA1
e67c49ac3f0e29443c586f4f765b97319d039a13

SHA256
24618e28b45ed826cbd5cc1676312e6d7be4424f708ab731fb489ab41ee8726b

SHA512
745f79dba7b64b15d6cb68fbb2370fc023534d7fc15105380dec3aac31bf4ad1ce9627dc74e81f53064a315cf137deb21bfe9e552e43ea33409034370aad55f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap8410.exe

Filesize
793KB

MD5
84e3ac4ecd1fb544df4230d18b3095e2

SHA1
e67c49ac3f0e29443c586f4f765b97319d039a13

SHA256
24618e28b45ed826cbd5cc1676312e6d7be4424f708ab731fb489ab41ee8726b

SHA512
745f79dba7b64b15d6cb68fbb2370fc023534d7fc15105380dec3aac31bf4ad1ce9627dc74e81f53064a315cf137deb21bfe9e552e43ea33409034370aad55f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwqJH02.exe

Filesize
175KB

MD5
2ecaf0144463d2a07ee1e54dbc29c615

SHA1
45d923f9d6e1b6eef3cd323d84b297b84de83b49

SHA256
41d2305b0a7a314f554f1500647432855b5c53d5ef6563a14b07cd0d3613c117

SHA512
2de9ecf0ccf7ed915e7566442325276d6eecf4d7aee8d3bd39a8e7546053fcdf851d0ec6618080c2a240df85754d005dad44cd5f9c5ec69fbda4b5925affb5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xwqJH02.exe

Filesize
175KB

MD5
2ecaf0144463d2a07ee1e54dbc29c615

SHA1
45d923f9d6e1b6eef3cd323d84b297b84de83b49

SHA256
41d2305b0a7a314f554f1500647432855b5c53d5ef6563a14b07cd0d3613c117

SHA512
2de9ecf0ccf7ed915e7566442325276d6eecf4d7aee8d3bd39a8e7546053fcdf851d0ec6618080c2a240df85754d005dad44cd5f9c5ec69fbda4b5925affb5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4794.exe

Filesize
650KB

MD5
8370c5db53e32d399fc759d1635c432c

SHA1
d964865c76c6a7f506de6c3420c06de157862959

SHA256
5de97079d635796a04c3e90fa1b48eb60a01c4d33c96d16d636bb6ee2baa2031

SHA512
1ad9e27560d9bae1c7e91e9c4609f65a6493f59a23df8feb5dfe63ddc9d0247049718cc5049621a95f2aefe70ad34dbe4558e09e544daa7b1e513e6dcaed735a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4794.exe

Filesize
650KB

MD5
8370c5db53e32d399fc759d1635c432c

SHA1
d964865c76c6a7f506de6c3420c06de157862959

SHA256
5de97079d635796a04c3e90fa1b48eb60a01c4d33c96d16d636bb6ee2baa2031

SHA512
1ad9e27560d9bae1c7e91e9c4609f65a6493f59a23df8feb5dfe63ddc9d0247049718cc5049621a95f2aefe70ad34dbe4558e09e544daa7b1e513e6dcaed735a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w94Qj33.exe

Filesize
295KB

MD5
954b33ecac2d7b6fb1d7870a2ed11166

SHA1
7948aecf0818b9660d392e096dc2870a8a597d2b

SHA256
ae63a4a8cdcb058e481f518ee06421c36bd7c8aa0c106242dcb245521934e609

SHA512
e09c60999cb489fbd5e9327bdc6782b308e589f2d5d0f777bde61c8647a5f32736c351cce12c07c29453f994aa6810ff50bbfb295c36137167aae5cb84ed9871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w94Qj33.exe

Filesize
295KB

MD5
954b33ecac2d7b6fb1d7870a2ed11166

SHA1
7948aecf0818b9660d392e096dc2870a8a597d2b

SHA256
ae63a4a8cdcb058e481f518ee06421c36bd7c8aa0c106242dcb245521934e609

SHA512
e09c60999cb489fbd5e9327bdc6782b308e589f2d5d0f777bde61c8647a5f32736c351cce12c07c29453f994aa6810ff50bbfb295c36137167aae5cb84ed9871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9904.exe

Filesize
321KB

MD5
fed3ba0f3271b3625994fcda8ad8f590

SHA1
ddf7b842ba6e4d698771c0d92b426fb645e0478f

SHA256
b23eb560a17f46bdfb6a6b0f8735658c014255d6d4e6dc5afa39b74903ba3420

SHA512
81a9e7d43c785b68bf0a787e559bfb6a0bfff649810fe2ef4eff9c962ab1613fe949560dfadaeae92468d51ebdfbda219e6b8c191ea2d5eb9512a290712616d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9904.exe

Filesize
321KB

MD5
fed3ba0f3271b3625994fcda8ad8f590

SHA1
ddf7b842ba6e4d698771c0d92b426fb645e0478f

SHA256
b23eb560a17f46bdfb6a6b0f8735658c014255d6d4e6dc5afa39b74903ba3420

SHA512
81a9e7d43c785b68bf0a787e559bfb6a0bfff649810fe2ef4eff9c962ab1613fe949560dfadaeae92468d51ebdfbda219e6b8c191ea2d5eb9512a290712616d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6939.exe

Filesize
14KB

MD5
f8fc347ece4b2df8bcc0fbf5bc5827a5

SHA1
09d8ba275536963b7fe72899e4a382df85a5197d

SHA256
42ec601912589cc0c823bbbf801e6840cde5fc62d2baea3daf72f366462f0145

SHA512
c89e674cc037654dbd563586af1404a55cbb184a588f2023d77050e48bb27ba03708a4618499977fc0734b610329d37a6036d5d70c1c1095db496b5312b97815

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz6939.exe

Filesize
14KB

MD5
f8fc347ece4b2df8bcc0fbf5bc5827a5

SHA1
09d8ba275536963b7fe72899e4a382df85a5197d

SHA256
42ec601912589cc0c823bbbf801e6840cde5fc62d2baea3daf72f366462f0145

SHA512
c89e674cc037654dbd563586af1404a55cbb184a588f2023d77050e48bb27ba03708a4618499977fc0734b610329d37a6036d5d70c1c1095db496b5312b97815

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034VE.exe

Filesize
237KB

MD5
68cc197b819d651e11e79134a09ad38c

SHA1
63f10f9256080332bd4bdc998c9d07de23d25d6d

SHA256
7159aea9941dc62a7898c01ec6af2d3326f3aa794554f733e5e2f3c8fe20e35d

SHA512
c199b84c05d175149553e3cb91638bc181d9244644d0d16874312248badb721a95e89df259c3cf0cd333881f4fd5acde5f9ebb4fd252b02d62b6fec76adb5f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0034VE.exe

Filesize
237KB

MD5
68cc197b819d651e11e79134a09ad38c

SHA1
63f10f9256080332bd4bdc998c9d07de23d25d6d

SHA256
7159aea9941dc62a7898c01ec6af2d3326f3aa794554f733e5e2f3c8fe20e35d

SHA512
c199b84c05d175149553e3cb91638bc181d9244644d0d16874312248badb721a95e89df259c3cf0cd333881f4fd5acde5f9ebb4fd252b02d62b6fec76adb5f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe

Filesize
236KB

MD5
94001fe89ac86f846cb9d8613a4265b6

SHA1
497406e64b10a0440c3ad0ff95867a1f46b4b109

SHA256
83c3bdff52ebacb50cf040d09766a0bafc872e2d2329a548936690f7898a4430

SHA512
bf11358ab0d6354891c72fb4f8af9a8ae5a67a3e9e26b7ab538c33054c6acd5e1b1cc82b40acea48a5d3b541cd0dd596e823fb548c1ba373930f1d51f42ae146

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/400-1142-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/400-1141-0x0000000000240000-0x0000000000272000-memory.dmp

Filesize
200KB

Download
memory/2500-161-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download
memory/2972-1130-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-1121-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/2972-1135-0x00000000069E0000-0x0000000006F0C000-memory.dmp

Filesize
5.2MB

Download
memory/2972-1134-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/2972-1133-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-1132-0x0000000006680000-0x00000000066D0000-memory.dmp

Filesize
320KB

Download
memory/2972-1131-0x00000000065F0000-0x0000000006666000-memory.dmp

Filesize
472KB

Download
memory/2972-1129-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-211-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-213-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-210-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-215-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-217-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-219-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-221-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-223-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-225-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-227-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-229-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-231-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-233-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-235-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-237-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-239-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-241-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-243-0x0000000002620000-0x000000000265F000-memory.dmp

Filesize
252KB

Download
memory/2972-326-0x0000000000760000-0x00000000007AB000-memory.dmp

Filesize
300KB

Download
memory/2972-330-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-328-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-333-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-1120-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/2972-1128-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-1122-0x00000000059E0000-0x00000000059F2000-memory.dmp

Filesize
72KB

Download
memory/2972-1123-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/2972-1124-0x0000000005A00000-0x0000000005A3C000-memory.dmp

Filesize
240KB

Download
memory/2972-1125-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/2972-1126-0x00000000063B0000-0x0000000006442000-memory.dmp

Filesize
584KB

Download
memory/3720-188-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-205-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3720-200-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3720-199-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-186-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-204-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-203-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-184-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-196-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-194-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-192-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-190-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-197-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-198-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-202-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3720-182-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-180-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-178-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-176-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-174-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-172-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-170-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-169-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/3720-168-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/3720-167-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download