amadey | a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9

Analysis

max time kernel
145s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2023, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe
Size

977KB
MD5

89d0d821668e9ead92d600be31b916a7
SHA1

d62da8f1a84d15d3b4310bcb831111db1ea59db1
SHA256

a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9
SHA512

8327cdb6d0b51545ac46aa30f04c4dce7f0eec1a24d8d0e5474c6cd8204fc58fb07effa28125d1236bce466aceb33548ec77f70f8085d784fec9d8cbf143f3a0
SSDEEP

24576:ay0TPMajXmFZ+DoRbs73xVMWWGr3fYn+CegtDa+x7Bm:huM/gOu3AWdgNeG3t

Score

10^/10

amadey redline nord rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nord

176.113.115.145:4125

Attributes

auth_value
ebb7d38cdbd7c83cf6363ef3feb3a530

Extracted

Family

amadey

Version

3.69

193.233.20.29/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1820.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu084572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu084572.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu084572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu084572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu084572.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu084572.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

resource	yara_rule
behavioral1/memory/4424-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-194-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-196-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-223-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-226-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-231-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-234-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-237-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-239-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-243-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-241-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/4424-245-0x0000000004A60000-0x0000000004A9F000-memory.dmp	family_redline
behavioral1/memory/3580-1129-0x0000000004B80000-0x0000000004B90000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge994737.exe

Executes dropped EXE 12 IoCs

pid	Process
2308	kina9818.exe
100	kina3229.exe
4832	kina2877.exe
3992	bu084572.exe
4000	cor1820.exe
3580	cor1820.exe
4424	dbN44s96.exe
4728	en523555.exe
4476	ge994737.exe
628	oneetx.exe
4944	oneetx.exe
1872	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu084572.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1820.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1820.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9818.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina9818.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3229.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina3229.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina2877.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4000 set thread context of 3580	4000	cor1820.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3096	4424	WerFault.exe	99

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3992	bu084572.exe
3992	bu084572.exe
3580	cor1820.exe
3580	cor1820.exe
4424	dbN44s96.exe
4424	dbN44s96.exe
4728	en523555.exe
4728	en523555.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	bu084572.exe
Token: SeDebugPrivilege	3580	cor1820.exe
Token: SeDebugPrivilege	4424	dbN44s96.exe
Token: SeDebugPrivilege	4728	en523555.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4476	ge994737.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 2308	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	87
PID 3756 wrote to memory of 2308	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	87
PID 3756 wrote to memory of 2308	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	87
PID 2308 wrote to memory of 100	2308	kina9818.exe	88
PID 2308 wrote to memory of 100	2308	kina9818.exe	88
PID 2308 wrote to memory of 100	2308	kina9818.exe	88
PID 100 wrote to memory of 4832	100	kina3229.exe	89
PID 100 wrote to memory of 4832	100	kina3229.exe	89
PID 100 wrote to memory of 4832	100	kina3229.exe	89
PID 4832 wrote to memory of 3992	4832	kina2877.exe	90
PID 4832 wrote to memory of 3992	4832	kina2877.exe	90
PID 4832 wrote to memory of 4000	4832	kina2877.exe	97
PID 4832 wrote to memory of 4000	4832	kina2877.exe	97
PID 4832 wrote to memory of 4000	4832	kina2877.exe	97
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 4000 wrote to memory of 3580	4000	cor1820.exe	98
PID 100 wrote to memory of 4424	100	kina3229.exe	99
PID 100 wrote to memory of 4424	100	kina3229.exe	99
PID 100 wrote to memory of 4424	100	kina3229.exe	99
PID 2308 wrote to memory of 4728	2308	kina9818.exe	103
PID 2308 wrote to memory of 4728	2308	kina9818.exe	103
PID 2308 wrote to memory of 4728	2308	kina9818.exe	103
PID 3756 wrote to memory of 4476	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	104
PID 3756 wrote to memory of 4476	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	104
PID 3756 wrote to memory of 4476	3756	a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe	104
PID 4476 wrote to memory of 628	4476	ge994737.exe	105
PID 4476 wrote to memory of 628	4476	ge994737.exe	105
PID 4476 wrote to memory of 628	4476	ge994737.exe	105
PID 628 wrote to memory of 1600	628	oneetx.exe	106
PID 628 wrote to memory of 1600	628	oneetx.exe	106
PID 628 wrote to memory of 1600	628	oneetx.exe	106
PID 628 wrote to memory of 4344	628	oneetx.exe	108
PID 628 wrote to memory of 4344	628	oneetx.exe	108
PID 628 wrote to memory of 4344	628	oneetx.exe	108
PID 4344 wrote to memory of 216	4344	cmd.exe	110
PID 4344 wrote to memory of 216	4344	cmd.exe	110
PID 4344 wrote to memory of 216	4344	cmd.exe	110
PID 4344 wrote to memory of 2880	4344	cmd.exe	111
PID 4344 wrote to memory of 2880	4344	cmd.exe	111
PID 4344 wrote to memory of 2880	4344	cmd.exe	111
PID 4344 wrote to memory of 208	4344	cmd.exe	112
PID 4344 wrote to memory of 208	4344	cmd.exe	112
PID 4344 wrote to memory of 208	4344	cmd.exe	112
PID 4344 wrote to memory of 3736	4344	cmd.exe	113
PID 4344 wrote to memory of 3736	4344	cmd.exe	113
PID 4344 wrote to memory of 3736	4344	cmd.exe	113
PID 4344 wrote to memory of 3616	4344	cmd.exe	114
PID 4344 wrote to memory of 3616	4344	cmd.exe	114
PID 4344 wrote to memory of 3616	4344	cmd.exe	114
PID 4344 wrote to memory of 4496	4344	cmd.exe	115
PID 4344 wrote to memory of 4496	4344	cmd.exe	115
PID 4344 wrote to memory of 4496	4344	cmd.exe	115
PID 628 wrote to memory of 1992	628	oneetx.exe	117
PID 628 wrote to memory of 1992	628	oneetx.exe	117
PID 628 wrote to memory of 1992	628	oneetx.exe	117

C:\Users\Admin\AppData\Local\Temp\a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe
"C:\Users\Admin\AppData\Local\Temp\a434c2953417a2d3b1786128a507fa67f416ddc9223fa29e6bdb1ca3fe4a7de9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9818.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9818.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3229.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3229.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2877.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2877.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu084572.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu084572.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbN44s96.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbN44s96.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1472
        5⤵
        Program crash
        
        PID:3096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en523555.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en523555.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge994737.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge994737.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\550693dc87" /P "Admin:N"&&CACLS "..\550693dc87" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:216
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:N"
        5⤵
        
        PID:3616
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\550693dc87" /P "Admin:R" /E
        5⤵
        
        PID:4496
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4424 -ip 4424
1⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:4944

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe
1⤵
- Executes dropped EXE
PID:1872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge994737.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge994737.exe

Filesize
236KB

MD5
08424f907e13c0e68b8402272e780ead

SHA1
8e00daecb326725c16510e318b93b962bdf79243

SHA256
11b50e0a97949e0aae888262a226dbdea185c7e6e903b99bb02793ce94ef9f58

SHA512
b23214f0579e206147a48d625407c303d71f75f32d7eaeb1293932b690620dfda04921ac5d0fd512f5506b0d3f2470d22600a2f13ceee4b7d4146badb5779daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9818.exe

Filesize
792KB

MD5
da74f9ddbb03649e845ce670b885cc1b

SHA1
8a85ac60e5e44f357223be9f1b2db78cd78fe908

SHA256
f7e09ce228674789b084e408d046b5ef1f95ca3c77fe6dfc31ea42a1a539ace5

SHA512
5f9d1b939ab9ba4ebf2792203442b46e02186e839fb38a6204f9104affcb6ce48f0b33020ae8776b77790ac7edd6f207cacceace3622d69e53c1fb29bf4f05f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9818.exe

Filesize
792KB

MD5
da74f9ddbb03649e845ce670b885cc1b

SHA1
8a85ac60e5e44f357223be9f1b2db78cd78fe908

SHA256
f7e09ce228674789b084e408d046b5ef1f95ca3c77fe6dfc31ea42a1a539ace5

SHA512
5f9d1b939ab9ba4ebf2792203442b46e02186e839fb38a6204f9104affcb6ce48f0b33020ae8776b77790ac7edd6f207cacceace3622d69e53c1fb29bf4f05f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en523555.exe

Filesize
175KB

MD5
0377fd29ccab8212030db942b0021848

SHA1
46c8c6ebbb718cda74caf79f46ba282d81d7fc88

SHA256
cdbfd5888f90669d90e225fa58d5711a29032192dedabdcedee8191c3dc22ede

SHA512
7c1f397ca42668946883fb7ab2f723bed40872bf3a539b559ad988dd2264495fe840660960692ca9f093186a2160cb86bf53fa15e574b32e842a5ccb8d31c52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en523555.exe

Filesize
175KB

MD5
0377fd29ccab8212030db942b0021848

SHA1
46c8c6ebbb718cda74caf79f46ba282d81d7fc88

SHA256
cdbfd5888f90669d90e225fa58d5711a29032192dedabdcedee8191c3dc22ede

SHA512
7c1f397ca42668946883fb7ab2f723bed40872bf3a539b559ad988dd2264495fe840660960692ca9f093186a2160cb86bf53fa15e574b32e842a5ccb8d31c52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3229.exe

Filesize
650KB

MD5
8e31835792ca669b7fa0330acd453eb2

SHA1
36b4b8744623b077e7a3a87a99ed9d26a9878ce9

SHA256
ae4e47816519a578d3612246cb97519eaffa5bcf23dda7bb7595c150fc506439

SHA512
a222eac2384480d7a08d7cdbdb7a0d5da1c9e9c292d62a73b1793fd91481e3beaf1b91cd6e670ecab0e669caaff8870fa86325e3a026f9c20197ea90a2e6b8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3229.exe

Filesize
650KB

MD5
8e31835792ca669b7fa0330acd453eb2

SHA1
36b4b8744623b077e7a3a87a99ed9d26a9878ce9

SHA256
ae4e47816519a578d3612246cb97519eaffa5bcf23dda7bb7595c150fc506439

SHA512
a222eac2384480d7a08d7cdbdb7a0d5da1c9e9c292d62a73b1793fd91481e3beaf1b91cd6e670ecab0e669caaff8870fa86325e3a026f9c20197ea90a2e6b8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbN44s96.exe

Filesize
294KB

MD5
97e8295293c77c932abbee3fa1fe9547

SHA1
6ac4dd3868579a50166fe9b6381454bbfa871e53

SHA256
c18ba93c5c168f086d85405e1540767d1833410a426a6ae4b0c5be072f4ef8f0

SHA512
a10a1ac59e845ae764daeb731f39cc8d6c5e331b7506b75f6233a9335e98b129474a48e85842ac48dd8f3fa242bb7073f5e6fa1eff9ea5d271ece2e5d6fec849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbN44s96.exe

Filesize
294KB

MD5
97e8295293c77c932abbee3fa1fe9547

SHA1
6ac4dd3868579a50166fe9b6381454bbfa871e53

SHA256
c18ba93c5c168f086d85405e1540767d1833410a426a6ae4b0c5be072f4ef8f0

SHA512
a10a1ac59e845ae764daeb731f39cc8d6c5e331b7506b75f6233a9335e98b129474a48e85842ac48dd8f3fa242bb7073f5e6fa1eff9ea5d271ece2e5d6fec849

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2877.exe

Filesize
322KB

MD5
20a5c32e0eac484573d9b3705cd369d3

SHA1
dcb91f680e53c396c2bc39e812f6ddc54391f3e3

SHA256
4c2d679b7763b2af5b1a22e06d99ac667e140755f72e6598e61c9dc23232af77

SHA512
aa56d1477094f9831f5b0f9cd40fabe5949b83febd8f0b784852b0a32a92b2ac9f623c3ea4280805877243293599a3d62cf8d2d9e082302a20354aa0ed027726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2877.exe

Filesize
322KB

MD5
20a5c32e0eac484573d9b3705cd369d3

SHA1
dcb91f680e53c396c2bc39e812f6ddc54391f3e3

SHA256
4c2d679b7763b2af5b1a22e06d99ac667e140755f72e6598e61c9dc23232af77

SHA512
aa56d1477094f9831f5b0f9cd40fabe5949b83febd8f0b784852b0a32a92b2ac9f623c3ea4280805877243293599a3d62cf8d2d9e082302a20354aa0ed027726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu084572.exe

Filesize
11KB

MD5
b7d164a4031432253af1704813dbd012

SHA1
016b8126ca1b26bf928e640a44b6d0233de703e6

SHA256
a1b31a22da9cde3eefc0af7ea5298a29a84fb38f4e8b8b4ab2ab4f0a27a5e301

SHA512
8b08e34c1c9d33d5587216a12c39991845613b2a949e3d06f30dbe9623f18f71f6c808d93d3b5d9bfd2b5efb3621a34b1e6a796f4933f96d48d199850f6863ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu084572.exe

Filesize
11KB

MD5
b7d164a4031432253af1704813dbd012

SHA1
016b8126ca1b26bf928e640a44b6d0233de703e6

SHA256
a1b31a22da9cde3eefc0af7ea5298a29a84fb38f4e8b8b4ab2ab4f0a27a5e301

SHA512
8b08e34c1c9d33d5587216a12c39991845613b2a949e3d06f30dbe9623f18f71f6c808d93d3b5d9bfd2b5efb3621a34b1e6a796f4933f96d48d199850f6863ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe

Filesize
237KB

MD5
763a749c5cfff06e68b1313aa9936109

SHA1
2af1ccda84106e2fbd76aca28617226304aa1a5a

SHA256
7337221e8f1d58c94e0e37f7e1cebb465f529e7920bb91f8aae93dad43ec5040

SHA512
f6135bd1b9df58ae88ab9e9cd983a7c938887e5eda4b9707d2a2eda5ebbb133e66447b22525369019626459be68aa170a7bde21c000bd36da3cbf162def709e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe

Filesize
237KB

MD5
763a749c5cfff06e68b1313aa9936109

SHA1
2af1ccda84106e2fbd76aca28617226304aa1a5a

SHA256
7337221e8f1d58c94e0e37f7e1cebb465f529e7920bb91f8aae93dad43ec5040

SHA512
f6135bd1b9df58ae88ab9e9cd983a7c938887e5eda4b9707d2a2eda5ebbb133e66447b22525369019626459be68aa170a7bde21c000bd36da3cbf162def709e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1820.exe

Filesize
237KB

MD5
763a749c5cfff06e68b1313aa9936109

SHA1
2af1ccda84106e2fbd76aca28617226304aa1a5a

SHA256
7337221e8f1d58c94e0e37f7e1cebb465f529e7920bb91f8aae93dad43ec5040

SHA512
f6135bd1b9df58ae88ab9e9cd983a7c938887e5eda4b9707d2a2eda5ebbb133e66447b22525369019626459be68aa170a7bde21c000bd36da3cbf162def709e7

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
9e9f6b48159690d4916e38b26d8f92cb

SHA1
2016224921b0791d3de7d897a520d5d35eb84f34

SHA256
7705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053

SHA512
5737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3580-200-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3580-217-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-235-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-167-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3580-193-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-1130-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3580-199-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-203-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3580-206-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3580-170-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3580-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3580-211-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-177-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3580-178-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/3580-179-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-1129-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3580-180-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-182-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-205-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-190-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-222-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-184-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-227-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-186-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-1136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3580-230-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3580-1131-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/3992-161-0x0000000000790000-0x000000000079A000-memory.dmp

Filesize
40KB

Download
memory/4000-169-0x00000000005F0000-0x000000000061E000-memory.dmp

Filesize
184KB

Download
memory/4424-1120-0x0000000005140000-0x0000000005758000-memory.dmp

Filesize
6.1MB

Download
memory/4424-1138-0x0000000006550000-0x0000000006A7C000-memory.dmp

Filesize
5.2MB

Download
memory/4424-241-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-245-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-189-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-1121-0x0000000005760000-0x000000000586A000-memory.dmp

Filesize
1.0MB

Download
memory/4424-1122-0x00000000058A0000-0x00000000058B2000-memory.dmp

Filesize
72KB

Download
memory/4424-1123-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-1124-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4424-1127-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/4424-1128-0x0000000006280000-0x0000000006312000-memory.dmp

Filesize
584KB

Download
memory/4424-239-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-237-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-234-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-1132-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-231-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-1137-0x0000000006370000-0x0000000006532000-memory.dmp

Filesize
1.8MB

Download
memory/4424-243-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-1139-0x0000000006DF0000-0x0000000006E66000-memory.dmp

Filesize
472KB

Download
memory/4424-1140-0x0000000006E80000-0x0000000006ED0000-memory.dmp

Filesize
320KB

Download
memory/4424-1141-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-226-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-187-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-194-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-196-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-223-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-209-0x0000000000560000-0x00000000005AB000-memory.dmp

Filesize
300KB

Download
memory/4424-215-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-219-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-218-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-213-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-212-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4424-207-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4424-201-0x0000000004A60000-0x0000000004A9F000-memory.dmp

Filesize
252KB

Download
memory/4728-1148-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/4728-1147-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download