amadey | 2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2023, 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe
Size

515KB
MD5

9773e127ab299d713769f1827fc1f443
SHA1

a50cd6e577e58bd3e2855a2238e3104da7641820
SHA256

2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979
SHA512

2586e6a41020dbc7967704a98487043edd3a9534eecbe49948815fc6bc24ba8f298bc7f2cb3e5f62e9e43e00813faa9ed9adca50961331b3d8f442d9aa0f4064
SSDEEP

12288:WMrpy90DGyZ6Izwz+1+1El2FrmaZeD938KDUirRU:Hy6GyZ6IUzM+1c2N1Z2l1/rRU

Score

10^/10

amadey healer redline smokeloader grom backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.85

77.91.68.3/home/love/index.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grom

77.91.68.68:19071

Attributes

auth_value
9ec3129bff410b89097d656d7abc33dc

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002320c-152.dat	healer
behavioral1/files/0x000800000002320c-153.dat	healer
behavioral1/memory/4560-154-0x0000000000F30000-0x0000000000F3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8976039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8976039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8976039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8976039.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8976039.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8976039.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	b9301680.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	danke.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	F8E2.exe

Executes dropped EXE 10 IoCs

pid	Process
1728	v2628955.exe
2928	v6530913.exe
4560	a8976039.exe
4024	b9301680.exe
2224	danke.exe
2044	c5240566.exe
1960	d2562653.exe
1128	danke.exe
2204	danke.exe
244	F8E2.exe

Loads dropped DLL 3 IoCs

pid	Process
1712	rundll32.exe
3024	rundll32.exe
1316	rundll32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8976039.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2628955.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6530913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6530913.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2628955.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5240566.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5240566.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5240566.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4508	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	F8E2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	a8976039.exe
4560	a8976039.exe
2044	c5240566.exe
2044	c5240566.exe
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found
408	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
408	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2044	c5240566.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	4560	a8976039.exe
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found
Token: SeShutdownPrivilege	408	Process not Found
Token: SeCreatePagefilePrivilege	408	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4024	b9301680.exe
408	Process not Found
408	Process not Found

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 1728	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	84
PID 4404 wrote to memory of 1728	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	84
PID 4404 wrote to memory of 1728	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	84
PID 1728 wrote to memory of 2928	1728	v2628955.exe	85
PID 1728 wrote to memory of 2928	1728	v2628955.exe	85
PID 1728 wrote to memory of 2928	1728	v2628955.exe	85
PID 2928 wrote to memory of 4560	2928	v6530913.exe	87
PID 2928 wrote to memory of 4560	2928	v6530913.exe	87
PID 2928 wrote to memory of 4024	2928	v6530913.exe	95
PID 2928 wrote to memory of 4024	2928	v6530913.exe	95
PID 2928 wrote to memory of 4024	2928	v6530913.exe	95
PID 4024 wrote to memory of 2224	4024	b9301680.exe	96
PID 4024 wrote to memory of 2224	4024	b9301680.exe	96
PID 4024 wrote to memory of 2224	4024	b9301680.exe	96
PID 1728 wrote to memory of 2044	1728	v2628955.exe	97
PID 1728 wrote to memory of 2044	1728	v2628955.exe	97
PID 1728 wrote to memory of 2044	1728	v2628955.exe	97
PID 2224 wrote to memory of 4508	2224	danke.exe	98
PID 2224 wrote to memory of 4508	2224	danke.exe	98
PID 2224 wrote to memory of 4508	2224	danke.exe	98
PID 2224 wrote to memory of 4172	2224	danke.exe	99
PID 2224 wrote to memory of 4172	2224	danke.exe	99
PID 2224 wrote to memory of 4172	2224	danke.exe	99
PID 4172 wrote to memory of 5016	4172	cmd.exe	102
PID 4172 wrote to memory of 5016	4172	cmd.exe	102
PID 4172 wrote to memory of 5016	4172	cmd.exe	102
PID 4172 wrote to memory of 3168	4172	cmd.exe	103
PID 4172 wrote to memory of 3168	4172	cmd.exe	103
PID 4172 wrote to memory of 3168	4172	cmd.exe	103
PID 4172 wrote to memory of 220	4172	cmd.exe	104
PID 4172 wrote to memory of 220	4172	cmd.exe	104
PID 4172 wrote to memory of 220	4172	cmd.exe	104
PID 4172 wrote to memory of 3656	4172	cmd.exe	105
PID 4172 wrote to memory of 3656	4172	cmd.exe	105
PID 4172 wrote to memory of 3656	4172	cmd.exe	105
PID 4172 wrote to memory of 1252	4172	cmd.exe	106
PID 4172 wrote to memory of 1252	4172	cmd.exe	106
PID 4172 wrote to memory of 1252	4172	cmd.exe	106
PID 4172 wrote to memory of 4340	4172	cmd.exe	107
PID 4172 wrote to memory of 4340	4172	cmd.exe	107
PID 4172 wrote to memory of 4340	4172	cmd.exe	107
PID 4404 wrote to memory of 1960	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	109
PID 4404 wrote to memory of 1960	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	109
PID 4404 wrote to memory of 1960	4404	2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe	109
PID 2224 wrote to memory of 1712	2224	danke.exe	119
PID 2224 wrote to memory of 1712	2224	danke.exe	119
PID 2224 wrote to memory of 1712	2224	danke.exe	119
PID 408 wrote to memory of 244	408	Process not Found	122
PID 408 wrote to memory of 244	408	Process not Found	122
PID 408 wrote to memory of 244	408	Process not Found	122
PID 244 wrote to memory of 4700	244	F8E2.exe	123
PID 244 wrote to memory of 4700	244	F8E2.exe	123
PID 244 wrote to memory of 4700	244	F8E2.exe	123
PID 4700 wrote to memory of 3024	4700	control.exe	125
PID 4700 wrote to memory of 3024	4700	control.exe	125
PID 4700 wrote to memory of 3024	4700	control.exe	125
PID 3024 wrote to memory of 3148	3024	rundll32.exe	126
PID 3024 wrote to memory of 3148	3024	rundll32.exe	126
PID 3148 wrote to memory of 1316	3148	RunDll32.exe	127
PID 3148 wrote to memory of 1316	3148	RunDll32.exe	127
PID 3148 wrote to memory of 1316	3148	RunDll32.exe	127

C:\Users\Admin\AppData\Local\Temp\2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe
"C:\Users\Admin\AppData\Local\Temp\2b972bac27b72257e8504b248d877537d0dec93784e4400fd297c7051bd19979.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2628955.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2628955.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6530913.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6530913.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8976039.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8976039.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9301680.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9301680.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2224
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4508
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:N"
        7⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "danke.exe" /P "Admin:R" /E
        7⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:N"
        7⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\3ec1f323b5" /P "Admin:R" /E
        7⤵
        
        PID:4340
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5240566.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5240566.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2562653.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2562653.exe
  2⤵
  - Executes dropped EXE
  PID:1960

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:1128

C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
1⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\AppData\Local\Temp\F8E2.exe
C:\Users\Admin\AppData\Local\Temp\F8E2.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1GV5.cpl",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1GV5.cpl",
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1GV5.cpl",
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\1GV5.cpl",
        5⤵
        Loads dropped DLL
        
        PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1GV5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1GV5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1GV5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1GV5.cpl

Filesize
1.2MB

MD5
f399f314f8fe0b4418a090201b7efbe1

SHA1
9d8642794a199c8eb51fa7aaf2b900b55e1c974f

SHA256
259ca1c9668f86c26d6184a3a8c3277c127fd95441fe9254835ef2fbe458a31d

SHA512
fa9465cf548dd8818715a23add33215b14baab9ad829f6b9b77f6cfb129b098aa02b8845d23001d651fd43c5afa20886a35fb9056635b336867953336ac87eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E2.exe

Filesize
1.5MB

MD5
97ae11ed68d6620ddb9dd9adfbd91550

SHA1
b28a155e106371b86b4f7911954bda2a07a8fa3f

SHA256
ee2ebb139451c16bb288be5764298e91ef67243e00963239c512e6af71369eed

SHA512
9720d1608fe7124c607cef026061d4950c67be3134c73f53eae0b4b73f5274cb1ec98350b1f0d0d8ea20fdaa5740ba63082d5fde6aca41e796621b9b708f61d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8E2.exe

Filesize
1.5MB

MD5
97ae11ed68d6620ddb9dd9adfbd91550

SHA1
b28a155e106371b86b4f7911954bda2a07a8fa3f

SHA256
ee2ebb139451c16bb288be5764298e91ef67243e00963239c512e6af71369eed

SHA512
9720d1608fe7124c607cef026061d4950c67be3134c73f53eae0b4b73f5274cb1ec98350b1f0d0d8ea20fdaa5740ba63082d5fde6aca41e796621b9b708f61d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2562653.exe

Filesize
173KB

MD5
21b16f17321450b6c4861a8e526dd22b

SHA1
d47eb8a855ac75abdba5abc4f6f8ed5cd600244a

SHA256
3831cd9b935ca664419f3e01d2edd3657d5cb40d9129688f997a1ff94248cbd2

SHA512
fd18d9e2a7bfbeaddae1ff2d6bde58d834f3d6d727d23236c2d52a6f3c109bb21174216c53e80d1ad85e9eeaf3c257d107c996d57cabf403ffc27f9fc2afece0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2562653.exe

Filesize
173KB

MD5
21b16f17321450b6c4861a8e526dd22b

SHA1
d47eb8a855ac75abdba5abc4f6f8ed5cd600244a

SHA256
3831cd9b935ca664419f3e01d2edd3657d5cb40d9129688f997a1ff94248cbd2

SHA512
fd18d9e2a7bfbeaddae1ff2d6bde58d834f3d6d727d23236c2d52a6f3c109bb21174216c53e80d1ad85e9eeaf3c257d107c996d57cabf403ffc27f9fc2afece0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2628955.exe

Filesize
359KB

MD5
e29ee5bae0314d4f56c296141295e58a

SHA1
e7538cf3a089c12bb8d5ae3e03ee4b23ae165218

SHA256
1633bf36a599062b24e9768e9fdefb9874c4c7d099317ddd8ba9fe7e695dd380

SHA512
876b899f5f62ed916d2165be5b5828a763e7c8b16bd61c7637bc067f39b0c2726644606480a1b4f94cccffc39e2b233613d6a4f1fb695819070e511e65cc3efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2628955.exe

Filesize
359KB

MD5
e29ee5bae0314d4f56c296141295e58a

SHA1
e7538cf3a089c12bb8d5ae3e03ee4b23ae165218

SHA256
1633bf36a599062b24e9768e9fdefb9874c4c7d099317ddd8ba9fe7e695dd380

SHA512
876b899f5f62ed916d2165be5b5828a763e7c8b16bd61c7637bc067f39b0c2726644606480a1b4f94cccffc39e2b233613d6a4f1fb695819070e511e65cc3efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5240566.exe

Filesize
33KB

MD5
26dac27869ee4fd3fe3e1b75748cb575

SHA1
2088ec98f8d6ddd2b4cb82cfcb6209f1acca0af1

SHA256
6d660f3cfc9e5866ffe036f6061a9eea6179c20dfe214894980f76ba5cdc2c61

SHA512
ecd36a59768f9bc1ad6c413fce34f9694bfbb7419c60fa115cb369a367c113d29c187de6a43f17060ef7206263ff4a9ac5ae5aa19966ce62b07ae7a8bc3e33ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5240566.exe

Filesize
33KB

MD5
26dac27869ee4fd3fe3e1b75748cb575

SHA1
2088ec98f8d6ddd2b4cb82cfcb6209f1acca0af1

SHA256
6d660f3cfc9e5866ffe036f6061a9eea6179c20dfe214894980f76ba5cdc2c61

SHA512
ecd36a59768f9bc1ad6c413fce34f9694bfbb7419c60fa115cb369a367c113d29c187de6a43f17060ef7206263ff4a9ac5ae5aa19966ce62b07ae7a8bc3e33ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6530913.exe

Filesize
235KB

MD5
e709192d4c5f2fb4f6dc8412c4e60b87

SHA1
3388b60298096bc02945ac0eb8e043d948390237

SHA256
698ad6964cbafc1f057a3a6453e83fc23e9aa0b1e99f6d7e61a35a2dc1c6f385

SHA512
87c190ca55caf876483a378d3d82434571bf4cbccb10a5522dfce5fd8258b8bf16acf303dfa23e0ab989e20dffa5b5c5f66e694109ae8a369624a9e53f79b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6530913.exe

Filesize
235KB

MD5
e709192d4c5f2fb4f6dc8412c4e60b87

SHA1
3388b60298096bc02945ac0eb8e043d948390237

SHA256
698ad6964cbafc1f057a3a6453e83fc23e9aa0b1e99f6d7e61a35a2dc1c6f385

SHA512
87c190ca55caf876483a378d3d82434571bf4cbccb10a5522dfce5fd8258b8bf16acf303dfa23e0ab989e20dffa5b5c5f66e694109ae8a369624a9e53f79b4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8976039.exe

Filesize
11KB

MD5
f98262dafbc87c8f25177129b13c62f0

SHA1
15185689422140bacdec8095d5eb0407347993b7

SHA256
34243e0a87cee8c94d413dd9d3d478fe849e29d3ab802b99f4ada3e0dbf0eaa4

SHA512
e0fdf9ab1e81bbb3de224a07607dcb94859a6e2bd2855a66fd3be4d1a59aac60ed36c296cbcff9c3e8d65be82f9defd1c2a556d038ec469699bea645a67831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8976039.exe

Filesize
11KB

MD5
f98262dafbc87c8f25177129b13c62f0

SHA1
15185689422140bacdec8095d5eb0407347993b7

SHA256
34243e0a87cee8c94d413dd9d3d478fe849e29d3ab802b99f4ada3e0dbf0eaa4

SHA512
e0fdf9ab1e81bbb3de224a07607dcb94859a6e2bd2855a66fd3be4d1a59aac60ed36c296cbcff9c3e8d65be82f9defd1c2a556d038ec469699bea645a67831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9301680.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b9301680.exe

Filesize
229KB

MD5
a0cf7a9dabc677a1144fa7b636a86902

SHA1
b50b98a08e4a1f4bbe5ce0aa0dcc7ecd015313c7

SHA256
0a4f3cd1d8bef2bd008f57f7f2e780903616251208325c4b0da228c138e4805e

SHA512
e7d58a93ded28f2480d2bbf5c43af11e27c2281e2d332ce7abd28a39e42b50c74b6570286567baee203ed999a85fa5a11d7b65f7003a3dab660f46566434f4eb

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
dc587d08b8ca3cd62e5dc057d41a966b

SHA1
0ba6a88377c74a0c53b956d405ad17dd5f8c4164

SHA256
7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

SHA512
7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
272B

MD5
d867eabb1be5b45bc77bb06814e23640

SHA1
3139a51ce7e8462c31070363b9532c13cc52c82d

SHA256
38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349

SHA512
afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

Download Submit
memory/408-175-0x0000000000F40000-0x0000000000F56000-memory.dmp

Filesize
88KB

Download
memory/1316-243-0x00000000032C0000-0x00000000033C8000-memory.dmp

Filesize
1.0MB

Download
memory/1316-247-0x00000000033E0000-0x00000000034CF000-memory.dmp

Filesize
956KB

Download
memory/1316-248-0x00000000033E0000-0x00000000034CF000-memory.dmp

Filesize
956KB

Download
memory/1316-239-0x0000000003100000-0x0000000003106000-memory.dmp

Filesize
24KB

Download
memory/1316-244-0x00000000033E0000-0x00000000034CF000-memory.dmp

Filesize
956KB

Download
memory/1960-190-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1960-183-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-189-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1960-188-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/1960-187-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/1960-186-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/1960-185-0x0000000005430000-0x000000000553A000-memory.dmp

Filesize
1.0MB

Download
memory/1960-184-0x00000000058F0000-0x0000000005F08000-memory.dmp

Filesize
6.1MB

Download
memory/1960-182-0x00000000008A0000-0x00000000008D0000-memory.dmp

Filesize
192KB

Download
memory/2044-174-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2044-176-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3024-228-0x0000000001000000-0x0000000001006000-memory.dmp

Filesize
24KB

Download
memory/3024-236-0x00000000031A0000-0x000000000328F000-memory.dmp

Filesize
956KB

Download
memory/3024-237-0x00000000031A0000-0x000000000328F000-memory.dmp

Filesize
956KB

Download
memory/3024-233-0x00000000031A0000-0x000000000328F000-memory.dmp

Filesize
956KB

Download
memory/3024-232-0x0000000003090000-0x0000000003198000-memory.dmp

Filesize
1.0MB

Download
memory/3024-227-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/4560-155-0x00007FF9BDCE0000-0x00007FF9BE7A1000-memory.dmp

Filesize
10.8MB

Download
memory/4560-154-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/4560-157-0x00007FF9BDCE0000-0x00007FF9BE7A1000-memory.dmp

Filesize
10.8MB

Download