amadey | 5d9c968b49dc856c5e41e8d8d3512b244461405eb60951cc6970e0242b18d695

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe
Size

1.2MB
MD5

d4d0c42bbfa13c0ab600d72198a95580
SHA1

b5659e95591b329ed7e21536c80c72dfbc958150
SHA256

5d9c968b49dc856c5e41e8d8d3512b244461405eb60951cc6970e0242b18d695
SHA512

5494297170cb99a5282536f5533311a8757294816c256842c09be5a373687ac74a8fe11976e23ab96f124dbc87195540530864c09edfb4d93b8f125923f3543d
SSDEEP

24576:ayexhVM/ncnNLJoz6OeYRYm7Wtdrs2ZelDZuJX:hA7MvgS6OeYRYm7Wtm2ZelDYJ

Score

10^/10

amadey redline smokeloader grome backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

grome

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3244-52-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5Zk2eF4.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	5Zk2eF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 11 IoCs

Processes:

SU5Wl82.exeAb7CM27.exeFS8yq07.exe1Du72xA2.exe2Eq3380.exe3rT90xT.exe4LQ967Bj.exe5Zk2eF4.exeexplothe.exeexplothe.exeexplothe.exe

pid	process
4996	SU5Wl82.exe
3756	Ab7CM27.exe
2536	FS8yq07.exe
916	1Du72xA2.exe
3368	2Eq3380.exe
3892	3rT90xT.exe
3808	4LQ967Bj.exe
840	5Zk2eF4.exe
5112	explothe.exe
1732	explothe.exe
2768	explothe.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exeSU5Wl82.exeAb7CM27.exeFS8yq07.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	SU5Wl82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ab7CM27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FS8yq07.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Du72xA2.exe2Eq3380.exe4LQ967Bj.exe

description	pid	process	target process
PID 916 set thread context of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 3368 set thread context of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3808 set thread context of 3244	3808	4LQ967Bj.exe	AppLaunch.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1408 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2180 4264 WerFault.exe AppLaunch.exe

pid	process
1408	sc.exe

pid	pid_target	process	target process
2180	4264	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3rT90xT.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3rT90xT.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3rT90xT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3rT90xT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1112 schtasks.exe

pid	process
1112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe3rT90xT.exe

pid	process
1876	AppLaunch.exe
1876	AppLaunch.exe
3892	3rT90xT.exe
3892	3rT90xT.exe
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312
3312

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3312
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3rT90xT.exe

pid process

3892 3rT90xT.exe

pid	process
3312

pid	process
3892	3rT90xT.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1876	AppLaunch.exe
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312
Token: SeShutdownPrivilege	3312
Token: SeCreatePagefilePrivilege	3312

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3312
3312

pid	process
3312
3312

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exeSU5Wl82.exeAb7CM27.exeFS8yq07.exe1Du72xA2.exe2Eq3380.exe4LQ967Bj.exe5Zk2eF4.exeexplothe.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 4996	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	SU5Wl82.exe
PID 3232 wrote to memory of 4996	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	SU5Wl82.exe
PID 3232 wrote to memory of 4996	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	SU5Wl82.exe
PID 4996 wrote to memory of 3756	4996	SU5Wl82.exe	Ab7CM27.exe
PID 4996 wrote to memory of 3756	4996	SU5Wl82.exe	Ab7CM27.exe
PID 4996 wrote to memory of 3756	4996	SU5Wl82.exe	Ab7CM27.exe
PID 3756 wrote to memory of 2536	3756	Ab7CM27.exe	FS8yq07.exe
PID 3756 wrote to memory of 2536	3756	Ab7CM27.exe	FS8yq07.exe
PID 3756 wrote to memory of 2536	3756	Ab7CM27.exe	FS8yq07.exe
PID 2536 wrote to memory of 916	2536	FS8yq07.exe	1Du72xA2.exe
PID 2536 wrote to memory of 916	2536	FS8yq07.exe	1Du72xA2.exe
PID 2536 wrote to memory of 916	2536	FS8yq07.exe	1Du72xA2.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 916 wrote to memory of 1876	916	1Du72xA2.exe	AppLaunch.exe
PID 2536 wrote to memory of 3368	2536	FS8yq07.exe	2Eq3380.exe
PID 2536 wrote to memory of 3368	2536	FS8yq07.exe	2Eq3380.exe
PID 2536 wrote to memory of 3368	2536	FS8yq07.exe	2Eq3380.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3368 wrote to memory of 4264	3368	2Eq3380.exe	AppLaunch.exe
PID 3756 wrote to memory of 3892	3756	Ab7CM27.exe	3rT90xT.exe
PID 3756 wrote to memory of 3892	3756	Ab7CM27.exe	3rT90xT.exe
PID 3756 wrote to memory of 3892	3756	Ab7CM27.exe	3rT90xT.exe
PID 4996 wrote to memory of 3808	4996	SU5Wl82.exe	4LQ967Bj.exe
PID 4996 wrote to memory of 3808	4996	SU5Wl82.exe	4LQ967Bj.exe
PID 4996 wrote to memory of 3808	4996	SU5Wl82.exe	4LQ967Bj.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3808 wrote to memory of 3244	3808	4LQ967Bj.exe	AppLaunch.exe
PID 3232 wrote to memory of 840	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	5Zk2eF4.exe
PID 3232 wrote to memory of 840	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	5Zk2eF4.exe
PID 3232 wrote to memory of 840	3232	NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe	5Zk2eF4.exe
PID 840 wrote to memory of 5112	840	5Zk2eF4.exe	explothe.exe
PID 840 wrote to memory of 5112	840	5Zk2eF4.exe	explothe.exe
PID 840 wrote to memory of 5112	840	5Zk2eF4.exe	explothe.exe
PID 5112 wrote to memory of 1112	5112	explothe.exe	schtasks.exe
PID 5112 wrote to memory of 1112	5112	explothe.exe	schtasks.exe
PID 5112 wrote to memory of 1112	5112	explothe.exe	schtasks.exe
PID 5112 wrote to memory of 4932	5112	explothe.exe	cmd.exe
PID 5112 wrote to memory of 4932	5112	explothe.exe	cmd.exe
PID 5112 wrote to memory of 4932	5112	explothe.exe	cmd.exe
PID 4932 wrote to memory of 4296	4932	cmd.exe	cmd.exe
PID 4932 wrote to memory of 4296	4932	cmd.exe	cmd.exe
PID 4932 wrote to memory of 4296	4932	cmd.exe	cmd.exe
PID 4932 wrote to memory of 3324	4932	cmd.exe	cacls.exe
PID 4932 wrote to memory of 3324	4932	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d4d0c42bbfa13c0ab600d72198a95580_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5Wl82.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5Wl82.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab7CM27.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab7CM27.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FS8yq07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FS8yq07.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Du72xA2.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Du72xA2.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Eq3380.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Eq3380.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 540
7⤵
- Program crash
PID:2180

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rT90xT.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rT90xT.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3892

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4LQ967Bj.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4LQ967Bj.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Zk2eF4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Zk2eF4.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
4⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4296

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
5⤵
PID:3324

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
5⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4548

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
5⤵
PID:3192

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
5⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4264 -ip 4264
1⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Zk2eF4.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Zk2eF4.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5Wl82.exe
Filesize
1.1MB

MD5
79b3ad08d0276f85872a852558891457

SHA1
07447918829d00a4726ec271932268af21eff94e

SHA256
c21b8576a7e1d33f0a1feb81a3329dfc75e4972db29e93cf1193f1536f2f7657

SHA512
9d5e64f6bc7af325d2b4a2ff01ff746595decc619eff563ebb38eb1faf59649a40ee2e21153d1b177439df967c0e7265614f929285a0d9e87369e2a7f2e8f399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SU5Wl82.exe
Filesize
1.1MB

MD5
79b3ad08d0276f85872a852558891457

SHA1
07447918829d00a4726ec271932268af21eff94e

SHA256
c21b8576a7e1d33f0a1feb81a3329dfc75e4972db29e93cf1193f1536f2f7657

SHA512
9d5e64f6bc7af325d2b4a2ff01ff746595decc619eff563ebb38eb1faf59649a40ee2e21153d1b177439df967c0e7265614f929285a0d9e87369e2a7f2e8f399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4LQ967Bj.exe
Filesize
1.2MB

MD5
c6e34d6f1de028d83f5e976d18b3b860

SHA1
242c2ab11ff48f1c693babdf94da2b200bce77ba

SHA256
5fedf0f70e45f838eb5dcac716ed9270a8e1381ef2bd954ca4a2ff6d38501b62

SHA512
5765e130fd9ed99fae133091540f95dab37e749f5825bf06ebdeab71cab367ee337db67515106607416c6eabccd85c5d1051735f8923183c3a11f96741d0cf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4LQ967Bj.exe
Filesize
1.2MB

MD5
c6e34d6f1de028d83f5e976d18b3b860

SHA1
242c2ab11ff48f1c693babdf94da2b200bce77ba

SHA256
5fedf0f70e45f838eb5dcac716ed9270a8e1381ef2bd954ca4a2ff6d38501b62

SHA512
5765e130fd9ed99fae133091540f95dab37e749f5825bf06ebdeab71cab367ee337db67515106607416c6eabccd85c5d1051735f8923183c3a11f96741d0cf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab7CM27.exe
Filesize
663KB

MD5
43f0cc7eafb8f740a82969960d656d58

SHA1
249fedd26a7ef3b606c0db69f1642e6f9ba345d7

SHA256
b638a023c862afa3f3d6148f85b8b7dc2194a668ee2fc36c912bafcd36d3d7c1

SHA512
e4c9b592e2b29fbf7295b4dbc3c712e23f86d762c461d72ebc50aa0a142ad4f36ce30661ea300729b07e07064482e53c4bd70c8093eb57ab259deffff1b577a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ab7CM27.exe
Filesize
663KB

MD5
43f0cc7eafb8f740a82969960d656d58

SHA1
249fedd26a7ef3b606c0db69f1642e6f9ba345d7

SHA256
b638a023c862afa3f3d6148f85b8b7dc2194a668ee2fc36c912bafcd36d3d7c1

SHA512
e4c9b592e2b29fbf7295b4dbc3c712e23f86d762c461d72ebc50aa0a142ad4f36ce30661ea300729b07e07064482e53c4bd70c8093eb57ab259deffff1b577a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rT90xT.exe
Filesize
31KB

MD5
195c8853b4d6ca7a6e011801cd6a8671

SHA1
29a8e45cd736962eb3e70c27a02274b78743d5b1

SHA256
332ee5785f416768c34078539104929a6852b3a48be845df4c9d68815043ca27

SHA512
3ebc2d3cb92440defed15ce2ceddcf82d0bd6ba4af571abdd37a2d40f12a9bd0e2848cf6e74d1c41a9a7ebf3f61893f39695c64201d08599b369018c0b417bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3rT90xT.exe
Filesize
31KB

MD5
195c8853b4d6ca7a6e011801cd6a8671

SHA1
29a8e45cd736962eb3e70c27a02274b78743d5b1

SHA256
332ee5785f416768c34078539104929a6852b3a48be845df4c9d68815043ca27

SHA512
3ebc2d3cb92440defed15ce2ceddcf82d0bd6ba4af571abdd37a2d40f12a9bd0e2848cf6e74d1c41a9a7ebf3f61893f39695c64201d08599b369018c0b417bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FS8yq07.exe
Filesize
539KB

MD5
7d68571a7f2553a89e39dec942381b19

SHA1
d07e1c45e43183971053109b7add5e77a1ed5b4f

SHA256
69d446e5246e69b1e6cac0fe556b6e4eb7f58a69fd24c2a509bed0c78f8f6972

SHA512
dbedb58a4277d18674be7a66071ead6063ed173d7c7457e8c18e70a1df73f7451779a55f601e08efb936b7440b25bce150ec8f13f1b08070251f4671fcbc0c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\FS8yq07.exe
Filesize
539KB

MD5
7d68571a7f2553a89e39dec942381b19

SHA1
d07e1c45e43183971053109b7add5e77a1ed5b4f

SHA256
69d446e5246e69b1e6cac0fe556b6e4eb7f58a69fd24c2a509bed0c78f8f6972

SHA512
dbedb58a4277d18674be7a66071ead6063ed173d7c7457e8c18e70a1df73f7451779a55f601e08efb936b7440b25bce150ec8f13f1b08070251f4671fcbc0c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Du72xA2.exe
Filesize
933KB

MD5
2d02a394e785b5c7d3a0d1fa3602fae1

SHA1
b3291002fd1aa6098a1b741b74830fe55c288a83

SHA256
c64ad8d3e6ac47f61dd069c71196ffb9993b2484de39feca4e6fafac5c5f8309

SHA512
3db8128bfe24ee0c45358340b4ed91c469f0796239c8509ab7343d5b8b72ef1020a46a508966975c5724f2a99e207fe983d470b477319879cefac15dbb1d11ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Du72xA2.exe
Filesize
933KB

MD5
2d02a394e785b5c7d3a0d1fa3602fae1

SHA1
b3291002fd1aa6098a1b741b74830fe55c288a83

SHA256
c64ad8d3e6ac47f61dd069c71196ffb9993b2484de39feca4e6fafac5c5f8309

SHA512
3db8128bfe24ee0c45358340b4ed91c469f0796239c8509ab7343d5b8b72ef1020a46a508966975c5724f2a99e207fe983d470b477319879cefac15dbb1d11ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Eq3380.exe
Filesize
1.1MB

MD5
9d7ef84c218894b9426b8da97a5213f7

SHA1
e4df3880046aef55fab42cfe5c4346c5f15e0bf1

SHA256
d63cfcbd58f9eda149c6eef48928db1deb34e16767453d2803da92a16fd583f2

SHA512
be04337ddb737298e7418312a678722e4a41a63b3835827a63f559f1f01da1a78c8d583e34136f93fce5910a4683bf0358226603ebe805bdb5588956917888da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Eq3380.exe
Filesize
1.1MB

MD5
9d7ef84c218894b9426b8da97a5213f7

SHA1
e4df3880046aef55fab42cfe5c4346c5f15e0bf1

SHA256
d63cfcbd58f9eda149c6eef48928db1deb34e16767453d2803da92a16fd583f2

SHA512
be04337ddb737298e7418312a678722e4a41a63b3835827a63f559f1f01da1a78c8d583e34136f93fce5910a4683bf0358226603ebe805bdb5588956917888da

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
221KB

MD5
99694446fb5ee7ed513b3035eefc95e6

SHA1
0ff25b72cf25807a92d0a3c6d032093a1221401a

SHA256
39a2e1c62037d9c5dcefa6b01e5662abe83196bbea04dc4b0c624877699e2ad1

SHA512
e190e7d76472ad549528e5c2ca6ccaf1d9c8ab244ba164a85f9c5c27f50f8152d6377a5b6ab4ad1b601646be1b1480a5a73f253d40620d20a49d3aec4156f27d

Download Submit
memory/1876-32-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1876-49-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1876-51-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/1876-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3244-72-0x0000000007FD0000-0x00000000080DA000-memory.dmp

Filesize
1.0MB

Download
memory/3244-73-0x0000000007EA0000-0x0000000007EB2000-memory.dmp

Filesize
72KB

Download
memory/3244-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-57-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-77-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/3244-60-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/3244-61-0x0000000007C40000-0x0000000007CD2000-memory.dmp

Filesize
584KB

Download
memory/3244-62-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

Filesize
64KB

Download
memory/3244-63-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/3244-76-0x00000000744F0000-0x0000000074CA0000-memory.dmp

Filesize
7.7MB

Download
memory/3244-75-0x0000000007F40000-0x0000000007F8C000-memory.dmp

Filesize
304KB

Download
memory/3244-71-0x0000000008D20000-0x0000000009338000-memory.dmp

Filesize
6.1MB

Download
memory/3244-74-0x0000000007F00000-0x0000000007F3C000-memory.dmp

Filesize
240KB

Download
memory/3312-42-0x00000000031D0000-0x00000000031E6000-memory.dmp

Filesize
88KB

Download
memory/3892-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3892-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4264-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download