amadey | 19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe
Size

1.1MB
MD5

e7081dc8b146a3d56c504582dc9ecae0
SHA1

ab35e1b311490623890e5d829a5feca5b11642a5
SHA256

19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68
SHA512

a90f2a3203fd451aa79b227a12fedad5101e115d5366e68e69d86155033868413a417b75125ca29c84b34e39074f9215e016e7705ddae80ab5ec2d3dab4f4b08
SSDEEP

24576:qymFaHYMdTVdgf1U6CCub/MUcBV8sC+tBGKExf8/gjPluW:xmF7MXdqq1NTJcB1Ce8K43jd

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3360-28-0x00000000021E0000-0x00000000021FA000-memory.dmp	healer
behavioral1/memory/3360-30-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/3360-54-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-58-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-56-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-52-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-50-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-48-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-46-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-42-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-40-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-38-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-36-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-34-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-31-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-44-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer
behavioral1/memory/3360-32-0x00000000024E0000-0x00000000024F3000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	291030990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	291030990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	291030990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	291030990.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	291030990.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/1040-112-0x0000000004BD0000-0x0000000004C0C000-memory.dmp	family_redline
behavioral1/memory/1040-113-0x0000000004C60000-0x0000000004C9A000-memory.dmp	family_redline
behavioral1/memory/1040-117-0x0000000004C60000-0x0000000004C95000-memory.dmp	family_redline
behavioral1/memory/1040-115-0x0000000004C60000-0x0000000004C95000-memory.dmp	family_redline
behavioral1/memory/1040-114-0x0000000004C60000-0x0000000004C95000-memory.dmp	family_redline
behavioral1/memory/1040-119-0x0000000004C60000-0x0000000004C95000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	320597777.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 9 IoCs

pid	Process
1260	tY442061.exe
900	lR639481.exe
2328	oV692184.exe
3360	174901570.exe
2432	291030990.exe
1824	320597777.exe
4516	oneetx.exe
1040	457746423.exe
448	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	291030990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	174901570.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	174901570.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tY442061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	lR639481.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	oV692184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2152	2432	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tY442061.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lR639481.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oV692184.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	174901570.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	291030990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	320597777.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	457746423.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3360	174901570.exe
3360	174901570.exe
2432	291030990.exe
2432	291030990.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	174901570.exe
Token: SeDebugPrivilege	2432	291030990.exe
Token: SeDebugPrivilege	1040	457746423.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1824	320597777.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1260	4948	19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe	83
PID 4948 wrote to memory of 1260	4948	19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe	83
PID 4948 wrote to memory of 1260	4948	19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe	83
PID 1260 wrote to memory of 900	1260	tY442061.exe	84
PID 1260 wrote to memory of 900	1260	tY442061.exe	84
PID 1260 wrote to memory of 900	1260	tY442061.exe	84
PID 900 wrote to memory of 2328	900	lR639481.exe	86
PID 900 wrote to memory of 2328	900	lR639481.exe	86
PID 900 wrote to memory of 2328	900	lR639481.exe	86
PID 2328 wrote to memory of 3360	2328	oV692184.exe	87
PID 2328 wrote to memory of 3360	2328	oV692184.exe	87
PID 2328 wrote to memory of 3360	2328	oV692184.exe	87
PID 2328 wrote to memory of 2432	2328	oV692184.exe	95
PID 2328 wrote to memory of 2432	2328	oV692184.exe	95
PID 2328 wrote to memory of 2432	2328	oV692184.exe	95
PID 900 wrote to memory of 1824	900	lR639481.exe	99
PID 900 wrote to memory of 1824	900	lR639481.exe	99
PID 900 wrote to memory of 1824	900	lR639481.exe	99
PID 1824 wrote to memory of 4516	1824	320597777.exe	100
PID 1824 wrote to memory of 4516	1824	320597777.exe	100
PID 1824 wrote to memory of 4516	1824	320597777.exe	100
PID 1260 wrote to memory of 1040	1260	tY442061.exe	101
PID 1260 wrote to memory of 1040	1260	tY442061.exe	101
PID 1260 wrote to memory of 1040	1260	tY442061.exe	101
PID 4516 wrote to memory of 2888	4516	oneetx.exe	102
PID 4516 wrote to memory of 2888	4516	oneetx.exe	102
PID 4516 wrote to memory of 2888	4516	oneetx.exe	102
PID 4516 wrote to memory of 772	4516	oneetx.exe	104
PID 4516 wrote to memory of 772	4516	oneetx.exe	104
PID 4516 wrote to memory of 772	4516	oneetx.exe	104
PID 772 wrote to memory of 4044	772	cmd.exe	106
PID 772 wrote to memory of 4044	772	cmd.exe	106
PID 772 wrote to memory of 4044	772	cmd.exe	106
PID 772 wrote to memory of 2392	772	cmd.exe	107
PID 772 wrote to memory of 2392	772	cmd.exe	107
PID 772 wrote to memory of 2392	772	cmd.exe	107
PID 772 wrote to memory of 1092	772	cmd.exe	108
PID 772 wrote to memory of 1092	772	cmd.exe	108
PID 772 wrote to memory of 1092	772	cmd.exe	108
PID 772 wrote to memory of 4332	772	cmd.exe	109
PID 772 wrote to memory of 4332	772	cmd.exe	109
PID 772 wrote to memory of 4332	772	cmd.exe	109
PID 772 wrote to memory of 2292	772	cmd.exe	110
PID 772 wrote to memory of 2292	772	cmd.exe	110
PID 772 wrote to memory of 2292	772	cmd.exe	110
PID 772 wrote to memory of 4972	772	cmd.exe	111
PID 772 wrote to memory of 4972	772	cmd.exe	111
PID 772 wrote to memory of 4972	772	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe
"C:\Users\Admin\AppData\Local\Temp\19403a2ae53ec309c1724fe9dac47423fa3bcc0697f7c8e63d14d3075470ce68N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tY442061.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tY442061.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lR639481.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lR639481.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV692184.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV692184.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174901570.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174901570.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\291030990.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\291030990.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1084
        6⤵
        Program crash
        
        PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\320597777.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\320597777.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4516
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457746423.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457746423.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2432 -ip 2432
1⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tY442061.exe

Filesize
932KB

MD5
f8fc72fc874f09b5ae1722448b3f81d7

SHA1
f4b1c373f354c58620122d71e1ebad5c87b93dfa

SHA256
5819b95484a17623e7249b55dff77c11430407536fbac1cf171a782f3e953bb7

SHA512
a1f0ce33cae799930ae2456bd47e1ca79bf88850c15ccab27aa74312a28cf6b15fde336571cf8e60cad1699754ba05db41dcf6576aa131769f2210d5e8a0929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\457746423.exe

Filesize
347KB

MD5
6ccaf403c165e0fa402519961d2d1ad4

SHA1
956a99849827d970bb2b75e0142cc154ea0efadb

SHA256
b3c118f5d36c6dc250ecbe932265795303b349b3e14d4c16cead0d30379b5f3b

SHA512
0b5bb55f1bdcae893f951602d06d4e27717958b6d57ded4d02a54a789d8a41e38f1e8688db576cd93719a2f8fc50822fbfc0a168bd95b1dec4e8a899167ae0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lR639481.exe

Filesize
578KB

MD5
bf1e45cec45bde73e3b38e8fa170dddb

SHA1
98dd5026c7350cbcf7fe91837aa91e7b288d425a

SHA256
89285e0d00e996deb9ac43caff4483c5ad8a2172a09a30d7d83ca33defd081a6

SHA512
1dd2264bd4b7563c7e9e8e8bda8cd43bb05aa4383ff9e6a12894597f3c8ccce75b2b843c82b7eb49602ffa08662d968779c4e4db9ea8236dbd2124425332bb65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\320597777.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\oV692184.exe

Filesize
407KB

MD5
b6dbe6208f70d2d4a30ab64cecdb6479

SHA1
3b8ed87fcca81e7536be5a729a4be88938b95fe0

SHA256
892f133b7e6d3d19b3f567d905695a7707f6345483e7eaf2c5074ebb4cf13d70

SHA512
95f7598046e9144a3ffacbb894bd0945acafa8a0e3736e047d91421f478e5d8f44e20c9b3352c339484ff1e8b2713b2cf31b217a7ea3c7bc657ea34f2d90859d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174901570.exe

Filesize
176KB

MD5
2b71f4b18ac8214a2bff547b6ce2f64f

SHA1
b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

SHA256
f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

SHA512
33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\291030990.exe

Filesize
265KB

MD5
c8b8130dd3f067d410d9ec9c4938e418

SHA1
2be8ac184ca64311c5ff99d803e30b5a8f2b73c3

SHA256
80d9da07e412763cdaadbdd506f2e7dc09780439beccf93d0f142e5fd5f18b8a

SHA512
c85de2d66321e6528056d86c236d376519922cc48749fdedec9bbcca195d1909f028f0c454a2ad4347200cdbc679ec152177a63596ce8bc0132b1052228838bc

Download Submit
memory/1040-119-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/1040-906-0x0000000009CD0000-0x000000000A2E8000-memory.dmp

Filesize
6.1MB

Download
memory/1040-907-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/1040-908-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/1040-114-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/1040-115-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/1040-117-0x0000000004C60000-0x0000000004C95000-memory.dmp

Filesize
212KB

Download
memory/1040-113-0x0000000004C60000-0x0000000004C9A000-memory.dmp

Filesize
232KB

Download
memory/1040-112-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

Filesize
240KB

Download
memory/1040-909-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/1040-910-0x00000000049D0000-0x0000000004A1C000-memory.dmp

Filesize
304KB

Download
memory/2432-94-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/2432-92-0x0000000000400000-0x0000000002B9D000-memory.dmp

Filesize
39.6MB

Download
memory/3360-56-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-32-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-44-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-31-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-34-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-36-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-38-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-40-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-42-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-46-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-48-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-50-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-52-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-58-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-54-0x00000000024E0000-0x00000000024F3000-memory.dmp

Filesize
76KB

Download
memory/3360-30-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/3360-29-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download
memory/3360-28-0x00000000021E0000-0x00000000021FA000-memory.dmp

Filesize
104KB

Download