amadey | bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145

Analysis

max time kernel
115s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe
Size

1023KB
MD5

66c92f1543bf8250eeaa02a43ab6c48f
SHA1

4587bc81607f0902ae85a2bab45567357d9675c8
SHA256

bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145
SHA512

fe00f16b94a6d3d314c7c16fe495dfb8034291725d947a3932e93b2b38e55429a92e1a492ef3dbd42f366a630fcb39c8457e0628f072e9e501421cff9123ae06
SSDEEP

24576:vyScp/I8rpW/3oz6uOS+watFt4Bqk849+7q:6Scp/7rp4YOuSwIfk8q

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor9025.exebus3186.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus3186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus3186.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9025.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus3186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus3186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus3186.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus3186.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2004-209-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-224-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-228-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-230-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-232-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-234-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-236-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-238-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-240-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-242-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-244-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline
behavioral1/memory/2004-246-0x0000000004CE0000-0x0000000004D1E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge212713.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge212713.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino6969.exekino4292.exekino7229.exebus3186.execor9025.exedJG78s17.exeen966870.exege212713.exemetafor.exemetafor.exemetafor.exe

pid	process
1840	kino6969.exe
1028	kino4292.exe
436	kino7229.exe
1248	bus3186.exe
3748	cor9025.exe
2004	dJG78s17.exe
4892	en966870.exe
1288	ge212713.exe
4124	metafor.exe
2264	metafor.exe
1372	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus3186.execor9025.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus3186.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9025.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9025.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino4292.exekino7229.exebdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exekino6969.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino4292.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7229.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino7229.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6969.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6969.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4292.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4016 3748 WerFault.exe cor9025.exe
2328 2004 WerFault.exe dJG78s17.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus3186.execor9025.exedJG78s17.exeen966870.exe

pid process

1248 bus3186.exe
1248 bus3186.exe
3748 cor9025.exe
3748 cor9025.exe
2004 dJG78s17.exe
2004 dJG78s17.exe
4892 en966870.exe
4892 en966870.exe

pid	pid_target	process	target process
4016	3748	WerFault.exe	cor9025.exe
2328	2004	WerFault.exe	dJG78s17.exe

pid	process
4684	schtasks.exe

pid	process
1248	bus3186.exe
1248	bus3186.exe
3748	cor9025.exe
3748	cor9025.exe
2004	dJG78s17.exe
2004	dJG78s17.exe
4892	en966870.exe
4892	en966870.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus3186.execor9025.exedJG78s17.exeen966870.exe

description	pid	process
Token: SeDebugPrivilege	1248	bus3186.exe
Token: SeDebugPrivilege	3748	cor9025.exe
Token: SeDebugPrivilege	2004	dJG78s17.exe
Token: SeDebugPrivilege	4892	en966870.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exekino6969.exekino4292.exekino7229.exege212713.exemetafor.execmd.exe

description	pid	process	target process
PID 4232 wrote to memory of 1840	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	kino6969.exe
PID 4232 wrote to memory of 1840	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	kino6969.exe
PID 4232 wrote to memory of 1840	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	kino6969.exe
PID 1840 wrote to memory of 1028	1840	kino6969.exe	kino4292.exe
PID 1840 wrote to memory of 1028	1840	kino6969.exe	kino4292.exe
PID 1840 wrote to memory of 1028	1840	kino6969.exe	kino4292.exe
PID 1028 wrote to memory of 436	1028	kino4292.exe	kino7229.exe
PID 1028 wrote to memory of 436	1028	kino4292.exe	kino7229.exe
PID 1028 wrote to memory of 436	1028	kino4292.exe	kino7229.exe
PID 436 wrote to memory of 1248	436	kino7229.exe	bus3186.exe
PID 436 wrote to memory of 1248	436	kino7229.exe	bus3186.exe
PID 436 wrote to memory of 3748	436	kino7229.exe	cor9025.exe
PID 436 wrote to memory of 3748	436	kino7229.exe	cor9025.exe
PID 436 wrote to memory of 3748	436	kino7229.exe	cor9025.exe
PID 1028 wrote to memory of 2004	1028	kino4292.exe	dJG78s17.exe
PID 1028 wrote to memory of 2004	1028	kino4292.exe	dJG78s17.exe
PID 1028 wrote to memory of 2004	1028	kino4292.exe	dJG78s17.exe
PID 1840 wrote to memory of 4892	1840	kino6969.exe	en966870.exe
PID 1840 wrote to memory of 4892	1840	kino6969.exe	en966870.exe
PID 1840 wrote to memory of 4892	1840	kino6969.exe	en966870.exe
PID 4232 wrote to memory of 1288	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	ge212713.exe
PID 4232 wrote to memory of 1288	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	ge212713.exe
PID 4232 wrote to memory of 1288	4232	bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe	ge212713.exe
PID 1288 wrote to memory of 4124	1288	ge212713.exe	metafor.exe
PID 1288 wrote to memory of 4124	1288	ge212713.exe	metafor.exe
PID 1288 wrote to memory of 4124	1288	ge212713.exe	metafor.exe
PID 4124 wrote to memory of 4684	4124	metafor.exe	schtasks.exe
PID 4124 wrote to memory of 4684	4124	metafor.exe	schtasks.exe
PID 4124 wrote to memory of 4684	4124	metafor.exe	schtasks.exe
PID 4124 wrote to memory of 2420	4124	metafor.exe	cmd.exe
PID 4124 wrote to memory of 2420	4124	metafor.exe	cmd.exe
PID 4124 wrote to memory of 2420	4124	metafor.exe	cmd.exe
PID 2420 wrote to memory of 1504	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1504	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1504	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1780	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1780	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1780	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4748	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4748	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4748	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 220	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 220	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 220	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 116	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 116	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 116	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 232	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 232	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 232	2420	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe
"C:\Users\Admin\AppData\Local\Temp\bdb5f89d9b80ba89848374648fd22875bb4e481aba88012740d250020cbe9145.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6969.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6969.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4292.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4292.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7229.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7229.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3186.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3186.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9025.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9025.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 1084
6⤵
- Program crash
PID:4016

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJG78s17.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJG78s17.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1908
5⤵
- Program crash
PID:2328

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en966870.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en966870.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge212713.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge212713.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1780

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:220

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3748 -ip 3748
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2004 -ip 2004
1⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge212713.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge212713.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6969.exe
Filesize
842KB

MD5
da81b44f23838b4602b0b0660e18b4eb

SHA1
6edd75a61bc34961965f9ba29e052073ac3b673b

SHA256
c90c70b6e7c004e15309e9a0617080313c346bfbf8ebc77f9921c419ee83de29

SHA512
da33e04744f64b9c7de756c609a2e87945aff3570e402c50b23a2f6e4b0e97b907a0915899371c5609e49eef3ecee271ea179f32183482ebe24f0211baee7221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6969.exe
Filesize
842KB

MD5
da81b44f23838b4602b0b0660e18b4eb

SHA1
6edd75a61bc34961965f9ba29e052073ac3b673b

SHA256
c90c70b6e7c004e15309e9a0617080313c346bfbf8ebc77f9921c419ee83de29

SHA512
da33e04744f64b9c7de756c609a2e87945aff3570e402c50b23a2f6e4b0e97b907a0915899371c5609e49eef3ecee271ea179f32183482ebe24f0211baee7221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en966870.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en966870.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4292.exe
Filesize
699KB

MD5
6720ccae7e5755bde5d877bf3114fc5f

SHA1
5b5b4a197b24fd4f94050199b2fd4fdfc768bb5c

SHA256
418ef88493d5368186d5228d37d4e3b250a6959c30f8aebe320f30f675072e9c

SHA512
132d89671f66ad4ae6802e6de7bf5d5bb6dc36b04e18940a8afe0be6800b1a4ad54b19c329ad71f2a56a5f628c8ed74d1cfd989b03ede7fc9ded56141eb57904

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4292.exe
Filesize
699KB

MD5
6720ccae7e5755bde5d877bf3114fc5f

SHA1
5b5b4a197b24fd4f94050199b2fd4fdfc768bb5c

SHA256
418ef88493d5368186d5228d37d4e3b250a6959c30f8aebe320f30f675072e9c

SHA512
132d89671f66ad4ae6802e6de7bf5d5bb6dc36b04e18940a8afe0be6800b1a4ad54b19c329ad71f2a56a5f628c8ed74d1cfd989b03ede7fc9ded56141eb57904

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJG78s17.exe
Filesize
358KB

MD5
26bfcac1a72f08c96f1391249779fd01

SHA1
6b9bfd9c762e0cfb5245b967f0111bc79e727dbd

SHA256
c2374a38d13ea9ad83113c4934abf09f9c2b0e4a775c89dea4b4feee6e4948d4

SHA512
c566c13289caad8a7583cfc6c28ff3c968a5d24cd41d64e0a161339e89e6e9ac5110cde3d883f9db233955a6e3b647b43c76b6e1109ff58685f7e07df85dcbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJG78s17.exe
Filesize
358KB

MD5
26bfcac1a72f08c96f1391249779fd01

SHA1
6b9bfd9c762e0cfb5245b967f0111bc79e727dbd

SHA256
c2374a38d13ea9ad83113c4934abf09f9c2b0e4a775c89dea4b4feee6e4948d4

SHA512
c566c13289caad8a7583cfc6c28ff3c968a5d24cd41d64e0a161339e89e6e9ac5110cde3d883f9db233955a6e3b647b43c76b6e1109ff58685f7e07df85dcbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7229.exe
Filesize
346KB

MD5
7e4fb08b1cd989f2de3073f98ba1b89a

SHA1
b5e7b4fc4a6a8640b5aaa99e2f543cf190e15796

SHA256
fc9a8ddc17ba5899b43c864f5a61bdffa4a9a7125284ccce3d4425538f3603a8

SHA512
ab30c6cc53f28ff57f27e77c33341b116f871928f59a60eac9734c5a7e308a3fdbedba0629c4b4d061fbbf6093ed02245d1731aa2c1bf102f7e5531ccfba96f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7229.exe
Filesize
346KB

MD5
7e4fb08b1cd989f2de3073f98ba1b89a

SHA1
b5e7b4fc4a6a8640b5aaa99e2f543cf190e15796

SHA256
fc9a8ddc17ba5899b43c864f5a61bdffa4a9a7125284ccce3d4425538f3603a8

SHA512
ab30c6cc53f28ff57f27e77c33341b116f871928f59a60eac9734c5a7e308a3fdbedba0629c4b4d061fbbf6093ed02245d1731aa2c1bf102f7e5531ccfba96f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3186.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3186.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9025.exe
Filesize
300KB

MD5
6fcb0c4972a297ae0291543fbe467e6c

SHA1
a459386971cd86df90e47aea6a37b7f3cff97118

SHA256
b71645e027e887af6afc6b86b8ef2b8b4608d574f7f55f9003d76c7358a8a529

SHA512
77d42ac8cdb59089507d91d66cf38d19e3d730ed1c6e0140dbcc26ad4072aa03f0f38f555e667a4f3900813184979af495591e2ecc1a0b4903bd77dc7b288ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9025.exe
Filesize
300KB

MD5
6fcb0c4972a297ae0291543fbe467e6c

SHA1
a459386971cd86df90e47aea6a37b7f3cff97118

SHA256
b71645e027e887af6afc6b86b8ef2b8b4608d574f7f55f9003d76c7358a8a529

SHA512
77d42ac8cdb59089507d91d66cf38d19e3d730ed1c6e0140dbcc26ad4072aa03f0f38f555e667a4f3900813184979af495591e2ecc1a0b4903bd77dc7b288ec3

Download Submit
memory/1248-161-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/2004-1123-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-236-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-1133-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-1132-0x0000000006C50000-0x000000000717C000-memory.dmp

Filesize
5.2MB

Download
memory/2004-1131-0x0000000006A80000-0x0000000006C42000-memory.dmp

Filesize
1.8MB

Download
memory/2004-1130-0x0000000006A10000-0x0000000006A60000-memory.dmp

Filesize
320KB

Download
memory/2004-1129-0x0000000006990000-0x0000000006A06000-memory.dmp

Filesize
472KB

Download
memory/2004-1128-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-1127-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-1125-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2004-1124-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/2004-1122-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2004-1121-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2004-1120-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2004-1119-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/2004-209-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-210-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-212-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-214-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-216-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-218-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-220-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-221-0x00000000023B0000-0x00000000023FB000-memory.dmp

Filesize
300KB

Download
memory/2004-223-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-225-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-224-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-226-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2004-228-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-230-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-232-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-234-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-246-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-238-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-240-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-242-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/2004-244-0x0000000004CE0000-0x0000000004D1E000-memory.dmp

Filesize
248KB

Download
memory/3748-192-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-184-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-190-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-188-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-200-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3748-180-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-202-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3748-201-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3748-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3748-198-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-196-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-194-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-169-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/3748-182-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3748-178-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-176-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-186-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-168-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3748-174-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-171-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3748-170-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3748-167-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/4892-1140-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/4892-1139-0x0000000000660000-0x0000000000692000-memory.dmp

Filesize
200KB

Download