amadey | 76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc

Analysis

max time kernel
108s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe
Size

1.0MB
MD5

177ece4bb1d02e6dab46e5fdba1292b6
SHA1

577906874f352ad0a86c068c3988d6626381f77e
SHA256

76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc
SHA512

8e74a0bda2d22343cfdc32b4d7c93f19fb099e28f6a794da75869d7e538b0ad9d4a301053944f3dc46586a3e5e8d23443971da18180dda113a31195fef54b3a5
SSDEEP

24576:ryUI+NA3JumnWetZ/9dAOVcGJ5tohSv0D8FI1cgkva:ezieFWcZ1dAOVclSv0DRy

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor8371.exebus8179.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor8371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor8371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor8371.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus8179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus8179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus8179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus8179.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor8371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor8371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus8179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus8179.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor8371.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3140-210-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-211-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-213-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-215-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-217-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-219-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-221-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-223-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-225-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-227-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-229-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-231-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-233-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-235-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-237-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-239-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-241-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-243-0x00000000052E0000-0x000000000531E000-memory.dmp	family_redline
behavioral1/memory/3140-388-0x0000000004D20000-0x0000000004D30000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge711532.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ge711532.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino8900.exekino2079.exekino3704.exebus8179.execor8371.exedDM39s09.exeen889730.exege711532.exemetafor.exemetafor.exe

pid	process
1620	kino8900.exe
4008	kino2079.exe
444	kino3704.exe
312	bus8179.exe
1252	cor8371.exe
3140	dDM39s09.exe
1804	en889730.exe
4780	ge711532.exe
5080	metafor.exe
4944	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus8179.execor8371.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus8179.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor8371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor8371.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino3704.exe76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exekino8900.exekino2079.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino3704.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino8900.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2079.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4348 1252 WerFault.exe cor8371.exe
3976 3140 WerFault.exe dDM39s09.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus8179.execor8371.exedDM39s09.exeen889730.exe

pid process

312 bus8179.exe
312 bus8179.exe
1252 cor8371.exe
1252 cor8371.exe
3140 dDM39s09.exe
3140 dDM39s09.exe
1804 en889730.exe
1804 en889730.exe

pid	pid_target	process	target process
4348	1252	WerFault.exe	cor8371.exe
3976	3140	WerFault.exe	dDM39s09.exe

pid	process
648	schtasks.exe

pid	process
312	bus8179.exe
312	bus8179.exe
1252	cor8371.exe
1252	cor8371.exe
3140	dDM39s09.exe
3140	dDM39s09.exe
1804	en889730.exe
1804	en889730.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus8179.execor8371.exedDM39s09.exeen889730.exe

description	pid	process
Token: SeDebugPrivilege	312	bus8179.exe
Token: SeDebugPrivilege	1252	cor8371.exe
Token: SeDebugPrivilege	3140	dDM39s09.exe
Token: SeDebugPrivilege	1804	en889730.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exekino8900.exekino2079.exekino3704.exege711532.exemetafor.execmd.exe

description	pid	process	target process
PID 1528 wrote to memory of 1620	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	kino8900.exe
PID 1528 wrote to memory of 1620	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	kino8900.exe
PID 1528 wrote to memory of 1620	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	kino8900.exe
PID 1620 wrote to memory of 4008	1620	kino8900.exe	kino2079.exe
PID 1620 wrote to memory of 4008	1620	kino8900.exe	kino2079.exe
PID 1620 wrote to memory of 4008	1620	kino8900.exe	kino2079.exe
PID 4008 wrote to memory of 444	4008	kino2079.exe	kino3704.exe
PID 4008 wrote to memory of 444	4008	kino2079.exe	kino3704.exe
PID 4008 wrote to memory of 444	4008	kino2079.exe	kino3704.exe
PID 444 wrote to memory of 312	444	kino3704.exe	bus8179.exe
PID 444 wrote to memory of 312	444	kino3704.exe	bus8179.exe
PID 444 wrote to memory of 1252	444	kino3704.exe	cor8371.exe
PID 444 wrote to memory of 1252	444	kino3704.exe	cor8371.exe
PID 444 wrote to memory of 1252	444	kino3704.exe	cor8371.exe
PID 4008 wrote to memory of 3140	4008	kino2079.exe	dDM39s09.exe
PID 4008 wrote to memory of 3140	4008	kino2079.exe	dDM39s09.exe
PID 4008 wrote to memory of 3140	4008	kino2079.exe	dDM39s09.exe
PID 1620 wrote to memory of 1804	1620	kino8900.exe	en889730.exe
PID 1620 wrote to memory of 1804	1620	kino8900.exe	en889730.exe
PID 1620 wrote to memory of 1804	1620	kino8900.exe	en889730.exe
PID 1528 wrote to memory of 4780	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	ge711532.exe
PID 1528 wrote to memory of 4780	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	ge711532.exe
PID 1528 wrote to memory of 4780	1528	76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe	ge711532.exe
PID 4780 wrote to memory of 5080	4780	ge711532.exe	metafor.exe
PID 4780 wrote to memory of 5080	4780	ge711532.exe	metafor.exe
PID 4780 wrote to memory of 5080	4780	ge711532.exe	metafor.exe
PID 5080 wrote to memory of 648	5080	metafor.exe	schtasks.exe
PID 5080 wrote to memory of 648	5080	metafor.exe	schtasks.exe
PID 5080 wrote to memory of 648	5080	metafor.exe	schtasks.exe
PID 5080 wrote to memory of 4952	5080	metafor.exe	cmd.exe
PID 5080 wrote to memory of 4952	5080	metafor.exe	cmd.exe
PID 5080 wrote to memory of 4952	5080	metafor.exe	cmd.exe
PID 4952 wrote to memory of 4724	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 4724	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 4724	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 2972	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 2972	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 2972	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 3788	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 3788	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 3788	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 764	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 764	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 764	4952	cmd.exe	cmd.exe
PID 4952 wrote to memory of 3252	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 3252	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 3252	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 1100	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 1100	4952	cmd.exe	cacls.exe
PID 4952 wrote to memory of 1100	4952	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe
"C:\Users\Admin\AppData\Local\Temp\76d702293a82d7ff09d45763b574b9c3d5973d08dbe29f85ffa6316ea3ed5fdc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8900.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8900.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2079.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2079.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3704.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3704.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8179.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8179.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8371.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8371.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1080
6⤵
- Program crash
PID:4348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDM39s09.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDM39s09.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1348
5⤵
- Program crash
PID:3976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en889730.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en889730.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge711532.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge711532.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4724

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2972

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:764

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3252

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1252 -ip 1252
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3140 -ip 3140
1⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge711532.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge711532.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8900.exe
Filesize
842KB

MD5
fc5fb20a63869eff0c7b04bfea11764d

SHA1
4b583a10940093123a47340cd10a24d8838af827

SHA256
214b923a320d54188eb78c38227203aa3a3d304c4633b70711e3c41bfa7d8562

SHA512
23a16faa2f157c2ae6a365291ff2807a7fd6c775484cf105dcca0713ae1025fc68f862206a2d006c7c10600151f4448688beb5a64a16a9a1d0f9a1c2f12027cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino8900.exe
Filesize
842KB

MD5
fc5fb20a63869eff0c7b04bfea11764d

SHA1
4b583a10940093123a47340cd10a24d8838af827

SHA256
214b923a320d54188eb78c38227203aa3a3d304c4633b70711e3c41bfa7d8562

SHA512
23a16faa2f157c2ae6a365291ff2807a7fd6c775484cf105dcca0713ae1025fc68f862206a2d006c7c10600151f4448688beb5a64a16a9a1d0f9a1c2f12027cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en889730.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en889730.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2079.exe
Filesize
700KB

MD5
0c6ec80dd4f22fbefaf7f65e45572ff4

SHA1
1cf38af4548987dc46fbbfc0d6fd3a3402633983

SHA256
699d47313855d44930f4128c1aa2f6256267f3f92f68c21fe900c662cb110496

SHA512
09f4e06e79ee27ed793774eccd33bdf8bd3084ab25fcdcb29da4f0f3b364dd1651bbb046df4b2b080176c63edcf6ef91f6fc105fecebaf24fd9c561412b568bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2079.exe
Filesize
700KB

MD5
0c6ec80dd4f22fbefaf7f65e45572ff4

SHA1
1cf38af4548987dc46fbbfc0d6fd3a3402633983

SHA256
699d47313855d44930f4128c1aa2f6256267f3f92f68c21fe900c662cb110496

SHA512
09f4e06e79ee27ed793774eccd33bdf8bd3084ab25fcdcb29da4f0f3b364dd1651bbb046df4b2b080176c63edcf6ef91f6fc105fecebaf24fd9c561412b568bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDM39s09.exe
Filesize
358KB

MD5
65534b329c68a51931fd9911af0363a4

SHA1
7f37e63b35b4f57164622e8b1df0ce716f078265

SHA256
f20005bd8344f0ba8558283b553b2cd30d38412b5f977135801b1cf2a8c0dce4

SHA512
d739bd7ea13d4725fae4710b18e86fe0d1f900a9b1ad95ab70c2bb754f1ad7a7b1afaf9b1837da6418f3289d1c575bcaced6dcb32a1a38872f1bf60614980ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dDM39s09.exe
Filesize
358KB

MD5
65534b329c68a51931fd9911af0363a4

SHA1
7f37e63b35b4f57164622e8b1df0ce716f078265

SHA256
f20005bd8344f0ba8558283b553b2cd30d38412b5f977135801b1cf2a8c0dce4

SHA512
d739bd7ea13d4725fae4710b18e86fe0d1f900a9b1ad95ab70c2bb754f1ad7a7b1afaf9b1837da6418f3289d1c575bcaced6dcb32a1a38872f1bf60614980ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3704.exe
Filesize
347KB

MD5
fad495c039638da8bbbb7c8c331a1888

SHA1
dae4eb9da5d056d82bd48489876a3f45b65b5fca

SHA256
ef57e5b4767d0d47c6a214efc7837c16ac7bbcbcd971be2181b27dda900808f4

SHA512
5047f53be02442db75df228c4cd5bfd7c1d69fc0eebe90c6daa51bc0ab5ff27b43e22ec43857ab02535164a947a9cb5fe4108f333dacd39258c045f2603ac830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3704.exe
Filesize
347KB

MD5
fad495c039638da8bbbb7c8c331a1888

SHA1
dae4eb9da5d056d82bd48489876a3f45b65b5fca

SHA256
ef57e5b4767d0d47c6a214efc7837c16ac7bbcbcd971be2181b27dda900808f4

SHA512
5047f53be02442db75df228c4cd5bfd7c1d69fc0eebe90c6daa51bc0ab5ff27b43e22ec43857ab02535164a947a9cb5fe4108f333dacd39258c045f2603ac830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8179.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8179.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8371.exe
Filesize
300KB

MD5
a1dee45140bc8e997aa58ff41d9ad823

SHA1
4fcfac83a4abaa1cb534eae722c4c7fd679ff42b

SHA256
ea1a4651911dbf2228d203212c741c20a2d980a6168eec5459560d60866da47d

SHA512
bde9ef815b797f0662386b70d625278bce229f8c1ff54e4dbc57a1f4f108624d07873bb3e37143a78c65db9b775a00e205c5f2b5ad94fc409b058d7a2f2188e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor8371.exe
Filesize
300KB

MD5
a1dee45140bc8e997aa58ff41d9ad823

SHA1
4fcfac83a4abaa1cb534eae722c4c7fd679ff42b

SHA256
ea1a4651911dbf2228d203212c741c20a2d980a6168eec5459560d60866da47d

SHA512
bde9ef815b797f0662386b70d625278bce229f8c1ff54e4dbc57a1f4f108624d07873bb3e37143a78c65db9b775a00e205c5f2b5ad94fc409b058d7a2f2188e5

Download Submit
memory/312-161-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/1252-176-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1252-178-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-180-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-182-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-184-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-188-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-186-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-190-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-192-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-194-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-196-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-198-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-167-0x0000000002250000-0x000000000227D000-memory.dmp

Filesize
180KB

Download
memory/1252-200-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1252-201-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1252-202-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1252-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1252-174-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-172-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-171-0x0000000005230000-0x0000000005242000-memory.dmp

Filesize
72KB

Download
memory/1252-168-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1252-170-0x00000000024F0000-0x0000000002500000-memory.dmp

Filesize
64KB

Download
memory/1252-169-0x0000000004C40000-0x00000000051E4000-memory.dmp

Filesize
5.6MB

Download
memory/1804-1138-0x00000000000C0000-0x00000000000F2000-memory.dmp

Filesize
200KB

Download
memory/1804-1139-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/3140-210-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-225-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-227-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-229-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-231-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-233-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-235-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-237-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-239-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-241-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-243-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-387-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3140-388-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3140-1118-0x0000000005320000-0x0000000005938000-memory.dmp

Filesize
6.1MB

Download
memory/3140-1119-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3140-1120-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/3140-1121-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/3140-1122-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3140-1123-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/3140-1124-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3140-1126-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3140-1127-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/3140-1128-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/3140-1129-0x00000000068B0000-0x0000000006900000-memory.dmp

Filesize
320KB

Download
memory/3140-1130-0x0000000006B30000-0x0000000006CF2000-memory.dmp

Filesize
1.8MB

Download
memory/3140-223-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-221-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-219-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-217-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-215-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-213-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-211-0x00000000052E0000-0x000000000531E000-memory.dmp

Filesize
248KB

Download
memory/3140-209-0x0000000002260000-0x00000000022AB000-memory.dmp

Filesize
300KB

Download
memory/3140-1131-0x0000000006D00000-0x000000000722C000-memory.dmp

Filesize
5.2MB

Download
memory/3140-1133-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download