amadey | 474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06

Analysis

max time kernel
103s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe
Size

1023KB
MD5

82caed81e2ba19204a51269f7526c758
SHA1

3b52a2b472b1675c781e2d879e5d18f2e4fc4461
SHA256

474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06
SHA512

b01a0e20cc8a369e0a6c0befe28fc6f9485a6eafb6e2ceb1812d0ecbcf845c26596fc1c278cc77964765970197c959c9894a04d25a6cf07e31608e49ca306236
SSDEEP

12288:8Mruy90T6MRWxzGeQGjnKcBhpk4XVYPAFJC40sDdda3ygthBL7MBtLMwEZaRQUsa:ayX7Q8N04XosJC40sRMxqHM0QUsCTX

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor6821.exebus9826.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor6821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor6821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor6821.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor6821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus9826.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor6821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor6821.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4844-212-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-213-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-215-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-217-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-219-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-221-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-223-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-225-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-227-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-231-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-229-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-233-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-235-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-237-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-239-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-241-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-243-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline
behavioral1/memory/4844-245-0x0000000004D10000-0x0000000004D4E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge258056.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge258056.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino4173.exekino9539.exekino6628.exebus9826.execor6821.exedci38s61.exeen907266.exege258056.exemetafor.exemetafor.exe

pid	process
4612	kino4173.exe
868	kino9539.exe
688	kino6628.exe
3528	bus9826.exe
2176	cor6821.exe
4844	dci38s61.exe
1964	en907266.exe
1308	ge258056.exe
4800	metafor.exe
1172	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor6821.exebus9826.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor6821.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus9826.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor6821.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino6628.exe474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exekino4173.exekino9539.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino6628.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino4173.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino9539.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6628.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1128 2176 WerFault.exe cor6821.exe
4180 4844 WerFault.exe dci38s61.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2644 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus9826.execor6821.exedci38s61.exeen907266.exe

pid process

3528 bus9826.exe
3528 bus9826.exe
2176 cor6821.exe
2176 cor6821.exe
4844 dci38s61.exe
4844 dci38s61.exe
1964 en907266.exe
1964 en907266.exe

pid	pid_target	process	target process
1128	2176	WerFault.exe	cor6821.exe
4180	4844	WerFault.exe	dci38s61.exe

pid	process
2644	schtasks.exe

pid	process
3528	bus9826.exe
3528	bus9826.exe
2176	cor6821.exe
2176	cor6821.exe
4844	dci38s61.exe
4844	dci38s61.exe
1964	en907266.exe
1964	en907266.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus9826.execor6821.exedci38s61.exeen907266.exe

description	pid	process
Token: SeDebugPrivilege	3528	bus9826.exe
Token: SeDebugPrivilege	2176	cor6821.exe
Token: SeDebugPrivilege	4844	dci38s61.exe
Token: SeDebugPrivilege	1964	en907266.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exekino4173.exekino9539.exekino6628.exege258056.exemetafor.execmd.exe

description	pid	process	target process
PID 4108 wrote to memory of 4612	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	kino4173.exe
PID 4108 wrote to memory of 4612	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	kino4173.exe
PID 4108 wrote to memory of 4612	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	kino4173.exe
PID 4612 wrote to memory of 868	4612	kino4173.exe	kino9539.exe
PID 4612 wrote to memory of 868	4612	kino4173.exe	kino9539.exe
PID 4612 wrote to memory of 868	4612	kino4173.exe	kino9539.exe
PID 868 wrote to memory of 688	868	kino9539.exe	kino6628.exe
PID 868 wrote to memory of 688	868	kino9539.exe	kino6628.exe
PID 868 wrote to memory of 688	868	kino9539.exe	kino6628.exe
PID 688 wrote to memory of 3528	688	kino6628.exe	bus9826.exe
PID 688 wrote to memory of 3528	688	kino6628.exe	bus9826.exe
PID 688 wrote to memory of 2176	688	kino6628.exe	cor6821.exe
PID 688 wrote to memory of 2176	688	kino6628.exe	cor6821.exe
PID 688 wrote to memory of 2176	688	kino6628.exe	cor6821.exe
PID 868 wrote to memory of 4844	868	kino9539.exe	dci38s61.exe
PID 868 wrote to memory of 4844	868	kino9539.exe	dci38s61.exe
PID 868 wrote to memory of 4844	868	kino9539.exe	dci38s61.exe
PID 4612 wrote to memory of 1964	4612	kino4173.exe	en907266.exe
PID 4612 wrote to memory of 1964	4612	kino4173.exe	en907266.exe
PID 4612 wrote to memory of 1964	4612	kino4173.exe	en907266.exe
PID 4108 wrote to memory of 1308	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	ge258056.exe
PID 4108 wrote to memory of 1308	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	ge258056.exe
PID 4108 wrote to memory of 1308	4108	474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe	ge258056.exe
PID 1308 wrote to memory of 4800	1308	ge258056.exe	metafor.exe
PID 1308 wrote to memory of 4800	1308	ge258056.exe	metafor.exe
PID 1308 wrote to memory of 4800	1308	ge258056.exe	metafor.exe
PID 4800 wrote to memory of 2644	4800	metafor.exe	schtasks.exe
PID 4800 wrote to memory of 2644	4800	metafor.exe	schtasks.exe
PID 4800 wrote to memory of 2644	4800	metafor.exe	schtasks.exe
PID 4800 wrote to memory of 4636	4800	metafor.exe	cmd.exe
PID 4800 wrote to memory of 4636	4800	metafor.exe	cmd.exe
PID 4800 wrote to memory of 4636	4800	metafor.exe	cmd.exe
PID 4636 wrote to memory of 4480	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4480	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4480	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4444	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4444	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4444	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2840	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2840	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2840	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1408	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 1408	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 1408	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4624	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4624	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4624	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1680	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1680	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1680	4636	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe
"C:\Users\Admin\AppData\Local\Temp\474b3d494f5ea4d9b1d28fa743ca2d7a4d8a1047f32b02a84079e27b43865a06.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4173.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4173.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9539.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9539.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6628.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6628.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9826.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9826.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6821.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6821.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1080
6⤵
- Program crash
PID:1128

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dci38s61.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dci38s61.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1336
5⤵
- Program crash
PID:4180

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en907266.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en907266.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge258056.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge258056.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4480

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4444

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1408

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4624

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2176 -ip 2176
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4844 -ip 4844
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge258056.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge258056.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4173.exe
Filesize
841KB

MD5
7286aa686e594b1090cd97a9e5afe4d3

SHA1
a5ab75a9f2538b5970a522c164f4dd1d370fb4ff

SHA256
255b2995a96cb1c3a4785574d643a6e16326ac11bb35f777e7707ed1f6ced076

SHA512
ac9bf9feec60b97a84cfd57cf12c25aaf3e66af784448a46ac34c9db6eba177621545b88b7c1944c49f0acae9449c2b4164a47659af209d69e432b549f406a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4173.exe
Filesize
841KB

MD5
7286aa686e594b1090cd97a9e5afe4d3

SHA1
a5ab75a9f2538b5970a522c164f4dd1d370fb4ff

SHA256
255b2995a96cb1c3a4785574d643a6e16326ac11bb35f777e7707ed1f6ced076

SHA512
ac9bf9feec60b97a84cfd57cf12c25aaf3e66af784448a46ac34c9db6eba177621545b88b7c1944c49f0acae9449c2b4164a47659af209d69e432b549f406a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en907266.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en907266.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9539.exe
Filesize
699KB

MD5
8b97cbcc8425fd04d2df48ffdc55401d

SHA1
2d00c26fbd8029870e04271d2fed1df6bd0b090b

SHA256
5e3270ab84dc98b0bc09759477b31452283fa2b223c999cc71e670df8008155b

SHA512
c9a9c6631b47ef8ae825b63a813c95d3a57d5efd68f2c6ff2b110251e01ada96b4518bd2c599c0a036c2592b9c0a51f4335a34a3e0d9520eb9d2774ccb8b7139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino9539.exe
Filesize
699KB

MD5
8b97cbcc8425fd04d2df48ffdc55401d

SHA1
2d00c26fbd8029870e04271d2fed1df6bd0b090b

SHA256
5e3270ab84dc98b0bc09759477b31452283fa2b223c999cc71e670df8008155b

SHA512
c9a9c6631b47ef8ae825b63a813c95d3a57d5efd68f2c6ff2b110251e01ada96b4518bd2c599c0a036c2592b9c0a51f4335a34a3e0d9520eb9d2774ccb8b7139

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dci38s61.exe
Filesize
358KB

MD5
d2230bbeff7f89a0c2aab8d5e4f9d73d

SHA1
8bad95211e401066708abc27ba26b05b86695ea2

SHA256
d1460bf62c7eda478dedf8fe182acb1ef577e4860bb9e806995bf6f0d966856d

SHA512
ed4e0161784e6c78318a21aa928dc2d6d3728079ef1ef8ce13aaf59942a36f0cc88d441f0c2335a7c75b9f3eea4df18bbd13acdbd890b5fd2b7ee39d59a3b9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dci38s61.exe
Filesize
358KB

MD5
d2230bbeff7f89a0c2aab8d5e4f9d73d

SHA1
8bad95211e401066708abc27ba26b05b86695ea2

SHA256
d1460bf62c7eda478dedf8fe182acb1ef577e4860bb9e806995bf6f0d966856d

SHA512
ed4e0161784e6c78318a21aa928dc2d6d3728079ef1ef8ce13aaf59942a36f0cc88d441f0c2335a7c75b9f3eea4df18bbd13acdbd890b5fd2b7ee39d59a3b9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6628.exe
Filesize
346KB

MD5
abfa7b3096994bb06ab5db047b36d032

SHA1
23d6aeaead6d582d5c547935ce7af61356d772e0

SHA256
0b96d5e9afbfb74dbde12baf4e55ff3fa79004a6b368b38243a32308bce4ee38

SHA512
41fa8b868327b7dc2e00238ed84d67bcfb93d32e6ef06476f3908a90c7bf1fb294720814d387eaadf16ce04758ce303aea8345ced8d3744a5cdd25417071abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6628.exe
Filesize
346KB

MD5
abfa7b3096994bb06ab5db047b36d032

SHA1
23d6aeaead6d582d5c547935ce7af61356d772e0

SHA256
0b96d5e9afbfb74dbde12baf4e55ff3fa79004a6b368b38243a32308bce4ee38

SHA512
41fa8b868327b7dc2e00238ed84d67bcfb93d32e6ef06476f3908a90c7bf1fb294720814d387eaadf16ce04758ce303aea8345ced8d3744a5cdd25417071abcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9826.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9826.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6821.exe
Filesize
300KB

MD5
7b76a5b70705d1013e3d680df449b79c

SHA1
a11fbbdf9341fc6f7cb498d315fcaac58a1653a3

SHA256
bed81d58e8ad2cbe74a97f60924da6b447eae282b60804cb6c21e878414396fb

SHA512
fb446a0a6146dc5dc3f83fb36b496b4fdd0ae267921cffce7806e56c32de0c8ae79822ae3ee856d1a5b50673549d32f434c79b2e5bb46c400d7c12d101a00d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6821.exe
Filesize
300KB

MD5
7b76a5b70705d1013e3d680df449b79c

SHA1
a11fbbdf9341fc6f7cb498d315fcaac58a1653a3

SHA256
bed81d58e8ad2cbe74a97f60924da6b447eae282b60804cb6c21e878414396fb

SHA512
fb446a0a6146dc5dc3f83fb36b496b4fdd0ae267921cffce7806e56c32de0c8ae79822ae3ee856d1a5b50673549d32f434c79b2e5bb46c400d7c12d101a00d18

Download Submit
memory/1964-1140-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/1964-1139-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

Filesize
200KB

Download
memory/2176-178-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-201-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2176-182-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-184-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-186-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-188-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-190-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-192-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-194-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-196-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-198-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2176-200-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2176-180-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-202-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2176-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2176-167-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/2176-176-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-174-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-172-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-171-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/2176-170-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2176-169-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2176-168-0x00000000007A0000-0x00000000007CD000-memory.dmp

Filesize
180KB

Download
memory/3528-161-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/4844-209-0x0000000000890000-0x00000000008DB000-memory.dmp

Filesize
300KB

Download
memory/4844-223-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-225-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-227-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-231-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-229-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-233-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-235-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-237-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-239-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-241-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-243-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-245-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-1118-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/4844-1119-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4844-1120-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/4844-1121-0x0000000005B40000-0x0000000005B7C000-memory.dmp

Filesize
240KB

Download
memory/4844-1122-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-1123-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/4844-1124-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/4844-1125-0x0000000006810000-0x0000000006886000-memory.dmp

Filesize
472KB

Download
memory/4844-1126-0x0000000006890000-0x00000000068E0000-memory.dmp

Filesize
320KB

Download
memory/4844-1128-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-1129-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-1130-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-1131-0x0000000006900000-0x0000000006AC2000-memory.dmp

Filesize
1.8MB

Download
memory/4844-221-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-219-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-217-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-215-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-213-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-212-0x0000000004D10000-0x0000000004D4E000-memory.dmp

Filesize
248KB

Download
memory/4844-211-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-210-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/4844-1132-0x0000000006AD0000-0x0000000006FFC000-memory.dmp

Filesize
5.2MB

Download
memory/4844-1133-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download