amadey | e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade

Analysis

max time kernel
115s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe
Size

1010KB
MD5

92a0341430cb2b11c84bf2376859badf
SHA1

005935ed26864ea661edd9e9138e828c93ff099d
SHA256

e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade
SHA512

c1361e2a8a3b8cb8def2fbef34732122f74e29d4aed5ba7ef8e7bf33531cb475d93e8c8662d85eb81e839228049d04a7ae3b10e7869e65e2e6fb322c1c8152d9
SSDEEP

12288:6Mrfy902LiDCo8+f7yms8n3A2EM7fCFO5IXFcpeQtvMziJJCs7DCwGcgssHW66bU:ty0Wo8+tpEYfC+YQtqwGcc2v/GI4z1R

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus8698.execor7605.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus8698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus8698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus8698.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7605.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus8698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus8698.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus8698.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3824-210-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-211-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-213-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-215-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-217-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-219-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-221-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-223-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-225-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-227-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-229-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-231-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-233-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-238-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-241-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-243-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-245-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-247-0x0000000007150000-0x000000000718E000-memory.dmp	family_redline
behavioral1/memory/3824-1133-0x0000000007220000-0x0000000007230000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege040813.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge040813.exe

Executes dropped EXE 10 IoCs

Processes:

kino9427.exekino2642.exekino8851.exebus8698.execor7605.exedCR83s10.exeen736196.exege040813.exemetafor.exemetafor.exe

pid	process
1100	kino9427.exe
4996	kino2642.exe
1620	kino8851.exe
1892	bus8698.exe
388	cor7605.exe
3824	dCR83s10.exe
4580	en736196.exe
4376	ge040813.exe
3264	metafor.exe
2436	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus8698.execor7605.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus8698.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7605.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7605.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino2642.exekino8851.exee2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exekino9427.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2642.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8851.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino8851.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino9427.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2642.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

376 388 WerFault.exe cor7605.exe
4608 3824 WerFault.exe dCR83s10.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4228 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus8698.execor7605.exedCR83s10.exeen736196.exe

pid process

1892 bus8698.exe
1892 bus8698.exe
388 cor7605.exe
388 cor7605.exe
3824 dCR83s10.exe
3824 dCR83s10.exe
4580 en736196.exe
4580 en736196.exe

pid	pid_target	process	target process
376	388	WerFault.exe	cor7605.exe
4608	3824	WerFault.exe	dCR83s10.exe

pid	process
4228	schtasks.exe

pid	process
1892	bus8698.exe
1892	bus8698.exe
388	cor7605.exe
388	cor7605.exe
3824	dCR83s10.exe
3824	dCR83s10.exe
4580	en736196.exe
4580	en736196.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus8698.execor7605.exedCR83s10.exeen736196.exe

description	pid	process
Token: SeDebugPrivilege	1892	bus8698.exe
Token: SeDebugPrivilege	388	cor7605.exe
Token: SeDebugPrivilege	3824	dCR83s10.exe
Token: SeDebugPrivilege	4580	en736196.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exekino9427.exekino2642.exekino8851.exege040813.exemetafor.execmd.exe

description	pid	process	target process
PID 4420 wrote to memory of 1100	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	kino9427.exe
PID 4420 wrote to memory of 1100	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	kino9427.exe
PID 4420 wrote to memory of 1100	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	kino9427.exe
PID 1100 wrote to memory of 4996	1100	kino9427.exe	kino2642.exe
PID 1100 wrote to memory of 4996	1100	kino9427.exe	kino2642.exe
PID 1100 wrote to memory of 4996	1100	kino9427.exe	kino2642.exe
PID 4996 wrote to memory of 1620	4996	kino2642.exe	kino8851.exe
PID 4996 wrote to memory of 1620	4996	kino2642.exe	kino8851.exe
PID 4996 wrote to memory of 1620	4996	kino2642.exe	kino8851.exe
PID 1620 wrote to memory of 1892	1620	kino8851.exe	bus8698.exe
PID 1620 wrote to memory of 1892	1620	kino8851.exe	bus8698.exe
PID 1620 wrote to memory of 388	1620	kino8851.exe	cor7605.exe
PID 1620 wrote to memory of 388	1620	kino8851.exe	cor7605.exe
PID 1620 wrote to memory of 388	1620	kino8851.exe	cor7605.exe
PID 4996 wrote to memory of 3824	4996	kino2642.exe	dCR83s10.exe
PID 4996 wrote to memory of 3824	4996	kino2642.exe	dCR83s10.exe
PID 4996 wrote to memory of 3824	4996	kino2642.exe	dCR83s10.exe
PID 1100 wrote to memory of 4580	1100	kino9427.exe	en736196.exe
PID 1100 wrote to memory of 4580	1100	kino9427.exe	en736196.exe
PID 1100 wrote to memory of 4580	1100	kino9427.exe	en736196.exe
PID 4420 wrote to memory of 4376	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	ge040813.exe
PID 4420 wrote to memory of 4376	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	ge040813.exe
PID 4420 wrote to memory of 4376	4420	e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe	ge040813.exe
PID 4376 wrote to memory of 3264	4376	ge040813.exe	metafor.exe
PID 4376 wrote to memory of 3264	4376	ge040813.exe	metafor.exe
PID 4376 wrote to memory of 3264	4376	ge040813.exe	metafor.exe
PID 3264 wrote to memory of 4228	3264	metafor.exe	schtasks.exe
PID 3264 wrote to memory of 4228	3264	metafor.exe	schtasks.exe
PID 3264 wrote to memory of 4228	3264	metafor.exe	schtasks.exe
PID 3264 wrote to memory of 5072	3264	metafor.exe	cmd.exe
PID 3264 wrote to memory of 5072	3264	metafor.exe	cmd.exe
PID 3264 wrote to memory of 5072	3264	metafor.exe	cmd.exe
PID 5072 wrote to memory of 3184	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 3184	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 3184	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 2788	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 2788	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 2788	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 3620	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 3620	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 3620	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 1368	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 1368	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 1368	5072	cmd.exe	cmd.exe
PID 5072 wrote to memory of 3404	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 3404	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 3404	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 1464	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 1464	5072	cmd.exe	cacls.exe
PID 5072 wrote to memory of 1464	5072	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe
"C:\Users\Admin\AppData\Local\Temp\e2f0dbcf43bb2886bf9d5aa81cdc281184145098044000884e37be8f9f4e1ade.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9427.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9427.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2642.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2642.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8851.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8851.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8698.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8698.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7605.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7605.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 1080
6⤵
- Program crash
PID:376

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCR83s10.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCR83s10.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1352
5⤵
- Program crash
PID:4608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en736196.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en736196.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge040813.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge040813.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3184

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2788

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1368

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3404

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 388 -ip 388
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3824 -ip 3824
1⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge040813.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge040813.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9427.exe
Filesize
827KB

MD5
98697b1e931971aa7ab4ab18168fac56

SHA1
feaacc27db40b5248c222d2442f36e45e23b9a01

SHA256
acd2ce50d34b1bdba30727536c074f17862c1abfd5388f96398244f3b604786d

SHA512
6713e191ec4fd69504157bc1e5a2a168677a0478e4b34a7753a20410a590b418002eb904e4fa1b89c728efa520e9d12f00b62c83ca904169e7a103463bc60e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9427.exe
Filesize
827KB

MD5
98697b1e931971aa7ab4ab18168fac56

SHA1
feaacc27db40b5248c222d2442f36e45e23b9a01

SHA256
acd2ce50d34b1bdba30727536c074f17862c1abfd5388f96398244f3b604786d

SHA512
6713e191ec4fd69504157bc1e5a2a168677a0478e4b34a7753a20410a590b418002eb904e4fa1b89c728efa520e9d12f00b62c83ca904169e7a103463bc60e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en736196.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en736196.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2642.exe
Filesize
685KB

MD5
2d76c66a31bfbc53ce4a52d9430382c7

SHA1
6de63ae93b7ab794aca017d0df8d7790dc30d408

SHA256
cbaf65824096905c51f117c4b0192025110a27fb539cc14f331f50dab1fcb26b

SHA512
1465e33221c6e096000a95568d2c231ae944174b748fd334491bc919232708a91f789b0a81e16fa56df66f026729edcfb3e41c08bc075de7b41e06693e80089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2642.exe
Filesize
685KB

MD5
2d76c66a31bfbc53ce4a52d9430382c7

SHA1
6de63ae93b7ab794aca017d0df8d7790dc30d408

SHA256
cbaf65824096905c51f117c4b0192025110a27fb539cc14f331f50dab1fcb26b

SHA512
1465e33221c6e096000a95568d2c231ae944174b748fd334491bc919232708a91f789b0a81e16fa56df66f026729edcfb3e41c08bc075de7b41e06693e80089f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCR83s10.exe
Filesize
356KB

MD5
d456b987b94cfcf634ccd244dcf2fe32

SHA1
f18a90fb156a8a3bbdced3b197ed46d89854f5b7

SHA256
9c3695c043b074eea04cccb22fe5b6409e46b718141ada415fa000309b075232

SHA512
be83b7bc7943705070dfcad59ac09698e552a2e14ab2dfb9fd579d6cfe58d905ad2c04dafb6f88fb1f47bd2148c2675526bcd2549caff764933049ac4e161297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dCR83s10.exe
Filesize
356KB

MD5
d456b987b94cfcf634ccd244dcf2fe32

SHA1
f18a90fb156a8a3bbdced3b197ed46d89854f5b7

SHA256
9c3695c043b074eea04cccb22fe5b6409e46b718141ada415fa000309b075232

SHA512
be83b7bc7943705070dfcad59ac09698e552a2e14ab2dfb9fd579d6cfe58d905ad2c04dafb6f88fb1f47bd2148c2675526bcd2549caff764933049ac4e161297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8851.exe
Filesize
339KB

MD5
3538ebaeb0c22a5256ba2fadc5ef350f

SHA1
cafa9f7242fa6e07c0c23c7f5ac5800f74b6f705

SHA256
eec3e506a0d87d83d2517f651d1fcc9ca803d92e3de0924363deca4540332cb1

SHA512
d142f500592809bc4305923e4acc5d25c54cd5ab838a39f0e6f487aa00d8127a7a25a220d45b45dedc9bd6945fb8e874cbe3953e211a8fa25a478059a7ca1609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8851.exe
Filesize
339KB

MD5
3538ebaeb0c22a5256ba2fadc5ef350f

SHA1
cafa9f7242fa6e07c0c23c7f5ac5800f74b6f705

SHA256
eec3e506a0d87d83d2517f651d1fcc9ca803d92e3de0924363deca4540332cb1

SHA512
d142f500592809bc4305923e4acc5d25c54cd5ab838a39f0e6f487aa00d8127a7a25a220d45b45dedc9bd6945fb8e874cbe3953e211a8fa25a478059a7ca1609

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8698.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8698.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7605.exe
Filesize
298KB

MD5
0ba3b52fbf982fc6beff50dc5a2f85eb

SHA1
4d3161efaf45d7855599b08e037448bfb991bc94

SHA256
cf3922a13239dccf48dd591a7d9d98c8ee7b858ef94760937e48e406ba503351

SHA512
2bc6b96f7cdb2bce63d47278913c7d34f8bd35cfee01315fb9f7a1d0464a872256ec9c6acfb7f53f4b8f206a4b09bafc597257879cbe106d48fd919064826b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7605.exe
Filesize
298KB

MD5
0ba3b52fbf982fc6beff50dc5a2f85eb

SHA1
4d3161efaf45d7855599b08e037448bfb991bc94

SHA256
cf3922a13239dccf48dd591a7d9d98c8ee7b858ef94760937e48e406ba503351

SHA512
2bc6b96f7cdb2bce63d47278913c7d34f8bd35cfee01315fb9f7a1d0464a872256ec9c6acfb7f53f4b8f206a4b09bafc597257879cbe106d48fd919064826b5d

Download Submit
memory/388-177-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-197-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-173-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-179-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-181-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-183-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-185-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-187-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-189-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-191-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-193-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-195-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-199-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-175-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/388-201-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-202-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-204-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/388-167-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/388-172-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/388-171-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-169-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-170-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/388-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1892-161-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/3824-213-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3824-225-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-227-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-229-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-231-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-233-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-236-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-234-0x0000000002DA0000-0x0000000002DEB000-memory.dmp

Filesize
300KB

Download
memory/3824-239-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-238-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-237-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-241-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-243-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-245-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-247-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-1120-0x00000000078E0000-0x0000000007EF8000-memory.dmp

Filesize
6.1MB

Download
memory/3824-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3824-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3824-223-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-1124-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3824-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3824-1128-0x0000000008C60000-0x0000000008CD6000-memory.dmp

Filesize
472KB

Download
memory/3824-1129-0x0000000008CF0000-0x0000000008D40000-memory.dmp

Filesize
320KB

Download
memory/3824-1130-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/3824-1131-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/3824-1132-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-1133-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-1134-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-1136-0x0000000007220000-0x0000000007230000-memory.dmp

Filesize
64KB

Download
memory/3824-210-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-211-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-221-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-219-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-217-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/3824-215-0x0000000007150000-0x000000000718E000-memory.dmp

Filesize
248KB

Download
memory/4580-1142-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/4580-1141-0x0000000000460000-0x0000000000492000-memory.dmp

Filesize
200KB

Download