amadey | b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0

Analysis

max time kernel
101s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe
Size

1004KB
MD5

39437de35c916a3f1f58b43e7e8c19e8
SHA1

582c17fe126d79db11160b561a38fc3c828b3c32
SHA256

b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0
SHA512

1308e174247d89f857f0b85d21b0e09c56e54d252ab03086a5b34c49b955f64f035d9a8f436e5c93bf33f06873a65620a142fb1c2b00cbbb60911b004af2f95c
SSDEEP

24576:2yw6IMpwvFz5Ue/Tlwm7aBhis+CaGhBFMSEZagMX8uVQofsOh:Fw6gFf/JwEavis+LgsDM8uVvf

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu124814.execor1877.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu124814.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu124814.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu124814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu124814.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu124814.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu124814.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1877.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4424-210-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-211-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-213-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-215-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-217-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-219-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-221-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-223-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-225-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-227-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-229-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-231-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-233-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-235-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-237-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-239-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-241-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-243-0x00000000038C0000-0x00000000038FF000-memory.dmp	family_redline
behavioral1/memory/4424-1131-0x00000000061E0000-0x00000000061F0000-memory.dmp	family_redline
behavioral1/memory/4424-1132-0x00000000061E0000-0x00000000061F0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge512791.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ge512791.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina7124.exekina2670.exekina2624.exebu124814.execor1877.exedYx23s43.exeen468806.exege512791.exemetafor.exemetafor.exe

pid	process
2932	kina7124.exe
636	kina2670.exe
2044	kina2624.exe
896	bu124814.exe
4992	cor1877.exe
4424	dYx23s43.exe
2780	en468806.exe
4136	ge512791.exe
4568	metafor.exe
3196	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu124814.execor1877.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu124814.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1877.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina2624.exeb97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exekina7124.exekina2670.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina2624.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7124.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina7124.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina2670.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2624.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4808 4992 WerFault.exe cor1877.exe
1400 4424 WerFault.exe dYx23s43.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu124814.execor1877.exedYx23s43.exeen468806.exe

pid process

896 bu124814.exe
896 bu124814.exe
4992 cor1877.exe
4992 cor1877.exe
4424 dYx23s43.exe
4424 dYx23s43.exe
2780 en468806.exe
2780 en468806.exe

pid	pid_target	process	target process
4808	4992	WerFault.exe	cor1877.exe
1400	4424	WerFault.exe	dYx23s43.exe

pid	process
528	schtasks.exe

pid	process
896	bu124814.exe
896	bu124814.exe
4992	cor1877.exe
4992	cor1877.exe
4424	dYx23s43.exe
4424	dYx23s43.exe
2780	en468806.exe
2780	en468806.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu124814.execor1877.exedYx23s43.exeen468806.exe

description	pid	process
Token: SeDebugPrivilege	896	bu124814.exe
Token: SeDebugPrivilege	4992	cor1877.exe
Token: SeDebugPrivilege	4424	dYx23s43.exe
Token: SeDebugPrivilege	2780	en468806.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exekina7124.exekina2670.exekina2624.exege512791.exemetafor.execmd.exe

description	pid	process	target process
PID 3524 wrote to memory of 2932	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	kina7124.exe
PID 3524 wrote to memory of 2932	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	kina7124.exe
PID 3524 wrote to memory of 2932	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	kina7124.exe
PID 2932 wrote to memory of 636	2932	kina7124.exe	kina2670.exe
PID 2932 wrote to memory of 636	2932	kina7124.exe	kina2670.exe
PID 2932 wrote to memory of 636	2932	kina7124.exe	kina2670.exe
PID 636 wrote to memory of 2044	636	kina2670.exe	kina2624.exe
PID 636 wrote to memory of 2044	636	kina2670.exe	kina2624.exe
PID 636 wrote to memory of 2044	636	kina2670.exe	kina2624.exe
PID 2044 wrote to memory of 896	2044	kina2624.exe	bu124814.exe
PID 2044 wrote to memory of 896	2044	kina2624.exe	bu124814.exe
PID 2044 wrote to memory of 4992	2044	kina2624.exe	cor1877.exe
PID 2044 wrote to memory of 4992	2044	kina2624.exe	cor1877.exe
PID 2044 wrote to memory of 4992	2044	kina2624.exe	cor1877.exe
PID 636 wrote to memory of 4424	636	kina2670.exe	dYx23s43.exe
PID 636 wrote to memory of 4424	636	kina2670.exe	dYx23s43.exe
PID 636 wrote to memory of 4424	636	kina2670.exe	dYx23s43.exe
PID 2932 wrote to memory of 2780	2932	kina7124.exe	en468806.exe
PID 2932 wrote to memory of 2780	2932	kina7124.exe	en468806.exe
PID 2932 wrote to memory of 2780	2932	kina7124.exe	en468806.exe
PID 3524 wrote to memory of 4136	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	ge512791.exe
PID 3524 wrote to memory of 4136	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	ge512791.exe
PID 3524 wrote to memory of 4136	3524	b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe	ge512791.exe
PID 4136 wrote to memory of 4568	4136	ge512791.exe	metafor.exe
PID 4136 wrote to memory of 4568	4136	ge512791.exe	metafor.exe
PID 4136 wrote to memory of 4568	4136	ge512791.exe	metafor.exe
PID 4568 wrote to memory of 528	4568	metafor.exe	schtasks.exe
PID 4568 wrote to memory of 528	4568	metafor.exe	schtasks.exe
PID 4568 wrote to memory of 528	4568	metafor.exe	schtasks.exe
PID 4568 wrote to memory of 4416	4568	metafor.exe	cmd.exe
PID 4568 wrote to memory of 4416	4568	metafor.exe	cmd.exe
PID 4568 wrote to memory of 4416	4568	metafor.exe	cmd.exe
PID 4416 wrote to memory of 3336	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 3336	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 3336	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 3900	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 3900	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 3900	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 2216	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 2216	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 2216	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 900	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 900	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 900	4416	cmd.exe	cmd.exe
PID 4416 wrote to memory of 5040	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 5040	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 5040	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 1928	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 1928	4416	cmd.exe	cacls.exe
PID 4416 wrote to memory of 1928	4416	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe
"C:\Users\Admin\AppData\Local\Temp\b97265219925c279bfc140fac828df1ac72638e4818b2fda0de13ff99e8a6df0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7124.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7124.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2670.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2670.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2624.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2624.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu124814.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu124814.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1877.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1877.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 1080
6⤵
- Program crash
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYx23s43.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYx23s43.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1328
5⤵
- Program crash
PID:1400

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en468806.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en468806.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge512791.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge512791.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3336

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3900

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:900

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:5040

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4992 -ip 4992
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4424 -ip 4424
1⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge512791.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge512791.exe
Filesize
227KB

MD5
9f3b186462287fd873041c488bd26fee

SHA1
a644b2fc38f3ffacf76aa263dd00be0692bebbdb

SHA256
75bded5de919a78687a132f287af32907e777ee85007f89d3d4f92bbc172c8cc

SHA512
0a4e3951964524f34b2abb940688d8d96ec5d9d3ef5094bd1cd6f698de86ae07056254815028918de892cce3272149b59d8cfaec13704d5a5925e11059791466

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7124.exe
Filesize
822KB

MD5
e9569ba8a1175525ecd45c6799b6af90

SHA1
c6f3bf16f54790a83a868b1827089ac8a09c784e

SHA256
4b8b9846f2b8fdf14112094bceb69eb899cee17a5549bc2ee9e92c25d6ad6c89

SHA512
7e50c48b9f3dbf15d55d2a055afbd202e1db8e19d7d3bc7b3c13bee99122690af362b4048b8e74472bb8a5b46be204b082636282c51305acbb005ba23e83298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7124.exe
Filesize
822KB

MD5
e9569ba8a1175525ecd45c6799b6af90

SHA1
c6f3bf16f54790a83a868b1827089ac8a09c784e

SHA256
4b8b9846f2b8fdf14112094bceb69eb899cee17a5549bc2ee9e92c25d6ad6c89

SHA512
7e50c48b9f3dbf15d55d2a055afbd202e1db8e19d7d3bc7b3c13bee99122690af362b4048b8e74472bb8a5b46be204b082636282c51305acbb005ba23e83298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en468806.exe
Filesize
175KB

MD5
ee26d2f1454bb326c4e956c834d5729d

SHA1
63155a6aba2b20de30ac8ae67811ea1f385bb6a7

SHA256
b00b5611648cda72d68e4c6221da1815f8d57a6804a68bd27eedfbbdc296189a

SHA512
e4d71f6781a5ccc556977edc392ec2c82ff7962df05f8d99d29327f558e2bdfa1739708cfbda5bbdfa84d2567a79027e6a87439068eae4d3f4082d438e94c8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en468806.exe
Filesize
175KB

MD5
ee26d2f1454bb326c4e956c834d5729d

SHA1
63155a6aba2b20de30ac8ae67811ea1f385bb6a7

SHA256
b00b5611648cda72d68e4c6221da1815f8d57a6804a68bd27eedfbbdc296189a

SHA512
e4d71f6781a5ccc556977edc392ec2c82ff7962df05f8d99d29327f558e2bdfa1739708cfbda5bbdfa84d2567a79027e6a87439068eae4d3f4082d438e94c8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2670.exe
Filesize
680KB

MD5
80805dc373ffd78798e51c53b3eee71f

SHA1
5f3b3aa37dc91e091dacfe95d1d3e1b3ef012a82

SHA256
c537b8bad96dc0d02e6c6ddad5dea2b3d1203036ca58022eb6ea6bebd8fa2ed8

SHA512
e2011df0ed4acdbacf5dfed766586e19833766ab8da27daf0c0f314a3ced7b9a0b65c136558b3a61fa54d537ea03838ea8c341a0a71979199b2297ab9d237dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2670.exe
Filesize
680KB

MD5
80805dc373ffd78798e51c53b3eee71f

SHA1
5f3b3aa37dc91e091dacfe95d1d3e1b3ef012a82

SHA256
c537b8bad96dc0d02e6c6ddad5dea2b3d1203036ca58022eb6ea6bebd8fa2ed8

SHA512
e2011df0ed4acdbacf5dfed766586e19833766ab8da27daf0c0f314a3ced7b9a0b65c136558b3a61fa54d537ea03838ea8c341a0a71979199b2297ab9d237dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYx23s43.exe
Filesize
345KB

MD5
0919aef2499a76683369370926487276

SHA1
5f4dd55e3b7160ab3e7f4f8744d7107a1fd4f0c7

SHA256
7ddeb51ef8c6bbf6b177b40f605dcf16dde24d3a90079ebb670bb4e2fe05374f

SHA512
9d80c98c3112a4132247d698e81a69eb71d4965558f7fd5bbb9b23e11c708e8481f283c46303eb1c6ef34f053993c35a999b3dc868acbb1f579467897e5e108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dYx23s43.exe
Filesize
345KB

MD5
0919aef2499a76683369370926487276

SHA1
5f4dd55e3b7160ab3e7f4f8744d7107a1fd4f0c7

SHA256
7ddeb51ef8c6bbf6b177b40f605dcf16dde24d3a90079ebb670bb4e2fe05374f

SHA512
9d80c98c3112a4132247d698e81a69eb71d4965558f7fd5bbb9b23e11c708e8481f283c46303eb1c6ef34f053993c35a999b3dc868acbb1f579467897e5e108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2624.exe
Filesize
344KB

MD5
1d9d720e4cf19767316fd106308131c3

SHA1
ce6480a333f14b46e8205eb5d63b4d383d44c4c2

SHA256
89a7c5eaff64f5c6497499673e9379b29a57b647a93e73d26ca7f0f95bd1a112

SHA512
b0c1c7433a534b62f668af7851a276c2d7b1d93c8e638acce3e60d04000860ad3c1e9f76ce67e0830bdca72d83138b2778f626ffd72c84bab67abaaaf0c7d661

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2624.exe
Filesize
344KB

MD5
1d9d720e4cf19767316fd106308131c3

SHA1
ce6480a333f14b46e8205eb5d63b4d383d44c4c2

SHA256
89a7c5eaff64f5c6497499673e9379b29a57b647a93e73d26ca7f0f95bd1a112

SHA512
b0c1c7433a534b62f668af7851a276c2d7b1d93c8e638acce3e60d04000860ad3c1e9f76ce67e0830bdca72d83138b2778f626ffd72c84bab67abaaaf0c7d661

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu124814.exe
Filesize
11KB

MD5
1064c8e873b8ef7b683a5228cbc88b8b

SHA1
18fd3ab0f542ae640f158b5ac20615c4b1940699

SHA256
cad5902d256fd6e9f3a64166925193a0ffbe66db4ec317b38bb76050f3367787

SHA512
db04baf087525ab2c23221a977d970ea6c280975c94895d007f676af4ed66b9787c0ab23cf2282046504ef40cf7e936dbd6b57a777f4039ebaf6de17f0fd327d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu124814.exe
Filesize
11KB

MD5
1064c8e873b8ef7b683a5228cbc88b8b

SHA1
18fd3ab0f542ae640f158b5ac20615c4b1940699

SHA256
cad5902d256fd6e9f3a64166925193a0ffbe66db4ec317b38bb76050f3367787

SHA512
db04baf087525ab2c23221a977d970ea6c280975c94895d007f676af4ed66b9787c0ab23cf2282046504ef40cf7e936dbd6b57a777f4039ebaf6de17f0fd327d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1877.exe
Filesize
291KB

MD5
296a06510b38598ffa6f3773226768c6

SHA1
2ac3cd499d6be839c8f0c49b4f7e6db51e88b04a

SHA256
3c8e51a6aded85f87ce429083c7eb8f5fc582e6d2559518c64d3f7b69e890721

SHA512
f3d8172a77291c00f978268db600050e243505601fad23d56e97ece576d3ced9dcc3edc677b4be25fa7b6f8e81a5927543d38c2e0ab9d96237888bf06bd1c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1877.exe
Filesize
291KB

MD5
296a06510b38598ffa6f3773226768c6

SHA1
2ac3cd499d6be839c8f0c49b4f7e6db51e88b04a

SHA256
3c8e51a6aded85f87ce429083c7eb8f5fc582e6d2559518c64d3f7b69e890721

SHA512
f3d8172a77291c00f978268db600050e243505601fad23d56e97ece576d3ced9dcc3edc677b4be25fa7b6f8e81a5927543d38c2e0ab9d96237888bf06bd1c758

Download Submit
memory/896-161-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2780-1142-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/2780-1141-0x00000000007F0000-0x0000000000822000-memory.dmp

Filesize
200KB

Download
memory/4424-1123-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/4424-241-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-1135-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-1134-0x0000000007CD0000-0x00000000081FC000-memory.dmp

Filesize
5.2MB

Download
memory/4424-1132-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-1133-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-1131-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-1130-0x0000000007B00000-0x0000000007CC2000-memory.dmp

Filesize
1.8MB

Download
memory/4424-1129-0x0000000007A90000-0x0000000007AE0000-memory.dmp

Filesize
320KB

Download
memory/4424-1128-0x0000000007A00000-0x0000000007A76000-memory.dmp

Filesize
472KB

Download
memory/4424-1127-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/4424-1125-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/4424-1124-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-1122-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/4424-1121-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/4424-210-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-211-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-213-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-215-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-217-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-219-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-221-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-223-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-225-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-227-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-229-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-231-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-233-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-235-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-237-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-239-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-1120-0x00000000067A0000-0x0000000006DB8000-memory.dmp

Filesize
6.1MB

Download
memory/4424-243-0x00000000038C0000-0x00000000038FF000-memory.dmp

Filesize
252KB

Download
memory/4424-305-0x0000000001B00000-0x0000000001B4B000-memory.dmp

Filesize
300KB

Download
memory/4424-307-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-309-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4424-311-0x00000000061E0000-0x00000000061F0000-memory.dmp

Filesize
64KB

Download
memory/4992-193-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-205-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4992-184-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-182-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-191-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-204-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-202-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-189-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4992-199-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-197-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-195-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-187-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-186-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-201-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/4992-183-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-180-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-178-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-176-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-174-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-172-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-170-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-169-0x00000000028E0000-0x00000000028F2000-memory.dmp

Filesize
72KB

Download
memory/4992-168-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/4992-167-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download