amadey | 4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa

Analysis

max time kernel
121s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe
Size

1.0MB
MD5

8d707a15c49bc6eefa53c49f12f0525b
SHA1

e90906c987aaa44d9e9962e56c6c3fe9b84e5a48
SHA256

4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa
SHA512

621069228723fcee703fc79222e3eddce5a08e5388d80ec4de3c49bd938be498e75c6fb6a0a4193ea6c39bacda0a04ea769f58ee7da90cf70684d2ddeb322e7c
SSDEEP

24576:xyNup3RRX4XNF2Pgn8NHmqL9PL/qpMyx:kN8heXNF2Pg8NpL9PDqpv

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu561242.execor0136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu561242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu561242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu561242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu561242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu561242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu561242.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0136.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4852-213-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-214-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-216-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-218-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-220-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-222-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-224-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-226-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-228-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-230-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-232-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-234-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-236-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-238-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-240-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-242-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-244-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline
behavioral1/memory/4852-246-0x0000000004F30000-0x0000000004F6F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge595205.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge595205.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina6058.exekina9909.exekina4788.exebu561242.execor0136.exedRL81s79.exeen243634.exege595205.exemetafor.exemetafor.exe

pid	process
1344	kina6058.exe
1984	kina9909.exe
4464	kina4788.exe
1316	bu561242.exe
4132	cor0136.exe
4852	dRL81s79.exe
448	en243634.exe
2164	ge595205.exe
4816	metafor.exe
2460	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu561242.execor0136.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu561242.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0136.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0136.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina4788.exe4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exekina6058.exekina9909.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina4788.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina6058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina6058.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9909.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9909.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4788.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

548 4132 WerFault.exe cor0136.exe
4684 4852 WerFault.exe dRL81s79.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3364 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu561242.execor0136.exedRL81s79.exeen243634.exe

pid process

1316 bu561242.exe
1316 bu561242.exe
4132 cor0136.exe
4132 cor0136.exe
4852 dRL81s79.exe
4852 dRL81s79.exe
448 en243634.exe
448 en243634.exe

pid	pid_target	process	target process
548	4132	WerFault.exe	cor0136.exe
4684	4852	WerFault.exe	dRL81s79.exe

pid	process
3364	schtasks.exe

pid	process
1316	bu561242.exe
1316	bu561242.exe
4132	cor0136.exe
4132	cor0136.exe
4852	dRL81s79.exe
4852	dRL81s79.exe
448	en243634.exe
448	en243634.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu561242.execor0136.exedRL81s79.exeen243634.exe

description	pid	process
Token: SeDebugPrivilege	1316	bu561242.exe
Token: SeDebugPrivilege	4132	cor0136.exe
Token: SeDebugPrivilege	4852	dRL81s79.exe
Token: SeDebugPrivilege	448	en243634.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exekina6058.exekina9909.exekina4788.exege595205.exemetafor.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 1344	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	kina6058.exe
PID 1448 wrote to memory of 1344	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	kina6058.exe
PID 1448 wrote to memory of 1344	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	kina6058.exe
PID 1344 wrote to memory of 1984	1344	kina6058.exe	kina9909.exe
PID 1344 wrote to memory of 1984	1344	kina6058.exe	kina9909.exe
PID 1344 wrote to memory of 1984	1344	kina6058.exe	kina9909.exe
PID 1984 wrote to memory of 4464	1984	kina9909.exe	kina4788.exe
PID 1984 wrote to memory of 4464	1984	kina9909.exe	kina4788.exe
PID 1984 wrote to memory of 4464	1984	kina9909.exe	kina4788.exe
PID 4464 wrote to memory of 1316	4464	kina4788.exe	bu561242.exe
PID 4464 wrote to memory of 1316	4464	kina4788.exe	bu561242.exe
PID 4464 wrote to memory of 4132	4464	kina4788.exe	cor0136.exe
PID 4464 wrote to memory of 4132	4464	kina4788.exe	cor0136.exe
PID 4464 wrote to memory of 4132	4464	kina4788.exe	cor0136.exe
PID 1984 wrote to memory of 4852	1984	kina9909.exe	dRL81s79.exe
PID 1984 wrote to memory of 4852	1984	kina9909.exe	dRL81s79.exe
PID 1984 wrote to memory of 4852	1984	kina9909.exe	dRL81s79.exe
PID 1344 wrote to memory of 448	1344	kina6058.exe	en243634.exe
PID 1344 wrote to memory of 448	1344	kina6058.exe	en243634.exe
PID 1344 wrote to memory of 448	1344	kina6058.exe	en243634.exe
PID 1448 wrote to memory of 2164	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	ge595205.exe
PID 1448 wrote to memory of 2164	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	ge595205.exe
PID 1448 wrote to memory of 2164	1448	4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe	ge595205.exe
PID 2164 wrote to memory of 4816	2164	ge595205.exe	metafor.exe
PID 2164 wrote to memory of 4816	2164	ge595205.exe	metafor.exe
PID 2164 wrote to memory of 4816	2164	ge595205.exe	metafor.exe
PID 4816 wrote to memory of 3364	4816	metafor.exe	schtasks.exe
PID 4816 wrote to memory of 3364	4816	metafor.exe	schtasks.exe
PID 4816 wrote to memory of 3364	4816	metafor.exe	schtasks.exe
PID 4816 wrote to memory of 3836	4816	metafor.exe	cmd.exe
PID 4816 wrote to memory of 3836	4816	metafor.exe	cmd.exe
PID 4816 wrote to memory of 3836	4816	metafor.exe	cmd.exe
PID 3836 wrote to memory of 2984	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 2984	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 2984	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 2980	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 2980	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 2980	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 764	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 764	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 764	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 400	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 400	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 400	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 4472	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 4472	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 4472	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 1308	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 1308	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 1308	3836	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe
"C:\Users\Admin\AppData\Local\Temp\4ec988f913f8ea3e66e604af9dbbe488f87fc71851162b41c511f99b6125bfaa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6058.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6058.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9909.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9909.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4788.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4788.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu561242.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu561242.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0136.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0136.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1088
6⤵
- Program crash
PID:548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRL81s79.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRL81s79.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 1356
5⤵
- Program crash
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en243634.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en243634.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge595205.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge595205.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2984

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2980

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:400

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4132 -ip 4132
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4852 -ip 4852
1⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge595205.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge595205.exe
Filesize
227KB

MD5
d115ce8350bc7b0769d3a791e62cf170

SHA1
16ba49a9193d3d82a38424020435cf085b500656

SHA256
b72f28165fee6c14d8f818e9a0507e51f148454c8d45358b0b44bfe2dae1c86f

SHA512
1e9292a189baf217978e909dee9f0fdcb5e42883c19f635cb6b9eb667c87dda3be70ace4575513385845b56fff4e6e787224a4645e3e4a19b81b3ed3d50f6059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6058.exe
Filesize
847KB

MD5
1907a04df1483ef013512de642981320

SHA1
b8822ca00d8f65d751655bb72ec6456c03d5fbe4

SHA256
0835d9a10bc7a81b24126522ee3c9f0d1ba99de6585ad5522e6b5f23fc6c5ab3

SHA512
9e7caaaf844cfec28543f31a4ffaa5934ab73a42f200f134d9286e00175516e392f4beb9655a4d6b914265c4db32e04def743e90696ebc5681fa5bc4bb1ab95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina6058.exe
Filesize
847KB

MD5
1907a04df1483ef013512de642981320

SHA1
b8822ca00d8f65d751655bb72ec6456c03d5fbe4

SHA256
0835d9a10bc7a81b24126522ee3c9f0d1ba99de6585ad5522e6b5f23fc6c5ab3

SHA512
9e7caaaf844cfec28543f31a4ffaa5934ab73a42f200f134d9286e00175516e392f4beb9655a4d6b914265c4db32e04def743e90696ebc5681fa5bc4bb1ab95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en243634.exe
Filesize
175KB

MD5
39a69fbac75d44b18ce687df5317d8ab

SHA1
2a9db16e727e75bf606a0f67e5fa265e2fa7b305

SHA256
9e626d06441e87a2ffab2cea65f9045b9c79b46283191c9a952b2003d24830f8

SHA512
d7e59a39f3570699cbe26701bbec468012b8c3f1594da8168391df8659155294353784dd7c45b2f4f43394fce9283a3faed8616797d1cd5438f4b8513af8d7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en243634.exe
Filesize
175KB

MD5
39a69fbac75d44b18ce687df5317d8ab

SHA1
2a9db16e727e75bf606a0f67e5fa265e2fa7b305

SHA256
9e626d06441e87a2ffab2cea65f9045b9c79b46283191c9a952b2003d24830f8

SHA512
d7e59a39f3570699cbe26701bbec468012b8c3f1594da8168391df8659155294353784dd7c45b2f4f43394fce9283a3faed8616797d1cd5438f4b8513af8d7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9909.exe
Filesize
705KB

MD5
8b79b657d72001a36bb9a41b36399b1b

SHA1
c3b2b9697d3bed74d290a5b6cdd3f8cc94e28697

SHA256
30faff74f752767af02dbbd34c26891a3224812b071771278f1993a8a359bdd1

SHA512
03c64b5a5c41173559952a7e62925632f05fa341f48ed625ba5f5ac8b9fcb0d3e2d3835485523af6dfd8ca1e7388643681b06e6dc6bf7c52f6faa1beeeb38115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9909.exe
Filesize
705KB

MD5
8b79b657d72001a36bb9a41b36399b1b

SHA1
c3b2b9697d3bed74d290a5b6cdd3f8cc94e28697

SHA256
30faff74f752767af02dbbd34c26891a3224812b071771278f1993a8a359bdd1

SHA512
03c64b5a5c41173559952a7e62925632f05fa341f48ed625ba5f5ac8b9fcb0d3e2d3835485523af6dfd8ca1e7388643681b06e6dc6bf7c52f6faa1beeeb38115

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRL81s79.exe
Filesize
380KB

MD5
adf81e6879edeef123eed36c1a8ac929

SHA1
0c310dc292d97d523f2351f465c1b52a6a9a2ade

SHA256
13e0535e10fed2d402510a09cfcd1a8b98714a541feb6cf39d5c38f91215d079

SHA512
b04276ca01f71c16caba3ce383663cdee9a4fb90cb19a7d264263c39e52c04f0d2b95100cc7e4cb2bb01d766f9fe703c87c3e65a9685f75a226d340ff5edc637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dRL81s79.exe
Filesize
380KB

MD5
adf81e6879edeef123eed36c1a8ac929

SHA1
0c310dc292d97d523f2351f465c1b52a6a9a2ade

SHA256
13e0535e10fed2d402510a09cfcd1a8b98714a541feb6cf39d5c38f91215d079

SHA512
b04276ca01f71c16caba3ce383663cdee9a4fb90cb19a7d264263c39e52c04f0d2b95100cc7e4cb2bb01d766f9fe703c87c3e65a9685f75a226d340ff5edc637

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4788.exe
Filesize
349KB

MD5
ada974e0640ae77ddc9ac598b55d7040

SHA1
e28d84fb93e9a9faee231119c2a96ce6ea88ae9e

SHA256
6823ff26d0f5728ba9fd22a90243b9c08fe4eec0ae9742e5993cf39c78098195

SHA512
ed4e68079981c71f7e2cdb0d5625a69789818b0654305e3cbd1a04fd77af99454f3097e828e7e2e0e55565e144674a0ae911bb2d6a6ec9b404e2490a4e8c57d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4788.exe
Filesize
349KB

MD5
ada974e0640ae77ddc9ac598b55d7040

SHA1
e28d84fb93e9a9faee231119c2a96ce6ea88ae9e

SHA256
6823ff26d0f5728ba9fd22a90243b9c08fe4eec0ae9742e5993cf39c78098195

SHA512
ed4e68079981c71f7e2cdb0d5625a69789818b0654305e3cbd1a04fd77af99454f3097e828e7e2e0e55565e144674a0ae911bb2d6a6ec9b404e2490a4e8c57d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu561242.exe
Filesize
11KB

MD5
27ce2d170ab35b1ab3b0cc00b8ae9a69

SHA1
b5de7fba219dfad61b56bfbafc3022cf05959bf7

SHA256
911c3a02cac4d3f21ce97ddcff973ba819b691c6ef7f117257631022370f731d

SHA512
974f63ffb1dfe203463180281d293d7279648a40e60288c9de3b2a49d36315c4120c5ef02873daa91a07257623d79ebfe9907904c8b665eff591a93a439dfe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu561242.exe
Filesize
11KB

MD5
27ce2d170ab35b1ab3b0cc00b8ae9a69

SHA1
b5de7fba219dfad61b56bfbafc3022cf05959bf7

SHA256
911c3a02cac4d3f21ce97ddcff973ba819b691c6ef7f117257631022370f731d

SHA512
974f63ffb1dfe203463180281d293d7279648a40e60288c9de3b2a49d36315c4120c5ef02873daa91a07257623d79ebfe9907904c8b665eff591a93a439dfe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0136.exe
Filesize
321KB

MD5
377e4cd52f3913f022b93969b10de333

SHA1
d3a4d0febbcc2d1a0a0cf48ff957202d7b1e6630

SHA256
7c6c7f21c02234980643d28455a546b84fd1787f7849d4c06c5b40eaee0d3cf6

SHA512
960ed1ab05ec413c9052002ceb3a5f6383b59b40dd15e13e8f4f21c7205ff6371e7e7f157105844e5f410bf0d65be126299779386e79ca5c02959f6ddb8ca73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0136.exe
Filesize
321KB

MD5
377e4cd52f3913f022b93969b10de333

SHA1
d3a4d0febbcc2d1a0a0cf48ff957202d7b1e6630

SHA256
7c6c7f21c02234980643d28455a546b84fd1787f7849d4c06c5b40eaee0d3cf6

SHA512
960ed1ab05ec413c9052002ceb3a5f6383b59b40dd15e13e8f4f21c7205ff6371e7e7f157105844e5f410bf0d65be126299779386e79ca5c02959f6ddb8ca73c

Download Submit
memory/448-1140-0x0000000000A20000-0x0000000000A52000-memory.dmp

Filesize
200KB

Download
memory/448-1141-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/448-1142-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/1316-161-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/4132-181-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-183-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-185-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-187-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-189-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-191-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-193-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-195-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-197-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-199-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4132-201-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4132-202-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4132-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4132-179-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-177-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-175-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-173-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-172-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/4132-171-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4132-169-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4132-170-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/4132-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4132-167-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/4852-213-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-226-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-228-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-230-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-232-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-234-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-236-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-238-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-240-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-242-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-244-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-246-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-1119-0x00000000079F0000-0x0000000008008000-memory.dmp

Filesize
6.1MB

Download
memory/4852-1120-0x0000000008070000-0x000000000817A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1121-0x00000000081B0000-0x00000000081C2000-memory.dmp

Filesize
72KB

Download
memory/4852-1122-0x00000000082D0000-0x000000000830C000-memory.dmp

Filesize
240KB

Download
memory/4852-1123-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-1125-0x00000000084C0000-0x0000000008526000-memory.dmp

Filesize
408KB

Download
memory/4852-1126-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-1127-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-1128-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-1129-0x0000000008CC0000-0x0000000008D52000-memory.dmp

Filesize
584KB

Download
memory/4852-1130-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-1131-0x000000000A270000-0x000000000A432000-memory.dmp

Filesize
1.8MB

Download
memory/4852-1132-0x000000000A440000-0x000000000A96C000-memory.dmp

Filesize
5.2MB

Download
memory/4852-1133-0x000000000AA10000-0x000000000AA86000-memory.dmp

Filesize
472KB

Download
memory/4852-224-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-222-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-220-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-218-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-216-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-214-0x0000000004F30000-0x0000000004F6F000-memory.dmp

Filesize
252KB

Download
memory/4852-211-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-212-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-210-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4852-209-0x0000000002D90000-0x0000000002DDB000-memory.dmp

Filesize
300KB

Download
memory/4852-1134-0x000000000AAB0000-0x000000000AB00000-memory.dmp

Filesize
320KB

Download