amadey | c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe
Size

1.0MB
MD5

be0de28f97a36234f42fe1298b3331da
SHA1

dcb7758da555afa18ee2f327922a8eea791167d0
SHA256

c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a
SHA512

a2ab0b5dc5a36ffd439d539b31c1e0e820fe461f7f158ecd97d4597b8018b0610e8f20fafd41fa95fe1352b6c3699b520df1aa9af135fb1c37ed0c4c9dd3bf2d
SSDEEP

24576:NyokpkKbv2JQF5rmkCyTsE5KmWdNxAp0GTKGDjWfhcx3dne6v8xF:oKJC5rHgE5KmW7xa+GDjWfhcx3dndg

Score

10^/10

amadey redline luza rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

luza

176.113.115.145:4125

Attributes

auth_value
1261701914d508e02e8b4f25d38bc7f9

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor9215.exebu697175.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9215.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu697175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu697175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu697175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu697175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu697175.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu697175.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3200-211-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-213-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-216-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-218-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-220-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-222-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-224-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-226-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-228-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-230-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-232-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-234-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-236-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-238-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-240-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-242-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-244-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline
behavioral1/memory/3200-246-0x0000000004AE0000-0x0000000004B1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge049983.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge049983.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina4160.exekina8217.exekina4727.exebu697175.execor9215.exedJo40s00.exeen943482.exege049983.exemetafor.exemetafor.exe

pid	process
2008	kina4160.exe
2588	kina8217.exe
4532	kina4727.exe
3624	bu697175.exe
3612	cor9215.exe
3200	dJo40s00.exe
4988	en943482.exe
2220	ge049983.exe
4536	metafor.exe
2328	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor9215.exebu697175.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu697175.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9215.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exekina4160.exekina8217.exekina4727.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina4160.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina8217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina8217.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina4727.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2056 3612 WerFault.exe cor9215.exe
4308 3200 WerFault.exe dJo40s00.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3724 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu697175.execor9215.exedJo40s00.exeen943482.exe

pid process

3624 bu697175.exe
3624 bu697175.exe
3612 cor9215.exe
3612 cor9215.exe
3200 dJo40s00.exe
3200 dJo40s00.exe
4988 en943482.exe
4988 en943482.exe

pid	pid_target	process	target process
2056	3612	WerFault.exe	cor9215.exe
4308	3200	WerFault.exe	dJo40s00.exe

pid	process
3724	schtasks.exe

pid	process
3624	bu697175.exe
3624	bu697175.exe
3612	cor9215.exe
3612	cor9215.exe
3200	dJo40s00.exe
3200	dJo40s00.exe
4988	en943482.exe
4988	en943482.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu697175.execor9215.exedJo40s00.exeen943482.exe

description	pid	process
Token: SeDebugPrivilege	3624	bu697175.exe
Token: SeDebugPrivilege	3612	cor9215.exe
Token: SeDebugPrivilege	3200	dJo40s00.exe
Token: SeDebugPrivilege	4988	en943482.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exekina4160.exekina8217.exekina4727.exege049983.exemetafor.execmd.exe

description	pid	process	target process
PID 2116 wrote to memory of 2008	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	kina4160.exe
PID 2116 wrote to memory of 2008	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	kina4160.exe
PID 2116 wrote to memory of 2008	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	kina4160.exe
PID 2008 wrote to memory of 2588	2008	kina4160.exe	kina8217.exe
PID 2008 wrote to memory of 2588	2008	kina4160.exe	kina8217.exe
PID 2008 wrote to memory of 2588	2008	kina4160.exe	kina8217.exe
PID 2588 wrote to memory of 4532	2588	kina8217.exe	kina4727.exe
PID 2588 wrote to memory of 4532	2588	kina8217.exe	kina4727.exe
PID 2588 wrote to memory of 4532	2588	kina8217.exe	kina4727.exe
PID 4532 wrote to memory of 3624	4532	kina4727.exe	bu697175.exe
PID 4532 wrote to memory of 3624	4532	kina4727.exe	bu697175.exe
PID 4532 wrote to memory of 3612	4532	kina4727.exe	cor9215.exe
PID 4532 wrote to memory of 3612	4532	kina4727.exe	cor9215.exe
PID 4532 wrote to memory of 3612	4532	kina4727.exe	cor9215.exe
PID 2588 wrote to memory of 3200	2588	kina8217.exe	dJo40s00.exe
PID 2588 wrote to memory of 3200	2588	kina8217.exe	dJo40s00.exe
PID 2588 wrote to memory of 3200	2588	kina8217.exe	dJo40s00.exe
PID 2008 wrote to memory of 4988	2008	kina4160.exe	en943482.exe
PID 2008 wrote to memory of 4988	2008	kina4160.exe	en943482.exe
PID 2008 wrote to memory of 4988	2008	kina4160.exe	en943482.exe
PID 2116 wrote to memory of 2220	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	ge049983.exe
PID 2116 wrote to memory of 2220	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	ge049983.exe
PID 2116 wrote to memory of 2220	2116	c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe	ge049983.exe
PID 2220 wrote to memory of 4536	2220	ge049983.exe	metafor.exe
PID 2220 wrote to memory of 4536	2220	ge049983.exe	metafor.exe
PID 2220 wrote to memory of 4536	2220	ge049983.exe	metafor.exe
PID 4536 wrote to memory of 3724	4536	metafor.exe	schtasks.exe
PID 4536 wrote to memory of 3724	4536	metafor.exe	schtasks.exe
PID 4536 wrote to memory of 3724	4536	metafor.exe	schtasks.exe
PID 4536 wrote to memory of 1344	4536	metafor.exe	cmd.exe
PID 4536 wrote to memory of 1344	4536	metafor.exe	cmd.exe
PID 4536 wrote to memory of 1344	4536	metafor.exe	cmd.exe
PID 1344 wrote to memory of 2804	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 2804	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 2804	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 1580	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 1580	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 1580	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 5036	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 5036	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 5036	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 3188	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 3188	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 3188	1344	cmd.exe	cmd.exe
PID 1344 wrote to memory of 5032	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 5032	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 5032	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 2452	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 2452	1344	cmd.exe	cacls.exe
PID 1344 wrote to memory of 2452	1344	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe
"C:\Users\Admin\AppData\Local\Temp\c844ad933731a710fbaa9236e5ec33a53441c517ef0a265265e0a8d67a572f6a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4160.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4160.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8217.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8217.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4727.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4727.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu697175.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu697175.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9215.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9215.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 1088
6⤵
- Program crash
PID:2056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJo40s00.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJo40s00.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 1336
5⤵
- Program crash
PID:4308

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en943482.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en943482.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge049983.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge049983.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2804

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1580

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3188

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:5032

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3612 -ip 3612
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3200 -ip 3200
1⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge049983.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge049983.exe
Filesize
227KB

MD5
6f0779e7d52f58a43dca7300f78881eb

SHA1
62ee27dd683403d46f7f8994bc8825d019bce9e6

SHA256
67e61dd0baa40e61d3133a070eeb1349b391081720e47ec87df41e3da24b2c78

SHA512
f65c77fdedeed66ac8d27a7aaadb91cbcb1255339dd681489cf991d53582f00d6c239b3f08cd70434d8f22f76d942b9f0798d158637ae62e5269d9a1ee52e54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4160.exe
Filesize
861KB

MD5
5ef98c8819d666cf091078682c035302

SHA1
13f44dc2082778ca5ad6f72604a0e25f1c48d2d4

SHA256
0e765214ffdcb07906e0da5cec1d2eed8f9c3abda263f5264b26b25e6d0ca7a0

SHA512
4257bdf614cf0e9dafd532e52d3037f0e1b8e0f0d4adc24e2b58428bf924f6af6f02d37c196956a30d31256472fa78aeed533147561586bfd4183d99f4c7f087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina4160.exe
Filesize
861KB

MD5
5ef98c8819d666cf091078682c035302

SHA1
13f44dc2082778ca5ad6f72604a0e25f1c48d2d4

SHA256
0e765214ffdcb07906e0da5cec1d2eed8f9c3abda263f5264b26b25e6d0ca7a0

SHA512
4257bdf614cf0e9dafd532e52d3037f0e1b8e0f0d4adc24e2b58428bf924f6af6f02d37c196956a30d31256472fa78aeed533147561586bfd4183d99f4c7f087

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en943482.exe
Filesize
175KB

MD5
26fc8bee8121bfa7bf8970b635f90335

SHA1
e8038b5a2880f3223e41ceef0d78c47f82433b13

SHA256
0812f6856b35c54ebb1a484c867d4ae03d021e542beae5c43abf3fa455cdf04e

SHA512
1c6f323edbbde97371435b770db4638862488a8f8d2019ec3d1d357690f5b58821c1c1bcdbd2e7b40548b81ee54d1e979488a5de19aa3b6efdf1567d79111f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en943482.exe
Filesize
175KB

MD5
26fc8bee8121bfa7bf8970b635f90335

SHA1
e8038b5a2880f3223e41ceef0d78c47f82433b13

SHA256
0812f6856b35c54ebb1a484c867d4ae03d021e542beae5c43abf3fa455cdf04e

SHA512
1c6f323edbbde97371435b770db4638862488a8f8d2019ec3d1d357690f5b58821c1c1bcdbd2e7b40548b81ee54d1e979488a5de19aa3b6efdf1567d79111f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8217.exe
Filesize
718KB

MD5
6c9c8d8e484f1a5c48669e4deabbe6f9

SHA1
a9185b0ea0360b43bc8d8ceb8fd2db4522c87976

SHA256
927ba64387be7dc03205731bbc89c8960b0a5aded34965f661ece71953a8ecb3

SHA512
c754a270530f686a9752efedf144eb4b7476a7ce38d220b45ca2f74985fcd480e507c83b957b199ec34b6c5a7726142714141a4d422484d39be2ab20c1be08c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina8217.exe
Filesize
718KB

MD5
6c9c8d8e484f1a5c48669e4deabbe6f9

SHA1
a9185b0ea0360b43bc8d8ceb8fd2db4522c87976

SHA256
927ba64387be7dc03205731bbc89c8960b0a5aded34965f661ece71953a8ecb3

SHA512
c754a270530f686a9752efedf144eb4b7476a7ce38d220b45ca2f74985fcd480e507c83b957b199ec34b6c5a7726142714141a4d422484d39be2ab20c1be08c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJo40s00.exe
Filesize
406KB

MD5
82e29baa4450c6aba72c8d2875d25a08

SHA1
463902c74a81c22cd53e2af759c054dfa6fd5cf2

SHA256
e12c0cb71c455c1a2756fc0f83266c4ac2337f58d862ada987a221edcd4b47a8

SHA512
612f31a4ab86241d940c8a4f2fd32e77a220e9babff900d0981d89bfc9adced1f196fadd578f2c52aa07dc9d015219b766774f8bad7bbe278fda36ff1429e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJo40s00.exe
Filesize
406KB

MD5
82e29baa4450c6aba72c8d2875d25a08

SHA1
463902c74a81c22cd53e2af759c054dfa6fd5cf2

SHA256
e12c0cb71c455c1a2756fc0f83266c4ac2337f58d862ada987a221edcd4b47a8

SHA512
612f31a4ab86241d940c8a4f2fd32e77a220e9babff900d0981d89bfc9adced1f196fadd578f2c52aa07dc9d015219b766774f8bad7bbe278fda36ff1429e5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4727.exe
Filesize
349KB

MD5
2d68c92ab5f32a1d3c9574718a3b5946

SHA1
8de791ddbe61ca6615609172ce5bc4d603f996a6

SHA256
33f97e5052360e7892409c38d9786d7765528106cab80ce48a26a78c63bf3a72

SHA512
e4acf79e50a48c66082b3363b8a46634c153852c4497d81223793b9675934656fc3dc8439908515f563535c1cd8fa286e184f82be6c153ee2198054954b20f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4727.exe
Filesize
349KB

MD5
2d68c92ab5f32a1d3c9574718a3b5946

SHA1
8de791ddbe61ca6615609172ce5bc4d603f996a6

SHA256
33f97e5052360e7892409c38d9786d7765528106cab80ce48a26a78c63bf3a72

SHA512
e4acf79e50a48c66082b3363b8a46634c153852c4497d81223793b9675934656fc3dc8439908515f563535c1cd8fa286e184f82be6c153ee2198054954b20f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu697175.exe
Filesize
11KB

MD5
16e7cc807f53ce38eb67dad191a7c3a4

SHA1
9c4140d8e70d69e66a9ed3e663579a1391fd5725

SHA256
89bbab4c734612c2db9625463044573d30d03f2cd515ed05ddbcad56b8c43e79

SHA512
2c6df5b3ae8c11ff710320de231ba6fa0ac7326ac32507550f574a0c824bc521c017992706f7277a3f34c688b7fa9e5732e9aaf7e1d1db263d433bcfa6efb98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu697175.exe
Filesize
11KB

MD5
16e7cc807f53ce38eb67dad191a7c3a4

SHA1
9c4140d8e70d69e66a9ed3e663579a1391fd5725

SHA256
89bbab4c734612c2db9625463044573d30d03f2cd515ed05ddbcad56b8c43e79

SHA512
2c6df5b3ae8c11ff710320de231ba6fa0ac7326ac32507550f574a0c824bc521c017992706f7277a3f34c688b7fa9e5732e9aaf7e1d1db263d433bcfa6efb98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9215.exe
Filesize
322KB

MD5
71dd8bdb8e1f939c63d85f364e308d40

SHA1
fcc98e22b55fd6b72f3bf2884928bfab5e3ed559

SHA256
58191f1a21095738171b7a31265970d7caf96b01e777d88ea7d2170f2d8047ce

SHA512
3e66bd0d65638626b4bc41c72ad369475d9c21012639514e9708bf84838c2f244c079e2add8a843697f9b9c5a45ec2b29f6703c657c87e5fb49e0fd2e96459ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9215.exe
Filesize
322KB

MD5
71dd8bdb8e1f939c63d85f364e308d40

SHA1
fcc98e22b55fd6b72f3bf2884928bfab5e3ed559

SHA256
58191f1a21095738171b7a31265970d7caf96b01e777d88ea7d2170f2d8047ce

SHA512
3e66bd0d65638626b4bc41c72ad369475d9c21012639514e9708bf84838c2f244c079e2add8a843697f9b9c5a45ec2b29f6703c657c87e5fb49e0fd2e96459ab

Download Submit
memory/3200-1123-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-1127-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-1134-0x00000000096B0000-0x0000000009700000-memory.dmp

Filesize
320KB

Download
memory/3200-1133-0x0000000009630000-0x00000000096A6000-memory.dmp

Filesize
472KB

Download
memory/3200-1132-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-1131-0x0000000008FB0000-0x00000000094DC000-memory.dmp

Filesize
5.2MB

Download
memory/3200-1130-0x0000000008DD0000-0x0000000008F92000-memory.dmp

Filesize
1.8MB

Download
memory/3200-1129-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-1128-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-1126-0x0000000008330000-0x0000000008396000-memory.dmp

Filesize
408KB

Download
memory/3200-1125-0x0000000008290000-0x0000000008322000-memory.dmp

Filesize
584KB

Download
memory/3200-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/3200-1121-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/3200-1120-0x0000000007E40000-0x0000000007F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3200-1119-0x00000000077D0000-0x0000000007DE8000-memory.dmp

Filesize
6.1MB

Download
memory/3200-246-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-244-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-209-0x0000000002CC0000-0x0000000002D0B000-memory.dmp

Filesize
300KB

Download
memory/3200-210-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-211-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-213-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-212-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-214-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3200-216-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-218-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-220-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-222-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-224-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-226-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-228-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-230-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-232-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-234-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-236-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-238-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-240-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3200-242-0x0000000004AE0000-0x0000000004B1F000-memory.dmp

Filesize
252KB

Download
memory/3612-191-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-193-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-177-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-202-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3612-201-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3612-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3612-175-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-199-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-197-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-181-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-195-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/3612-204-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/3612-179-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-171-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3612-185-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-183-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-173-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-172-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-189-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-167-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-187-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/3612-169-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3612-170-0x00000000071F0000-0x0000000007200000-memory.dmp

Filesize
64KB

Download
memory/3624-161-0x0000000000AA0000-0x0000000000AAA000-memory.dmp

Filesize
40KB

Download
memory/4988-1141-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/4988-1140-0x0000000000BB0000-0x0000000000BE2000-memory.dmp

Filesize
200KB

Download