Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
14/03/2023, 10:46
Static task
static1
General
-
Target
c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe
-
Size
1.1MB
-
MD5
fadccf579a09e7c2f325b41395a43c95
-
SHA1
3ac2d3fe0442a983ac6d4621088a590e0f071879
-
SHA256
c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16
-
SHA512
a247cef951191e6c76e8c4c645a2d3560311cf051fa29f9b8e12db689b375f14660661aaeeb69830e4329072dcf5e920d521bae1b95306b7052bbe97dd71de6c
-
SSDEEP
24576:jmP7BbTymTVzxFnHDzCOiqZavIqFwFU9hOpyugGYfhO9C3PvWjZ:jmP7BnzVnjzCTqZ57Q48ugBO9C3PO
Malware Config
Extracted
redline
mango
193.233.20.28:4125
-
auth_value
ecf79d7f5227d998a3501c972d915d23
Extracted
redline
vina
193.233.20.28:4125
-
auth_value
7e90e85c9cea0965a2bfd23e1cfc6bc8
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" t52uS34.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" t52uS34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" bus8215.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" t52uS34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" t52uS34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" t52uS34.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" bus8215.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" bus8215.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
resource yara_rule behavioral1/memory/4480-214-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-215-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-217-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-219-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-221-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-223-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-225-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-227-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-229-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-231-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-233-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-235-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-237-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-239-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-241-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-243-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-245-0x0000000002490000-0x00000000024CE000-memory.dmp family_redline behavioral1/memory/4480-1135-0x0000000004C00000-0x0000000004C10000-memory.dmp family_redline -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation ge214537.exe Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation metafor.exe -
Executes dropped EXE 16 IoCs
pid Process 4980 kino6909.exe 3608 kino4649.exe 2680 kino9726.exe 3116 bus8215.exe 1928 con8871.exe 4480 dvt46s77.exe 4192 en185244.exe 4804 ge214537.exe 2228 metafor.exe 2348 foto0101.exe 4404 wine2463.exe 4952 s9074mz.exe 4556 t52uS34.exe 4584 uvwGE72.exe 4736 metafor.exe 548 metafor.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" bus8215.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" con8871.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" s9074mz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" t52uS34.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" kino9726.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" foto0101.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" kino6909.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino4649.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" kino4649.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino9726.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wine2463.exe Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foto0101.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003051\\foto0101.exe" metafor.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce kino6909.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce foto0101.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" wine2463.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3032 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
pid pid_target Process procid_target 4800 1928 WerFault.exe 91 3888 4480 WerFault.exe 96 3688 3528 WerFault.exe 79 4592 4556 WerFault.exe 129 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4464 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3116 bus8215.exe 3116 bus8215.exe 1928 con8871.exe 1928 con8871.exe 4480 dvt46s77.exe 4480 dvt46s77.exe 4192 en185244.exe 4192 en185244.exe 4952 s9074mz.exe 4952 s9074mz.exe 4556 t52uS34.exe 4556 t52uS34.exe 4584 uvwGE72.exe 4584 uvwGE72.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 3116 bus8215.exe Token: SeDebugPrivilege 1928 con8871.exe Token: SeDebugPrivilege 4480 dvt46s77.exe Token: SeDebugPrivilege 4192 en185244.exe Token: SeDebugPrivilege 4952 s9074mz.exe Token: SeDebugPrivilege 4556 t52uS34.exe Token: SeDebugPrivilege 4584 uvwGE72.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3528 wrote to memory of 4980 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 82 PID 3528 wrote to memory of 4980 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 82 PID 3528 wrote to memory of 4980 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 82 PID 4980 wrote to memory of 3608 4980 kino6909.exe 83 PID 4980 wrote to memory of 3608 4980 kino6909.exe 83 PID 4980 wrote to memory of 3608 4980 kino6909.exe 83 PID 3608 wrote to memory of 2680 3608 kino4649.exe 84 PID 3608 wrote to memory of 2680 3608 kino4649.exe 84 PID 3608 wrote to memory of 2680 3608 kino4649.exe 84 PID 2680 wrote to memory of 3116 2680 kino9726.exe 85 PID 2680 wrote to memory of 3116 2680 kino9726.exe 85 PID 2680 wrote to memory of 1928 2680 kino9726.exe 91 PID 2680 wrote to memory of 1928 2680 kino9726.exe 91 PID 2680 wrote to memory of 1928 2680 kino9726.exe 91 PID 3608 wrote to memory of 4480 3608 kino4649.exe 96 PID 3608 wrote to memory of 4480 3608 kino4649.exe 96 PID 3608 wrote to memory of 4480 3608 kino4649.exe 96 PID 4980 wrote to memory of 4192 4980 kino6909.exe 106 PID 4980 wrote to memory of 4192 4980 kino6909.exe 106 PID 4980 wrote to memory of 4192 4980 kino6909.exe 106 PID 3528 wrote to memory of 4804 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 112 PID 3528 wrote to memory of 4804 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 112 PID 3528 wrote to memory of 4804 3528 c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe 112 PID 4804 wrote to memory of 2228 4804 ge214537.exe 113 PID 4804 wrote to memory of 2228 4804 ge214537.exe 113 PID 4804 wrote to memory of 2228 4804 ge214537.exe 113 PID 2228 wrote to memory of 4464 2228 metafor.exe 116 PID 2228 wrote to memory of 4464 2228 metafor.exe 116 PID 2228 wrote to memory of 4464 2228 metafor.exe 116 PID 2228 wrote to memory of 4200 2228 metafor.exe 118 PID 2228 wrote to memory of 4200 2228 metafor.exe 118 PID 2228 wrote to memory of 4200 2228 metafor.exe 118 PID 4200 wrote to memory of 4824 4200 cmd.exe 120 PID 4200 wrote to memory of 4824 4200 cmd.exe 120 PID 4200 wrote to memory of 4824 4200 cmd.exe 120 PID 4200 wrote to memory of 4436 4200 cmd.exe 121 PID 4200 wrote to memory of 4436 4200 cmd.exe 121 PID 4200 wrote to memory of 4436 4200 cmd.exe 121 PID 4200 wrote to memory of 2044 4200 cmd.exe 122 PID 4200 wrote to memory of 2044 4200 cmd.exe 122 PID 4200 wrote to memory of 2044 4200 cmd.exe 122 PID 4200 wrote to memory of 560 4200 cmd.exe 123 PID 4200 wrote to memory of 560 4200 cmd.exe 123 PID 4200 wrote to memory of 560 4200 cmd.exe 123 PID 4200 wrote to memory of 448 4200 cmd.exe 124 PID 4200 wrote to memory of 448 4200 cmd.exe 124 PID 4200 wrote to memory of 448 4200 cmd.exe 124 PID 4200 wrote to memory of 796 4200 cmd.exe 125 PID 4200 wrote to memory of 796 4200 cmd.exe 125 PID 4200 wrote to memory of 796 4200 cmd.exe 125 PID 2228 wrote to memory of 2348 2228 metafor.exe 126 PID 2228 wrote to memory of 2348 2228 metafor.exe 126 PID 2228 wrote to memory of 2348 2228 metafor.exe 126 PID 2348 wrote to memory of 4404 2348 foto0101.exe 127 PID 2348 wrote to memory of 4404 2348 foto0101.exe 127 PID 2348 wrote to memory of 4404 2348 foto0101.exe 127 PID 4404 wrote to memory of 4952 4404 wine2463.exe 128 PID 4404 wrote to memory of 4952 4404 wine2463.exe 128 PID 4404 wrote to memory of 4556 4404 wine2463.exe 129 PID 4404 wrote to memory of 4556 4404 wine2463.exe 129 PID 4404 wrote to memory of 4556 4404 wine2463.exe 129 PID 2348 wrote to memory of 4584 2348 foto0101.exe 132 PID 2348 wrote to memory of 4584 2348 foto0101.exe 132 PID 2348 wrote to memory of 4584 2348 foto0101.exe 132
Processes
-
C:\Users\Admin\AppData\Local\Temp\c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe"C:\Users\Admin\AppData\Local\Temp\c92f9391efa6bbd3697ac59ee8837e9ded146312114c1166938f0d615f404a16.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3528 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6909.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6909.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4649.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4649.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9726.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9726.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8215.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8215.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8871.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con8871.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 10806⤵
- Program crash
PID:4800
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvt46s77.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvt46s77.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 15645⤵
- Program crash
PID:3888
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en185244.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en185244.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge214537.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge214537.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
PID:4464
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4824
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵PID:4436
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵PID:2044
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:560
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵PID:448
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵PID:796
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000003051\foto0101.exe"C:\Users\Admin\AppData\Local\Temp\1000003051\foto0101.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wine2463.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wine2463.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9074mz.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s9074mz.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t52uS34.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t52uS34.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 10727⤵
- Program crash
PID:4592
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uvwGE72.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uvwGE72.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 5322⤵
- Program crash
PID:3688
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1928 -ip 19281⤵PID:3604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4480 -ip 44801⤵PID:1836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3528 -ip 35281⤵PID:2132
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4556 -ip 45561⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
PID:4736
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3032
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
PID:548
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
492KB
MD58f93d7e3f2414c142956edc0078a0f1e
SHA165655e1dc7c94ba5a10a57c8e2bd1e4ec55cdf75
SHA2562315b7ac54867a8a0fa33aa151a8d8e74962299e09a9fb338e9075bb7104d721
SHA512df55dc8ac4e6980f40528faba926aa3d7ba80f2c54577c30d219f4671ee0493d870468a4982f6da8e8f05c323787cd6e49a74cc8fd3eb6390d167ece408407ea
-
Filesize
492KB
MD58f93d7e3f2414c142956edc0078a0f1e
SHA165655e1dc7c94ba5a10a57c8e2bd1e4ec55cdf75
SHA2562315b7ac54867a8a0fa33aa151a8d8e74962299e09a9fb338e9075bb7104d721
SHA512df55dc8ac4e6980f40528faba926aa3d7ba80f2c54577c30d219f4671ee0493d870468a4982f6da8e8f05c323787cd6e49a74cc8fd3eb6390d167ece408407ea
-
Filesize
492KB
MD58f93d7e3f2414c142956edc0078a0f1e
SHA165655e1dc7c94ba5a10a57c8e2bd1e4ec55cdf75
SHA2562315b7ac54867a8a0fa33aa151a8d8e74962299e09a9fb338e9075bb7104d721
SHA512df55dc8ac4e6980f40528faba926aa3d7ba80f2c54577c30d219f4671ee0493d870468a4982f6da8e8f05c323787cd6e49a74cc8fd3eb6390d167ece408407ea
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
823KB
MD53f6ee6e4420abf99de71289f74c55d0e
SHA1d97bc3954988e228f74e54a103ac16540f5609ef
SHA25678e8c6b9aca10f170e2460302e00e98dbeb717b7c1b810e6cb538c2b5b037e1f
SHA5128920f3dc52059777d09f72d2bbc287debeb31bdfcb02168428f3cc16cafa266e3c9181b7b70c4169356042d4a10ce93a2ed1e450756d2aa18afacb390d16c9d4
-
Filesize
823KB
MD53f6ee6e4420abf99de71289f74c55d0e
SHA1d97bc3954988e228f74e54a103ac16540f5609ef
SHA25678e8c6b9aca10f170e2460302e00e98dbeb717b7c1b810e6cb538c2b5b037e1f
SHA5128920f3dc52059777d09f72d2bbc287debeb31bdfcb02168428f3cc16cafa266e3c9181b7b70c4169356042d4a10ce93a2ed1e450756d2aa18afacb390d16c9d4
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
347KB
MD54f705959f453a364916f0f95147f135a
SHA131eab542c04f9e041750e558c4d98aba2a4cd5e5
SHA2567162417b7992a936c4060e5490e2d4998b2f677c6a4da661a9ba70e27de2eeef
SHA512520a824de65952a0a64beb1354b8a1b303efae5e4524525807d8feb8bd0d8de20b4a833c822ab80ce04a7cf784b8b380fdb580e21608157e4cd1c8fe74f4757e
-
Filesize
347KB
MD54f705959f453a364916f0f95147f135a
SHA131eab542c04f9e041750e558c4d98aba2a4cd5e5
SHA2567162417b7992a936c4060e5490e2d4998b2f677c6a4da661a9ba70e27de2eeef
SHA512520a824de65952a0a64beb1354b8a1b303efae5e4524525807d8feb8bd0d8de20b4a833c822ab80ce04a7cf784b8b380fdb580e21608157e4cd1c8fe74f4757e
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
175KB
MD59796505f0e48281006d920d7c01dfe7b
SHA1409d6a3760f682cc6e10c4f63e16755081d1342e
SHA256acf7be67bc04fc3b5f30c386ad0425b3fdbd7350dee6f7ab8b200b2bd9509479
SHA512c0ab3a9eb70564d04500a0e53e429925afdf0268e015ec1ec515ed2e7c9416273be51c9f86cbf99fa1a5ccd6e6f6f5a62fadc6e256fd7a53295295e4008f5d72
-
Filesize
681KB
MD5a17645b0619c9cee206b9b5005938f62
SHA117dc77dbd22dda49435980ea64f16f50af712135
SHA2561ffdc86c5082859f407c64f0957cb96fc0f493d7965361576917b6b81ec06611
SHA512ecd8b7336e01de9fbfb530a7a9c52c667fe3cc80691e731e7d986ef0704649d1468417610ba74fc318cfac9bccaa75e16a89b2d0ea8fc4423c96601eedad53f5
-
Filesize
681KB
MD5a17645b0619c9cee206b9b5005938f62
SHA117dc77dbd22dda49435980ea64f16f50af712135
SHA2561ffdc86c5082859f407c64f0957cb96fc0f493d7965361576917b6b81ec06611
SHA512ecd8b7336e01de9fbfb530a7a9c52c667fe3cc80691e731e7d986ef0704649d1468417610ba74fc318cfac9bccaa75e16a89b2d0ea8fc4423c96601eedad53f5
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
285KB
MD540b4ab9e96854e5e40cddd008dc16944
SHA1d54c699823a2e643ad00368fdf210902c4ec8453
SHA256547ff1dcfbb0f3f785a8f3fe540208933f4380a79093032ed2c95c98b5527c42
SHA51215e3807e3f95767ed20ed60a45f4afb635e17d9992c361f3d0b8958e9631a793a8ca88e9a6852e5180b20bc5d60bba8057a3c49348d5d5d7001baa74c758b426
-
Filesize
285KB
MD540b4ab9e96854e5e40cddd008dc16944
SHA1d54c699823a2e643ad00368fdf210902c4ec8453
SHA256547ff1dcfbb0f3f785a8f3fe540208933f4380a79093032ed2c95c98b5527c42
SHA51215e3807e3f95767ed20ed60a45f4afb635e17d9992c361f3d0b8958e9631a793a8ca88e9a6852e5180b20bc5d60bba8057a3c49348d5d5d7001baa74c758b426
-
Filesize
343KB
MD5b58a3c5b0cc5922dbd8cec1bf434f743
SHA11807b33a35f497e2ef919c921b609ee391a0e33a
SHA25612f3bdf0699561e14986911f14e79b63621511d1e13e9b922f9395714953f487
SHA512cea3f662e7cf35de07333e3dd95e4f5c011a8bb815c85d4898ef4ac3868f992ac37f466640b1bcc2b7f1891f225fb21054fe8fa8e310d883be029ae33bc91cb7
-
Filesize
343KB
MD5b58a3c5b0cc5922dbd8cec1bf434f743
SHA11807b33a35f497e2ef919c921b609ee391a0e33a
SHA25612f3bdf0699561e14986911f14e79b63621511d1e13e9b922f9395714953f487
SHA512cea3f662e7cf35de07333e3dd95e4f5c011a8bb815c85d4898ef4ac3868f992ac37f466640b1bcc2b7f1891f225fb21054fe8fa8e310d883be029ae33bc91cb7
-
Filesize
337KB
MD58cb92be8a236eb8f633e552aaa0f7e22
SHA11d174a28c35dc7b47ce83924e83b1e0099802265
SHA2563ad53ce31b9dadbd99fa7b714b29b80416e0ccd109d117476f4baba2cb70cf11
SHA512bea06f502bfaba18eff6a4d06bd91dfff1642c441d1320ec62a8e61ee03d78b5a4784186366ea5cc861b8b9ebb0a7245480c1c2e47378be87f6b3c1970f30c85
-
Filesize
337KB
MD58cb92be8a236eb8f633e552aaa0f7e22
SHA11d174a28c35dc7b47ce83924e83b1e0099802265
SHA2563ad53ce31b9dadbd99fa7b714b29b80416e0ccd109d117476f4baba2cb70cf11
SHA512bea06f502bfaba18eff6a4d06bd91dfff1642c441d1320ec62a8e61ee03d78b5a4784186366ea5cc861b8b9ebb0a7245480c1c2e47378be87f6b3c1970f30c85
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
285KB
MD5aeafc76d80a9302266a9f1b29c902301
SHA19b08310586c10f22439b66d8ce7ef536003c6b4e
SHA25614dfd877335d4eea9a0dbdbba765b6e8ce676a6f6ad3d837022cf5ccf1e00400
SHA5123da5535584a3753103e4b60864fe62e82f6bdd72ad3624dc43aa698a97f5eb54e5503304a284327ae3a1779b58d9863feeeb588564e706a3494ea06565eba6f6
-
Filesize
285KB
MD5aeafc76d80a9302266a9f1b29c902301
SHA19b08310586c10f22439b66d8ce7ef536003c6b4e
SHA25614dfd877335d4eea9a0dbdbba765b6e8ce676a6f6ad3d837022cf5ccf1e00400
SHA5123da5535584a3753103e4b60864fe62e82f6bdd72ad3624dc43aa698a97f5eb54e5503304a284327ae3a1779b58d9863feeeb588564e706a3494ea06565eba6f6