amadey | e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469

Analysis

max time kernel
123s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe
Size

1020KB
MD5

827254bea8524e7eb1fdd3faa84dd082
SHA1

2be9665b3d8df9811d8497b2b96f1de1e680f827
SHA256

e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469
SHA512

57d542079c5f110cd03e6ec893d1f656713a24e7393d9eda43585c77da79b9febf1aa69be7a24ff87357c56f6130b18e1b74b2140923b79410c18df4b6f9dfb0
SSDEEP

24576:EyIxHY9SokPXwluvfvp37grVOCfUlK6MYuDwM/9xj/+j:TUY9Sokolw3p3cROyaK6AcCFW

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor3783.exebus1877.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus1877.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3783.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus1877.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3783.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4624-209-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-210-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-212-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-214-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-216-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-218-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-220-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-222-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-224-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-226-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-228-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-232-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-235-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-231-0x0000000002AB0000-0x0000000002AC0000-memory.dmp	family_redline
behavioral1/memory/4624-237-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-239-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-241-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-243-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline
behavioral1/memory/4624-245-0x00000000029B0000-0x00000000029EE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge348675.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge348675.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino2830.exekino7755.exekino1340.exebus1877.execor3783.exedqN41s04.exeen842575.exege348675.exemetafor.exemetafor.exemetafor.exe

pid	process
1136	kino2830.exe
2544	kino7755.exe
3812	kino1340.exe
320	bus1877.exe
1532	cor3783.exe
4624	dqN41s04.exe
3748	en842575.exe
2856	ge348675.exe
3564	metafor.exe
2988	metafor.exe
3220	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus1877.execor3783.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus1877.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3783.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3783.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exekino2830.exekino7755.exekino1340.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino2830.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino7755.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino1340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino1340.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1788 1532 WerFault.exe cor3783.exe
1284 4624 WerFault.exe dqN41s04.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2732 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus1877.execor3783.exedqN41s04.exeen842575.exe

pid process

320 bus1877.exe
320 bus1877.exe
1532 cor3783.exe
1532 cor3783.exe
4624 dqN41s04.exe
4624 dqN41s04.exe
3748 en842575.exe
3748 en842575.exe

pid	pid_target	process	target process
1788	1532	WerFault.exe	cor3783.exe
1284	4624	WerFault.exe	dqN41s04.exe

pid	process
2732	schtasks.exe

pid	process
320	bus1877.exe
320	bus1877.exe
1532	cor3783.exe
1532	cor3783.exe
4624	dqN41s04.exe
4624	dqN41s04.exe
3748	en842575.exe
3748	en842575.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus1877.execor3783.exedqN41s04.exeen842575.exe

description	pid	process
Token: SeDebugPrivilege	320	bus1877.exe
Token: SeDebugPrivilege	1532	cor3783.exe
Token: SeDebugPrivilege	4624	dqN41s04.exe
Token: SeDebugPrivilege	3748	en842575.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exekino2830.exekino7755.exekino1340.exege348675.exemetafor.execmd.exe

description	pid	process	target process
PID 4100 wrote to memory of 1136	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	kino2830.exe
PID 4100 wrote to memory of 1136	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	kino2830.exe
PID 4100 wrote to memory of 1136	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	kino2830.exe
PID 1136 wrote to memory of 2544	1136	kino2830.exe	kino7755.exe
PID 1136 wrote to memory of 2544	1136	kino2830.exe	kino7755.exe
PID 1136 wrote to memory of 2544	1136	kino2830.exe	kino7755.exe
PID 2544 wrote to memory of 3812	2544	kino7755.exe	kino1340.exe
PID 2544 wrote to memory of 3812	2544	kino7755.exe	kino1340.exe
PID 2544 wrote to memory of 3812	2544	kino7755.exe	kino1340.exe
PID 3812 wrote to memory of 320	3812	kino1340.exe	bus1877.exe
PID 3812 wrote to memory of 320	3812	kino1340.exe	bus1877.exe
PID 3812 wrote to memory of 1532	3812	kino1340.exe	cor3783.exe
PID 3812 wrote to memory of 1532	3812	kino1340.exe	cor3783.exe
PID 3812 wrote to memory of 1532	3812	kino1340.exe	cor3783.exe
PID 2544 wrote to memory of 4624	2544	kino7755.exe	dqN41s04.exe
PID 2544 wrote to memory of 4624	2544	kino7755.exe	dqN41s04.exe
PID 2544 wrote to memory of 4624	2544	kino7755.exe	dqN41s04.exe
PID 1136 wrote to memory of 3748	1136	kino2830.exe	en842575.exe
PID 1136 wrote to memory of 3748	1136	kino2830.exe	en842575.exe
PID 1136 wrote to memory of 3748	1136	kino2830.exe	en842575.exe
PID 4100 wrote to memory of 2856	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	ge348675.exe
PID 4100 wrote to memory of 2856	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	ge348675.exe
PID 4100 wrote to memory of 2856	4100	e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe	ge348675.exe
PID 2856 wrote to memory of 3564	2856	ge348675.exe	metafor.exe
PID 2856 wrote to memory of 3564	2856	ge348675.exe	metafor.exe
PID 2856 wrote to memory of 3564	2856	ge348675.exe	metafor.exe
PID 3564 wrote to memory of 2732	3564	metafor.exe	schtasks.exe
PID 3564 wrote to memory of 2732	3564	metafor.exe	schtasks.exe
PID 3564 wrote to memory of 2732	3564	metafor.exe	schtasks.exe
PID 3564 wrote to memory of 4636	3564	metafor.exe	cmd.exe
PID 3564 wrote to memory of 4636	3564	metafor.exe	cmd.exe
PID 3564 wrote to memory of 4636	3564	metafor.exe	cmd.exe
PID 4636 wrote to memory of 548	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 548	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 548	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4408	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4408	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4408	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 5040	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 5040	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 5040	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 3100	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 3100	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 3100	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 5100	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 5100	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 5100	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4200	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4200	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4200	4636	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe
"C:\Users\Admin\AppData\Local\Temp\e40a3923a39a74fbff5a58065285f8b49a8b603714bed268e4ff3690bb892469.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2830.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2830.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7755.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7755.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1340.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1340.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1877.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1877.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3783.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3783.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1064
6⤵
- Program crash
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqN41s04.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqN41s04.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1860
5⤵
- Program crash
PID:1284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en842575.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en842575.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge348675.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge348675.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:548

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4408

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3100

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:5100

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1532 -ip 1532
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4624 -ip 4624
1⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge348675.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge348675.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2830.exe
Filesize
837KB

MD5
2956fe85d9f1afd41ba9def270af0513

SHA1
1ec8624f97c9281f5f19099519f114af276a1b5b

SHA256
09390a4a583abed603a774dc747848815b9efafb036fbbc04f56bfa1f4619252

SHA512
ebd6f11837f053048f754b360eceff1a09781017e5bd33b3ff40d639e2871800d60ea5aa1d75b8e787593d32aa630fd3d5486c98a02ce3233668bfcf3dc1263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2830.exe
Filesize
837KB

MD5
2956fe85d9f1afd41ba9def270af0513

SHA1
1ec8624f97c9281f5f19099519f114af276a1b5b

SHA256
09390a4a583abed603a774dc747848815b9efafb036fbbc04f56bfa1f4619252

SHA512
ebd6f11837f053048f754b360eceff1a09781017e5bd33b3ff40d639e2871800d60ea5aa1d75b8e787593d32aa630fd3d5486c98a02ce3233668bfcf3dc1263f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en842575.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en842575.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7755.exe
Filesize
695KB

MD5
ebaec87b8f18a4401f6c21f5e4ba6627

SHA1
95ba88a728e909f95c42a9a575f35a13f83e76ce

SHA256
001c7b3526ce2e0c2d84cd3b0195212e5dc0dfdd53fbacc734812d0c07ffe970

SHA512
9204e2808d7fb493787f46acb62cc5cdc8b7139bd3e4f798848d99d2c24115c4bd31fca90fa72f4c46bff0b5c65b066f66148427e62f92e021fcac8ad40904c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7755.exe
Filesize
695KB

MD5
ebaec87b8f18a4401f6c21f5e4ba6627

SHA1
95ba88a728e909f95c42a9a575f35a13f83e76ce

SHA256
001c7b3526ce2e0c2d84cd3b0195212e5dc0dfdd53fbacc734812d0c07ffe970

SHA512
9204e2808d7fb493787f46acb62cc5cdc8b7139bd3e4f798848d99d2c24115c4bd31fca90fa72f4c46bff0b5c65b066f66148427e62f92e021fcac8ad40904c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqN41s04.exe
Filesize
349KB

MD5
4a4cfafb54e6039d9895ceee6655959e

SHA1
24666cb4bb3c101bb15d6ba7219de649ee49e344

SHA256
0cbfe5f975db966f765fe1aa4c88b169ff0038213066beeb3d80887e4b5a3d02

SHA512
f60ca9504c401ef03dfdaae5580a46c18269d067b56d8f64903e18dc09dacbca25175cf72457e6ecacd22aa1817a1ada2acb8903f6136939473d40e70c936240

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqN41s04.exe
Filesize
349KB

MD5
4a4cfafb54e6039d9895ceee6655959e

SHA1
24666cb4bb3c101bb15d6ba7219de649ee49e344

SHA256
0cbfe5f975db966f765fe1aa4c88b169ff0038213066beeb3d80887e4b5a3d02

SHA512
f60ca9504c401ef03dfdaae5580a46c18269d067b56d8f64903e18dc09dacbca25175cf72457e6ecacd22aa1817a1ada2acb8903f6136939473d40e70c936240

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1340.exe
Filesize
344KB

MD5
99a4ff152b8ba1f2d0461c9bfad0d9c7

SHA1
ad92d99d88484e9c42d3dc8588930ba1e53a40eb

SHA256
bce4586d131043f865b9db75dcd054c06ae2715cb05f9d4d70d1b0b2d04d59ca

SHA512
969e2ca1711b84361f8ef8591c349131370ee1e21f6d04eb1f1e13e03b8436229f39509152d4cd086fd78ea4be129a0d846e7171303727fcf3ed4f534732eeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino1340.exe
Filesize
344KB

MD5
99a4ff152b8ba1f2d0461c9bfad0d9c7

SHA1
ad92d99d88484e9c42d3dc8588930ba1e53a40eb

SHA256
bce4586d131043f865b9db75dcd054c06ae2715cb05f9d4d70d1b0b2d04d59ca

SHA512
969e2ca1711b84361f8ef8591c349131370ee1e21f6d04eb1f1e13e03b8436229f39509152d4cd086fd78ea4be129a0d846e7171303727fcf3ed4f534732eeef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1877.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1877.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3783.exe
Filesize
291KB

MD5
e79ff99cfa8970be01dd8ddc233cc004

SHA1
f0545e6cb0be2d8899c466138b5a3379f1de0b5f

SHA256
f59614a2633c43ca8c518cffe30e456c87e475eaf8a12c1cb476d3716cc77791

SHA512
2404d13d09a514415786662eb10390cf92ac6615b9bed616d437a03553f8d9450d939c2b08d4a0e204ac573a73fcfe3565ec3f84da002863593c5d22c5f0c6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3783.exe
Filesize
291KB

MD5
e79ff99cfa8970be01dd8ddc233cc004

SHA1
f0545e6cb0be2d8899c466138b5a3379f1de0b5f

SHA256
f59614a2633c43ca8c518cffe30e456c87e475eaf8a12c1cb476d3716cc77791

SHA512
2404d13d09a514415786662eb10390cf92ac6615b9bed616d437a03553f8d9450d939c2b08d4a0e204ac573a73fcfe3565ec3f84da002863593c5d22c5f0c6da

Download Submit
memory/320-161-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/1532-184-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-203-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1532-182-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-186-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-188-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-190-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-192-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-194-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-196-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-198-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-199-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1532-201-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1532-202-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1532-181-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1532-204-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1532-177-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-180-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/1532-178-0x0000000000970000-0x000000000099D000-memory.dmp

Filesize
180KB

Download
memory/1532-175-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-173-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-171-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-169-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-168-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/1532-167-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-1139-0x0000000000FF0000-0x0000000001022000-memory.dmp

Filesize
200KB

Download
memory/3748-1140-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4624-218-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-232-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-234-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-235-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-231-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-237-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-239-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-241-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-243-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-245-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-1118-0x0000000005510000-0x0000000005B28000-memory.dmp

Filesize
6.1MB

Download
memory/4624-1119-0x0000000005B30000-0x0000000005C3A000-memory.dmp

Filesize
1.0MB

Download
memory/4624-1120-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4624-1121-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4624-1122-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-1123-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/4624-1124-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/4624-1126-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-1127-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-1128-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-1129-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/4624-1130-0x0000000006B30000-0x000000000705C000-memory.dmp

Filesize
5.2MB

Download
memory/4624-1131-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/4624-1132-0x0000000007190000-0x0000000007206000-memory.dmp

Filesize
472KB

Download
memory/4624-1133-0x0000000007220000-0x0000000007270000-memory.dmp

Filesize
320KB

Download
memory/4624-229-0x0000000000870000-0x00000000008BB000-memory.dmp

Filesize
300KB

Download
memory/4624-228-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-226-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-224-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-222-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-220-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-216-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-214-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-212-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-210-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download
memory/4624-209-0x00000000029B0000-0x00000000029EE000-memory.dmp

Filesize
248KB

Download