amadey | 50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c

Analysis

max time kernel
144s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe
Size

1.0MB
MD5

f86bcbd6120712e0b03a0892f69d05dc
SHA1

ef7a1202801fd0c59896a9407e549f608733e316
SHA256

50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c
SHA512

6cdeb8035747c0d78c978979b8676ac2bbde47ad45dd3ca3120bc227b72e9bd4faedc9f141702964ce58fc50219890c452cea7c1d61f5ae6accf3525bac39197
SSDEEP

12288:VMrry90AW+sdd5kl6+d9v1nVrDIX0nJPfP1yJBOvq2g2cpQNAkNyb0g2X7szDuSW:uyMPicwbDIX0JXPoWZN3Qc7uDuSW

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2594.execor7338.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7338.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2594.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2594.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7338.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-210-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-211-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-213-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-215-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-217-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-219-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-221-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-223-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-225-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-227-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-229-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-231-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-233-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-235-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-237-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-239-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-241-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-243-0x00000000029A0000-0x00000000029DE000-memory.dmp	family_redline
behavioral1/memory/2444-254-0x0000000004ED0000-0x0000000004EE0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge358934.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge358934.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino6846.exekino7241.exekino6901.exebus2594.execor7338.exedvW40s17.exeen668955.exege358934.exemetafor.exemetafor.exe

pid	process
3088	kino6846.exe
2988	kino7241.exe
3068	kino6901.exe
3004	bus2594.exe
1856	cor7338.exe
2444	dvW40s17.exe
2512	en668955.exe
1916	ge358934.exe
2652	metafor.exe
3344	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus2594.execor7338.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2594.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7338.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exekino6846.exekino7241.exekino6901.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6846.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino7241.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino6901.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3744 1856 WerFault.exe cor7338.exe
4960 2444 WerFault.exe dvW40s17.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3804 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2594.execor7338.exedvW40s17.exeen668955.exe

pid process

3004 bus2594.exe
3004 bus2594.exe
1856 cor7338.exe
1856 cor7338.exe
2444 dvW40s17.exe
2444 dvW40s17.exe
2512 en668955.exe
2512 en668955.exe

pid	pid_target	process	target process
3744	1856	WerFault.exe	cor7338.exe
4960	2444	WerFault.exe	dvW40s17.exe

pid	process
3804	schtasks.exe

pid	process
3004	bus2594.exe
3004	bus2594.exe
1856	cor7338.exe
1856	cor7338.exe
2444	dvW40s17.exe
2444	dvW40s17.exe
2512	en668955.exe
2512	en668955.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2594.execor7338.exedvW40s17.exeen668955.exe

description	pid	process
Token: SeDebugPrivilege	3004	bus2594.exe
Token: SeDebugPrivilege	1856	cor7338.exe
Token: SeDebugPrivilege	2444	dvW40s17.exe
Token: SeDebugPrivilege	2512	en668955.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exekino6846.exekino7241.exekino6901.exege358934.exemetafor.execmd.exe

description	pid	process	target process
PID 2392 wrote to memory of 3088	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	kino6846.exe
PID 2392 wrote to memory of 3088	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	kino6846.exe
PID 2392 wrote to memory of 3088	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	kino6846.exe
PID 3088 wrote to memory of 2988	3088	kino6846.exe	kino7241.exe
PID 3088 wrote to memory of 2988	3088	kino6846.exe	kino7241.exe
PID 3088 wrote to memory of 2988	3088	kino6846.exe	kino7241.exe
PID 2988 wrote to memory of 3068	2988	kino7241.exe	kino6901.exe
PID 2988 wrote to memory of 3068	2988	kino7241.exe	kino6901.exe
PID 2988 wrote to memory of 3068	2988	kino7241.exe	kino6901.exe
PID 3068 wrote to memory of 3004	3068	kino6901.exe	bus2594.exe
PID 3068 wrote to memory of 3004	3068	kino6901.exe	bus2594.exe
PID 3068 wrote to memory of 1856	3068	kino6901.exe	cor7338.exe
PID 3068 wrote to memory of 1856	3068	kino6901.exe	cor7338.exe
PID 3068 wrote to memory of 1856	3068	kino6901.exe	cor7338.exe
PID 2988 wrote to memory of 2444	2988	kino7241.exe	dvW40s17.exe
PID 2988 wrote to memory of 2444	2988	kino7241.exe	dvW40s17.exe
PID 2988 wrote to memory of 2444	2988	kino7241.exe	dvW40s17.exe
PID 3088 wrote to memory of 2512	3088	kino6846.exe	en668955.exe
PID 3088 wrote to memory of 2512	3088	kino6846.exe	en668955.exe
PID 3088 wrote to memory of 2512	3088	kino6846.exe	en668955.exe
PID 2392 wrote to memory of 1916	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	ge358934.exe
PID 2392 wrote to memory of 1916	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	ge358934.exe
PID 2392 wrote to memory of 1916	2392	50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe	ge358934.exe
PID 1916 wrote to memory of 2652	1916	ge358934.exe	metafor.exe
PID 1916 wrote to memory of 2652	1916	ge358934.exe	metafor.exe
PID 1916 wrote to memory of 2652	1916	ge358934.exe	metafor.exe
PID 2652 wrote to memory of 3804	2652	metafor.exe	schtasks.exe
PID 2652 wrote to memory of 3804	2652	metafor.exe	schtasks.exe
PID 2652 wrote to memory of 3804	2652	metafor.exe	schtasks.exe
PID 2652 wrote to memory of 1440	2652	metafor.exe	cmd.exe
PID 2652 wrote to memory of 1440	2652	metafor.exe	cmd.exe
PID 2652 wrote to memory of 1440	2652	metafor.exe	cmd.exe
PID 1440 wrote to memory of 708	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 708	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 708	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 4012	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4012	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4012	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4016	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4016	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4016	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 5028	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 5028	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 5028	1440	cmd.exe	cmd.exe
PID 1440 wrote to memory of 4256	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4256	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4256	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4460	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4460	1440	cmd.exe	cacls.exe
PID 1440 wrote to memory of 4460	1440	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe
"C:\Users\Admin\AppData\Local\Temp\50a3b15265ee23bc2e5bcbe0eb9d9db30ad062b24afdf2534cf0dc149b8f3d4c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6846.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6846.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3088

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7241.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7241.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6901.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6901.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2594.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2594.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7338.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7338.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1092
6⤵
- Program crash
PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvW40s17.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvW40s17.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 1760
5⤵
- Program crash
PID:4960

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en668955.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en668955.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge358934.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge358934.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:708

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4012

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:5028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4256

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1856 -ip 1856
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2444 -ip 2444
1⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge358934.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge358934.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6846.exe
Filesize
842KB

MD5
6071dd3b32b467b4f8d1887c2aeff868

SHA1
75ea80e5989f123b1b4baf1f59bcde53f6c94414

SHA256
8c14a283ad51854e2eaed2de4057e499d65f0da58d104534fc3c7ee092b0db03

SHA512
3d68f4c3c948769ecccc8a8cb88048fcf89d96c8e343c390deb2c58ab145f672ca3f7604defa3b28321b5a280a1f82fbeeecdf301a820f03089962c23a6d4466

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6846.exe
Filesize
842KB

MD5
6071dd3b32b467b4f8d1887c2aeff868

SHA1
75ea80e5989f123b1b4baf1f59bcde53f6c94414

SHA256
8c14a283ad51854e2eaed2de4057e499d65f0da58d104534fc3c7ee092b0db03

SHA512
3d68f4c3c948769ecccc8a8cb88048fcf89d96c8e343c390deb2c58ab145f672ca3f7604defa3b28321b5a280a1f82fbeeecdf301a820f03089962c23a6d4466

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en668955.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en668955.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7241.exe
Filesize
699KB

MD5
ad3a393d27afd2e949a9a9df17a04f97

SHA1
2ef06b935c9c4dbb9a8e161fbaf320c7d6bddc3b

SHA256
d9b56d148fd993a1bd59c708b587c23df37b171cde6018cb71c24ee9083c71fd

SHA512
e1ff822c9c5a1c17650515e70f4fbff7d6b157264828951dde143ae52a3ea093c5e30630f5794774378e25c962e309cf84db25da9a0a808395193b564904c1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7241.exe
Filesize
699KB

MD5
ad3a393d27afd2e949a9a9df17a04f97

SHA1
2ef06b935c9c4dbb9a8e161fbaf320c7d6bddc3b

SHA256
d9b56d148fd993a1bd59c708b587c23df37b171cde6018cb71c24ee9083c71fd

SHA512
e1ff822c9c5a1c17650515e70f4fbff7d6b157264828951dde143ae52a3ea093c5e30630f5794774378e25c962e309cf84db25da9a0a808395193b564904c1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvW40s17.exe
Filesize
358KB

MD5
6b7cf4aab9cfd4704635892d214bac2a

SHA1
6d2d6b0e1058c9a75aa966c7810f64b10967c1ae

SHA256
0e45e91b485b2bb54d0e0c5cbbf0e8128bb2477d828d5bc438b656ead7d345fe

SHA512
229b6111df76a79309582af3e59210bc7cdfa755b87402d4156d803a893f276cb7a94704b067a97dc40666ab1db614c08e53edc70afeb696591c985b7c103ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dvW40s17.exe
Filesize
358KB

MD5
6b7cf4aab9cfd4704635892d214bac2a

SHA1
6d2d6b0e1058c9a75aa966c7810f64b10967c1ae

SHA256
0e45e91b485b2bb54d0e0c5cbbf0e8128bb2477d828d5bc438b656ead7d345fe

SHA512
229b6111df76a79309582af3e59210bc7cdfa755b87402d4156d803a893f276cb7a94704b067a97dc40666ab1db614c08e53edc70afeb696591c985b7c103ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6901.exe
Filesize
346KB

MD5
a43f0821724a700ea8a0eadbb0ae7cd8

SHA1
bcd328b0783c7ea35422c700d296584e29412012

SHA256
9a0f2fafdcd5b6e691c72a94219083e0967f2e86c4e2937fd68f2b60ac337dcc

SHA512
2d62111ad9237fe350f4f53d56e0b9b0a06cd0105370f0919a22a5d4444ab4da1fc1c8f2243bae8efae1b26f1f3b5e33cf31b967c32340984f74e221ac27d3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6901.exe
Filesize
346KB

MD5
a43f0821724a700ea8a0eadbb0ae7cd8

SHA1
bcd328b0783c7ea35422c700d296584e29412012

SHA256
9a0f2fafdcd5b6e691c72a94219083e0967f2e86c4e2937fd68f2b60ac337dcc

SHA512
2d62111ad9237fe350f4f53d56e0b9b0a06cd0105370f0919a22a5d4444ab4da1fc1c8f2243bae8efae1b26f1f3b5e33cf31b967c32340984f74e221ac27d3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2594.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2594.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7338.exe
Filesize
300KB

MD5
43ef69b10d1876973d22ca172c924630

SHA1
7df42c0817706ef35fb152522010eaaa92baa149

SHA256
12908e1d5cdc97f5f3ca6bbf9707eb83b2575ef0b3be89e32b0225cd3ec54fed

SHA512
830fa8e85053be8b590f51324c23e5d2953e9d1cb5007c571206df1266c8fef91a8b57bf3272d03829dc94bb542953f5441b7e2a7ca8fd1e2565a8402c658ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7338.exe
Filesize
300KB

MD5
43ef69b10d1876973d22ca172c924630

SHA1
7df42c0817706ef35fb152522010eaaa92baa149

SHA256
12908e1d5cdc97f5f3ca6bbf9707eb83b2575ef0b3be89e32b0225cd3ec54fed

SHA512
830fa8e85053be8b590f51324c23e5d2953e9d1cb5007c571206df1266c8fef91a8b57bf3272d03829dc94bb542953f5441b7e2a7ca8fd1e2565a8402c658ba7

Download Submit
memory/1856-179-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1856-175-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-181-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-183-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-185-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-187-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-189-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-191-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-193-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-195-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-197-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-199-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-177-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-201-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-202-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-203-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1856-173-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/1856-171-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-170-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-169-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/1856-168-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download
memory/1856-167-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/2444-217-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-1124-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-227-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-229-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-231-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-233-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-235-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-237-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-239-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-241-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-243-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-253-0x00000000008B0000-0x00000000008FB000-memory.dmp

Filesize
300KB

Download
memory/2444-254-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-256-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-258-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-1120-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/2444-1121-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/2444-1122-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/2444-1123-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/2444-225-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-1126-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/2444-1127-0x0000000006700000-0x0000000006792000-memory.dmp

Filesize
584KB

Download
memory/2444-1128-0x0000000006930000-0x00000000069A6000-memory.dmp

Filesize
472KB

Download
memory/2444-1129-0x00000000069C0000-0x0000000006A10000-memory.dmp

Filesize
320KB

Download
memory/2444-1130-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-1131-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-1132-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-1133-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2444-1134-0x0000000006A70000-0x0000000006C32000-memory.dmp

Filesize
1.8MB

Download
memory/2444-223-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-1135-0x0000000006C40000-0x000000000716C000-memory.dmp

Filesize
5.2MB

Download
memory/2444-210-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-211-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-221-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-219-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-215-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2444-213-0x00000000029A0000-0x00000000029DE000-memory.dmp

Filesize
248KB

Download
memory/2512-1142-0x0000000004940000-0x0000000004950000-memory.dmp

Filesize
64KB

Download
memory/2512-1141-0x00000000000D0000-0x0000000000102000-memory.dmp

Filesize
200KB

Download
memory/3004-161-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download