amadey | cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe
Size

1023KB
MD5

ed48e3a16ac79cf6c6b07ebf544a07e6
SHA1

287126fd716849b00487298bf95900aa784771d0
SHA256

cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee
SHA512

9d9184c12dea2f976f0112d7b66d1f01ab6d8bbe7aeb7dbb1c4f558e27450347db46cdc5ac3010312b9a55db5004180acf18ea8b4fd4a808d4aeb7c39b2f37e5
SSDEEP

12288:WMray90TTVFrbci7v1UtpoLQzF/LdlawzWgQgoCkMjvQkBiotY/LuVJf+AjFAu/P:IymF17v2pw1wGPVkQkx4uFVY5woqbO2

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor2638.exebus9433.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor2638.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus9433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus9433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus9433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus9433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus9433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus9433.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2792-210-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-211-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-213-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-215-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-217-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-219-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-221-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-223-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-225-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-228-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-232-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-237-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-235-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-239-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-241-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-243-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-245-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-247-0x0000000005300000-0x000000000533E000-memory.dmp	family_redline
behavioral1/memory/2792-1130-0x0000000004D00000-0x0000000004D10000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge976905.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge976905.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino5077.exekino3708.exekino8236.exebus9433.execor2638.exedKx65s13.exeen225863.exege976905.exemetafor.exemetafor.exemetafor.exe

pid	process
632	kino5077.exe
1748	kino3708.exe
1692	kino8236.exe
4856	bus9433.exe
3560	cor2638.exe
2792	dKx65s13.exe
4792	en225863.exe
2128	ge976905.exe
812	metafor.exe
4816	metafor.exe
2892	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus9433.execor2638.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus9433.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor2638.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor2638.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino5077.exekino3708.exekino8236.execc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino5077.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3708.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3708.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino8236.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4464 3560 WerFault.exe cor2638.exe
2804 2792 WerFault.exe dKx65s13.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4188 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus9433.execor2638.exedKx65s13.exeen225863.exe

pid process

4856 bus9433.exe
4856 bus9433.exe
3560 cor2638.exe
3560 cor2638.exe
2792 dKx65s13.exe
2792 dKx65s13.exe
4792 en225863.exe
4792 en225863.exe

pid	pid_target	process	target process
4464	3560	WerFault.exe	cor2638.exe
2804	2792	WerFault.exe	dKx65s13.exe

pid	process
4188	schtasks.exe

pid	process
4856	bus9433.exe
4856	bus9433.exe
3560	cor2638.exe
3560	cor2638.exe
2792	dKx65s13.exe
2792	dKx65s13.exe
4792	en225863.exe
4792	en225863.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus9433.execor2638.exedKx65s13.exeen225863.exe

description	pid	process
Token: SeDebugPrivilege	4856	bus9433.exe
Token: SeDebugPrivilege	3560	cor2638.exe
Token: SeDebugPrivilege	2792	dKx65s13.exe
Token: SeDebugPrivilege	4792	en225863.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exekino5077.exekino3708.exekino8236.exege976905.exemetafor.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 632	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	kino5077.exe
PID 1640 wrote to memory of 632	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	kino5077.exe
PID 1640 wrote to memory of 632	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	kino5077.exe
PID 632 wrote to memory of 1748	632	kino5077.exe	kino3708.exe
PID 632 wrote to memory of 1748	632	kino5077.exe	kino3708.exe
PID 632 wrote to memory of 1748	632	kino5077.exe	kino3708.exe
PID 1748 wrote to memory of 1692	1748	kino3708.exe	kino8236.exe
PID 1748 wrote to memory of 1692	1748	kino3708.exe	kino8236.exe
PID 1748 wrote to memory of 1692	1748	kino3708.exe	kino8236.exe
PID 1692 wrote to memory of 4856	1692	kino8236.exe	bus9433.exe
PID 1692 wrote to memory of 4856	1692	kino8236.exe	bus9433.exe
PID 1692 wrote to memory of 3560	1692	kino8236.exe	cor2638.exe
PID 1692 wrote to memory of 3560	1692	kino8236.exe	cor2638.exe
PID 1692 wrote to memory of 3560	1692	kino8236.exe	cor2638.exe
PID 1748 wrote to memory of 2792	1748	kino3708.exe	dKx65s13.exe
PID 1748 wrote to memory of 2792	1748	kino3708.exe	dKx65s13.exe
PID 1748 wrote to memory of 2792	1748	kino3708.exe	dKx65s13.exe
PID 632 wrote to memory of 4792	632	kino5077.exe	en225863.exe
PID 632 wrote to memory of 4792	632	kino5077.exe	en225863.exe
PID 632 wrote to memory of 4792	632	kino5077.exe	en225863.exe
PID 1640 wrote to memory of 2128	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	ge976905.exe
PID 1640 wrote to memory of 2128	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	ge976905.exe
PID 1640 wrote to memory of 2128	1640	cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe	ge976905.exe
PID 2128 wrote to memory of 812	2128	ge976905.exe	metafor.exe
PID 2128 wrote to memory of 812	2128	ge976905.exe	metafor.exe
PID 2128 wrote to memory of 812	2128	ge976905.exe	metafor.exe
PID 812 wrote to memory of 4188	812	metafor.exe	schtasks.exe
PID 812 wrote to memory of 4188	812	metafor.exe	schtasks.exe
PID 812 wrote to memory of 4188	812	metafor.exe	schtasks.exe
PID 812 wrote to memory of 232	812	metafor.exe	cmd.exe
PID 812 wrote to memory of 232	812	metafor.exe	cmd.exe
PID 812 wrote to memory of 232	812	metafor.exe	cmd.exe
PID 232 wrote to memory of 1088	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1088	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1088	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 4624	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 4624	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 4624	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 3932	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 3932	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 3932	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 3552	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 3552	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 3552	232	cmd.exe	cmd.exe
PID 232 wrote to memory of 1528	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 1528	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 1528	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 2464	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 2464	232	cmd.exe	cacls.exe
PID 232 wrote to memory of 2464	232	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe
"C:\Users\Admin\AppData\Local\Temp\cc61dc2cfb1edf921387a00452b9b1c066479a508b8697c6bbb81632b1ae74ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5077.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3708.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3708.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8236.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8236.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9433.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9433.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2638.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2638.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 1084
6⤵
- Program crash
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKx65s13.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKx65s13.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1328
5⤵
- Program crash
PID:2804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en225863.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en225863.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge976905.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge976905.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1088

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4624

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3552

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1528

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3560 -ip 3560
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2792 -ip 2792
1⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge976905.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge976905.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5077.exe
Filesize
842KB

MD5
057f623921d5a2c9a80c4009bfe232a7

SHA1
c27ef08bc74061c362a16a013ce50d29953a2752

SHA256
3b4db015f9f80a81d9acacb99e583cb8bf2e6b9300c685a49d35b47302bb6f18

SHA512
168639b82d12c5d1bb82b92bd6f44e92be8f3ec30290ec120e68b788894b8f3835474c18bef195b861746bab434a477b56415a6bbb68dd07e6690d18bbfcbe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5077.exe
Filesize
842KB

MD5
057f623921d5a2c9a80c4009bfe232a7

SHA1
c27ef08bc74061c362a16a013ce50d29953a2752

SHA256
3b4db015f9f80a81d9acacb99e583cb8bf2e6b9300c685a49d35b47302bb6f18

SHA512
168639b82d12c5d1bb82b92bd6f44e92be8f3ec30290ec120e68b788894b8f3835474c18bef195b861746bab434a477b56415a6bbb68dd07e6690d18bbfcbe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en225863.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en225863.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3708.exe
Filesize
699KB

MD5
74e97eda2055f08f4c919f9ffb7f2614

SHA1
41f092c66666a458e6ce16d2b751ef85baf0be20

SHA256
1faed6544c7306e08080a99eecee3ecde4c410da4a8acf3bf8fe2f10873e6d3b

SHA512
cfc5cfd819e701cf5c10b6fba7e5dcceb42e4428c78c27e6676f8ede820ae79c548ce0ad19fbd5c80621619f24baf3734648bdc5e997473ca3452713e935618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3708.exe
Filesize
699KB

MD5
74e97eda2055f08f4c919f9ffb7f2614

SHA1
41f092c66666a458e6ce16d2b751ef85baf0be20

SHA256
1faed6544c7306e08080a99eecee3ecde4c410da4a8acf3bf8fe2f10873e6d3b

SHA512
cfc5cfd819e701cf5c10b6fba7e5dcceb42e4428c78c27e6676f8ede820ae79c548ce0ad19fbd5c80621619f24baf3734648bdc5e997473ca3452713e935618d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKx65s13.exe
Filesize
358KB

MD5
cb039eee8ea1ab7643127ce0ba690475

SHA1
5ada68299baaa3079cf6b8cac0b1f81b0f86d566

SHA256
5a3ec2958c3e169c1357f3e89db23fe096b55c1f52d3ff19a2e3370aa3794847

SHA512
295e427d0098df7c09635a3552c343836bf1db9555cc7494908d6eebabf8e329198089aa519479e9948047e77c3a8113c61a4da16fac0ab13cea43aa0a530df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dKx65s13.exe
Filesize
358KB

MD5
cb039eee8ea1ab7643127ce0ba690475

SHA1
5ada68299baaa3079cf6b8cac0b1f81b0f86d566

SHA256
5a3ec2958c3e169c1357f3e89db23fe096b55c1f52d3ff19a2e3370aa3794847

SHA512
295e427d0098df7c09635a3552c343836bf1db9555cc7494908d6eebabf8e329198089aa519479e9948047e77c3a8113c61a4da16fac0ab13cea43aa0a530df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8236.exe
Filesize
347KB

MD5
a1b78eec020103144e843c0ee2f463bf

SHA1
b88bdbba02860b7704cbd9741bc2dda1211bce09

SHA256
e65f67201aaf3230a14826d4d473f8008595f0d29ae38006debfe5267849dc24

SHA512
fe80c32adeeaef4c02934d8b6d8a10533e756b955ff2d8d63302d3b3a1c7d113ab64d72b72413e001510ab21fe3de0a0655f03efdc09cbc0f11461ad563e6a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8236.exe
Filesize
347KB

MD5
a1b78eec020103144e843c0ee2f463bf

SHA1
b88bdbba02860b7704cbd9741bc2dda1211bce09

SHA256
e65f67201aaf3230a14826d4d473f8008595f0d29ae38006debfe5267849dc24

SHA512
fe80c32adeeaef4c02934d8b6d8a10533e756b955ff2d8d63302d3b3a1c7d113ab64d72b72413e001510ab21fe3de0a0655f03efdc09cbc0f11461ad563e6a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9433.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus9433.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2638.exe
Filesize
300KB

MD5
768e275b409f3103b6a1b4243f1fd0fd

SHA1
11b65ca64c262376d1f4486d60bdc11934e8be51

SHA256
fe93f96343c8a670c79a0374b6d378c9dcdae84551245c6e94cabe6a13b4eed0

SHA512
821eacfeaf999dc053be020ad112bb77348f0ff864ca34762b2a2b5dab772ef502ae9b4f97dca4050b82eb1ce2d5a2caaf539654d10d6c1424a736147d39a2d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2638.exe
Filesize
300KB

MD5
768e275b409f3103b6a1b4243f1fd0fd

SHA1
11b65ca64c262376d1f4486d60bdc11934e8be51

SHA256
fe93f96343c8a670c79a0374b6d378c9dcdae84551245c6e94cabe6a13b4eed0

SHA512
821eacfeaf999dc053be020ad112bb77348f0ff864ca34762b2a2b5dab772ef502ae9b4f97dca4050b82eb1ce2d5a2caaf539654d10d6c1424a736147d39a2d4

Download Submit
memory/2792-1123-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/2792-235-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-1135-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-1134-0x00000000072F0000-0x0000000007340000-memory.dmp

Filesize
320KB

Download
memory/2792-1133-0x0000000007260000-0x00000000072D6000-memory.dmp

Filesize
472KB

Download
memory/2792-1132-0x00000000069F0000-0x0000000006F1C000-memory.dmp

Filesize
5.2MB

Download
memory/2792-1131-0x0000000006810000-0x00000000069D2000-memory.dmp

Filesize
1.8MB

Download
memory/2792-1130-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-1129-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-1128-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-1126-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2792-1125-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/2792-1124-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-1122-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/2792-1121-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/2792-1120-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/2792-247-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-210-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-211-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-213-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-215-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-217-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-219-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-221-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-223-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-225-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-227-0x0000000002330000-0x000000000237B000-memory.dmp

Filesize
300KB

Download
memory/2792-228-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-229-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-231-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-232-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-234-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/2792-237-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-245-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-239-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-241-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/2792-243-0x0000000005300000-0x000000000533E000-memory.dmp

Filesize
248KB

Download
memory/3560-189-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-168-0x0000000000BB0000-0x0000000000BDD000-memory.dmp

Filesize
180KB

Download
memory/3560-181-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3560-203-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3560-177-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-202-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3560-201-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3560-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/3560-199-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-197-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-195-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-193-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-179-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-173-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-187-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-185-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-175-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-183-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-167-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/3560-191-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-172-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/3560-171-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3560-170-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3560-169-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4792-1142-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4792-1141-0x00000000002E0000-0x0000000000312000-memory.dmp

Filesize
200KB

Download
memory/4856-161-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download