amadey | a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612

Analysis

max time kernel
138s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe
Size

1024KB
MD5

8480dfdde6ac39eec049620a7ddf0462
SHA1

88c77de98e4086779f693934d7aea4c07efef4d0
SHA256

a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612
SHA512

41599d6e463f3f7f5f24ce5318af13e05aa8be0ffdf355e61f4ce802a23f92c83aea1be9559b3640bfbe835c98aa6bcf0014d994a5da924f181403dc8865a376
SSDEEP

12288:9Mryy90qItRBvECJ3dbhPQFl9381k+P1oPqqA3U+wgGbhGXUWJeZVnVclvUc2GLz:jyORD3vPwsoPUgbhgsZV+eNGI4v

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus7659.execor9886.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7659.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9886.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7659.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2408-210-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-211-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-213-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-215-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-217-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-219-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-221-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-223-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-225-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-227-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-229-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-231-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-233-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-235-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-237-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-239-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-241-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-243-0x0000000004D40000-0x0000000004D7E000-memory.dmp	family_redline
behavioral1/memory/2408-1131-0x0000000004E90000-0x0000000004EA0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge893849.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge893849.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino5709.exekino5271.exekino2758.exebus7659.execor9886.exedWh58s93.exeen188446.exege893849.exemetafor.exemetafor.exemetafor.exe

pid	process
1292	kino5709.exe
3596	kino5271.exe
4592	kino2758.exe
652	bus7659.exe
4544	cor9886.exe
2408	dWh58s93.exe
2600	en188446.exe
1896	ge893849.exe
2708	metafor.exe
5100	metafor.exe
1096	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus7659.execor9886.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7659.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9886.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9886.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino5271.exekino2758.exea657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exekino5709.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino5271.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino2758.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino5709.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3680 4544 WerFault.exe cor9886.exe
3288 2408 WerFault.exe dWh58s93.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7659.execor9886.exedWh58s93.exeen188446.exe

pid process

652 bus7659.exe
652 bus7659.exe
4544 cor9886.exe
4544 cor9886.exe
2408 dWh58s93.exe
2408 dWh58s93.exe
2600 en188446.exe
2600 en188446.exe

pid	pid_target	process	target process
3680	4544	WerFault.exe	cor9886.exe
3288	2408	WerFault.exe	dWh58s93.exe

pid	process
4392	schtasks.exe

pid	process
652	bus7659.exe
652	bus7659.exe
4544	cor9886.exe
4544	cor9886.exe
2408	dWh58s93.exe
2408	dWh58s93.exe
2600	en188446.exe
2600	en188446.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7659.execor9886.exedWh58s93.exeen188446.exe

description	pid	process
Token: SeDebugPrivilege	652	bus7659.exe
Token: SeDebugPrivilege	4544	cor9886.exe
Token: SeDebugPrivilege	2408	dWh58s93.exe
Token: SeDebugPrivilege	2600	en188446.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exekino5709.exekino5271.exekino2758.exege893849.exemetafor.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 1292	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	kino5709.exe
PID 4084 wrote to memory of 1292	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	kino5709.exe
PID 4084 wrote to memory of 1292	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	kino5709.exe
PID 1292 wrote to memory of 3596	1292	kino5709.exe	kino5271.exe
PID 1292 wrote to memory of 3596	1292	kino5709.exe	kino5271.exe
PID 1292 wrote to memory of 3596	1292	kino5709.exe	kino5271.exe
PID 3596 wrote to memory of 4592	3596	kino5271.exe	kino2758.exe
PID 3596 wrote to memory of 4592	3596	kino5271.exe	kino2758.exe
PID 3596 wrote to memory of 4592	3596	kino5271.exe	kino2758.exe
PID 4592 wrote to memory of 652	4592	kino2758.exe	bus7659.exe
PID 4592 wrote to memory of 652	4592	kino2758.exe	bus7659.exe
PID 4592 wrote to memory of 4544	4592	kino2758.exe	cor9886.exe
PID 4592 wrote to memory of 4544	4592	kino2758.exe	cor9886.exe
PID 4592 wrote to memory of 4544	4592	kino2758.exe	cor9886.exe
PID 3596 wrote to memory of 2408	3596	kino5271.exe	dWh58s93.exe
PID 3596 wrote to memory of 2408	3596	kino5271.exe	dWh58s93.exe
PID 3596 wrote to memory of 2408	3596	kino5271.exe	dWh58s93.exe
PID 1292 wrote to memory of 2600	1292	kino5709.exe	en188446.exe
PID 1292 wrote to memory of 2600	1292	kino5709.exe	en188446.exe
PID 1292 wrote to memory of 2600	1292	kino5709.exe	en188446.exe
PID 4084 wrote to memory of 1896	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	ge893849.exe
PID 4084 wrote to memory of 1896	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	ge893849.exe
PID 4084 wrote to memory of 1896	4084	a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe	ge893849.exe
PID 1896 wrote to memory of 2708	1896	ge893849.exe	metafor.exe
PID 1896 wrote to memory of 2708	1896	ge893849.exe	metafor.exe
PID 1896 wrote to memory of 2708	1896	ge893849.exe	metafor.exe
PID 2708 wrote to memory of 4392	2708	metafor.exe	schtasks.exe
PID 2708 wrote to memory of 4392	2708	metafor.exe	schtasks.exe
PID 2708 wrote to memory of 4392	2708	metafor.exe	schtasks.exe
PID 2708 wrote to memory of 2852	2708	metafor.exe	cmd.exe
PID 2708 wrote to memory of 2852	2708	metafor.exe	cmd.exe
PID 2708 wrote to memory of 2852	2708	metafor.exe	cmd.exe
PID 2852 wrote to memory of 4988	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 4988	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 4988	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 4056	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 4056	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 4056	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 3536	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 3536	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 3536	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 3720	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 3720	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 3720	2852	cmd.exe	cmd.exe
PID 2852 wrote to memory of 4888	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 4888	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 4888	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 2764	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 2764	2852	cmd.exe	cacls.exe
PID 2852 wrote to memory of 2764	2852	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe
"C:\Users\Admin\AppData\Local\Temp\a657c5bd7dbd9beea3488ad3c0c8a9122032566eaf62da14698af26967910612.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5709.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5709.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5271.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5271.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2758.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2758.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7659.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7659.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9886.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9886.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1080
6⤵
- Program crash
PID:3680

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh58s93.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh58s93.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 1836
5⤵
- Program crash
PID:3288

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en188446.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en188446.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge893849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge893849.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4988

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4056

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3720

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4888

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4544 -ip 4544
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2408 -ip 2408
1⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge893849.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge893849.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5709.exe
Filesize
842KB

MD5
865a10d72c6ef116eab4066a00a56176

SHA1
27ea40924046804b5ef7e356f118de1bdb311faf

SHA256
476275620689853ae984028c7e2e4f656dce53e7a912c9e947ebf8fcc8d74945

SHA512
5a9e4644e28cd828f25e36dd02b1fab5e1f6c4228c19686b3781cf814dee14678f596f54fcd6aa9281fd9ffe6310d51c46b6d44432fda1a02b4b716232172326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5709.exe
Filesize
842KB

MD5
865a10d72c6ef116eab4066a00a56176

SHA1
27ea40924046804b5ef7e356f118de1bdb311faf

SHA256
476275620689853ae984028c7e2e4f656dce53e7a912c9e947ebf8fcc8d74945

SHA512
5a9e4644e28cd828f25e36dd02b1fab5e1f6c4228c19686b3781cf814dee14678f596f54fcd6aa9281fd9ffe6310d51c46b6d44432fda1a02b4b716232172326

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en188446.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en188446.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5271.exe
Filesize
699KB

MD5
92c2e39b71493e9bf2fdea2ec364a48b

SHA1
301e9b4321adba0a17fcd39411c5603f7fb3d020

SHA256
307bff2d66e3a06a29662069afdd52f07ac2285de938ef50258ac092051cf386

SHA512
59cd3596882eef8ccde32ead7048e496569d1bbf08951ceec3410b2392d6ad4ab980506402f62740b4b3dc2d0c24b727c5fbdd52085e00f92751d1666db7d4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5271.exe
Filesize
699KB

MD5
92c2e39b71493e9bf2fdea2ec364a48b

SHA1
301e9b4321adba0a17fcd39411c5603f7fb3d020

SHA256
307bff2d66e3a06a29662069afdd52f07ac2285de938ef50258ac092051cf386

SHA512
59cd3596882eef8ccde32ead7048e496569d1bbf08951ceec3410b2392d6ad4ab980506402f62740b4b3dc2d0c24b727c5fbdd52085e00f92751d1666db7d4f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh58s93.exe
Filesize
358KB

MD5
09fc64e8e47afd6fd55ca8bf97c7f887

SHA1
4287815eb8c908b13214117f05d2b6085f50d0ff

SHA256
e5b442e7771d2838deb41201fc3bfde2ecd94821156a5c77d0287d9cab588f12

SHA512
67e4eef96c93fbd60e313e704281035553ce0c4aa724eb8a5c1a88dcdb47362af2b2788251f44e22246fc8910dd320b534839cd9979c1cfd3b9ac48bb1621585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWh58s93.exe
Filesize
358KB

MD5
09fc64e8e47afd6fd55ca8bf97c7f887

SHA1
4287815eb8c908b13214117f05d2b6085f50d0ff

SHA256
e5b442e7771d2838deb41201fc3bfde2ecd94821156a5c77d0287d9cab588f12

SHA512
67e4eef96c93fbd60e313e704281035553ce0c4aa724eb8a5c1a88dcdb47362af2b2788251f44e22246fc8910dd320b534839cd9979c1cfd3b9ac48bb1621585

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2758.exe
Filesize
346KB

MD5
bfa6f416490745d365f86ff75cd742e2

SHA1
1460c2cf5d84c586a720047d3d1681b2502b1961

SHA256
e7aed6e58615a8cdb2224d73c5bf5f9d6bb9cccff4470cbbd4c2b822ddef40fa

SHA512
3e2171d7e3a6b523f8ab87abeca41a6a4894a2e9612a2b2dd449e61c720046ce96d7f97097111c0e9eb6d238d38d85602998d93cb845fa49814f40e3437b6a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2758.exe
Filesize
346KB

MD5
bfa6f416490745d365f86ff75cd742e2

SHA1
1460c2cf5d84c586a720047d3d1681b2502b1961

SHA256
e7aed6e58615a8cdb2224d73c5bf5f9d6bb9cccff4470cbbd4c2b822ddef40fa

SHA512
3e2171d7e3a6b523f8ab87abeca41a6a4894a2e9612a2b2dd449e61c720046ce96d7f97097111c0e9eb6d238d38d85602998d93cb845fa49814f40e3437b6a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7659.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7659.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9886.exe
Filesize
300KB

MD5
95bbffd3071093342774d2dc5241f3e5

SHA1
df5427668a7a7836f09db30a02506764d5c16e10

SHA256
0cd59220b89a9c872fd1f8f91b048d7d6c529740e6ae6b78f023403c7c8af176

SHA512
e76f6768011f458b1b1f921eae476214cf3a65f720a3d7deaa7eedf199ecc91564d09ebbfa84e762cbfeaf4c45dcf3579de2321724c0570582fbfd36157c217e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9886.exe
Filesize
300KB

MD5
95bbffd3071093342774d2dc5241f3e5

SHA1
df5427668a7a7836f09db30a02506764d5c16e10

SHA256
0cd59220b89a9c872fd1f8f91b048d7d6c529740e6ae6b78f023403c7c8af176

SHA512
e76f6768011f458b1b1f921eae476214cf3a65f720a3d7deaa7eedf199ecc91564d09ebbfa84e762cbfeaf4c45dcf3579de2321724c0570582fbfd36157c217e

Download Submit
memory/652-161-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2408-1123-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-239-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-1134-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-1133-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-1132-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-1131-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-1130-0x00000000069D0000-0x0000000006EFC000-memory.dmp

Filesize
5.2MB

Download
memory/2408-1129-0x0000000006800000-0x00000000069C2000-memory.dmp

Filesize
1.8MB

Download
memory/2408-1128-0x0000000006790000-0x00000000067E0000-memory.dmp

Filesize
320KB

Download
memory/2408-1127-0x0000000006710000-0x0000000006786000-memory.dmp

Filesize
472KB

Download
memory/2408-1125-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/2408-1124-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/2408-1122-0x0000000005C80000-0x0000000005CBC000-memory.dmp

Filesize
240KB

Download
memory/2408-1121-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/2408-1120-0x0000000005B70000-0x0000000005C7A000-memory.dmp

Filesize
1.0MB

Download
memory/2408-1119-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/2408-210-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-211-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-213-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-215-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-217-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-219-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-221-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-223-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-225-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-227-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-229-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-231-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-233-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-235-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-237-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-296-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2408-241-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-243-0x0000000004D40000-0x0000000004D7E000-memory.dmp

Filesize
248KB

Download
memory/2408-293-0x0000000000A40000-0x0000000000A8B000-memory.dmp

Filesize
300KB

Download
memory/2408-294-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2600-1140-0x0000000000640000-0x0000000000672000-memory.dmp

Filesize
200KB

Download
memory/2600-1142-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2600-1141-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4544-192-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-180-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-182-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-203-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-202-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-200-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4544-199-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-198-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-197-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-196-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-194-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-188-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-190-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-204-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4544-178-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-205-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/4544-186-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-184-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-174-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-176-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-172-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-169-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-170-0x0000000002660000-0x0000000002672000-memory.dmp

Filesize
72KB

Download
memory/4544-168-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/4544-167-0x0000000000860000-0x000000000088D000-memory.dmp

Filesize
180KB

Download