amadey | 7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08

Analysis

max time kernel
141s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe
Size

1010KB
MD5

15a5590c4fb02904e5519940ec485288
SHA1

40c5d62141c2178da73f145ec891d2c172b87f4e
SHA256

7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08
SHA512

8dac71325cdb9a7376b97c1e917c45965e27e216f8bff967f03c036842bbea76ac0fde9e470b15ed11e79a4e0d24aa95b04029a674741ca61ebbd59e4a57c63f
SSDEEP

24576:XyorZUi1Pbo5T7IKvvwzrY86KLuTVSIC+51GQUvBW+aGT:ij2bo5T7V0T6J1hHHG

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor6746.exebus1573.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor6746.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus1573.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus1573.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus1573.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor6746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor6746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor6746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus1573.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus1573.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus1573.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor6746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor6746.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/60-212-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-214-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-217-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-219-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-221-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-223-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-225-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-227-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-229-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-231-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-233-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-235-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-237-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-239-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-241-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-243-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-245-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline
behavioral1/memory/60-247-0x0000000004D20000-0x0000000004D5E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge875465.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge875465.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino5595.exekino5195.exekino4064.exebus1573.execor6746.exedhc86s13.exeen552209.exege875465.exemetafor.exemetafor.exe

pid	process
3672	kino5595.exe
988	kino5195.exe
4104	kino4064.exe
3240	bus1573.exe
4920	cor6746.exe
60	dhc86s13.exe
3996	en552209.exe
756	ge875465.exe
936	metafor.exe
4900	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus1573.execor6746.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus1573.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor6746.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor6746.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino5595.exekino5195.exekino4064.exe7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino5595.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5195.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino5195.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4064.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5595.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2408 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4332 4920 WerFault.exe cor6746.exe
2824 60 WerFault.exe dhc86s13.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus1573.execor6746.exedhc86s13.exeen552209.exe

pid process

3240 bus1573.exe
3240 bus1573.exe
4920 cor6746.exe
4920 cor6746.exe
60 dhc86s13.exe
60 dhc86s13.exe
3996 en552209.exe
3996 en552209.exe

pid	process
2408	sc.exe

pid	pid_target	process	target process
4332	4920	WerFault.exe	cor6746.exe
2824	60	WerFault.exe	dhc86s13.exe

pid	process
1432	schtasks.exe

pid	process
3240	bus1573.exe
3240	bus1573.exe
4920	cor6746.exe
4920	cor6746.exe
60	dhc86s13.exe
60	dhc86s13.exe
3996	en552209.exe
3996	en552209.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus1573.execor6746.exedhc86s13.exeen552209.exe

description	pid	process
Token: SeDebugPrivilege	3240	bus1573.exe
Token: SeDebugPrivilege	4920	cor6746.exe
Token: SeDebugPrivilege	60	dhc86s13.exe
Token: SeDebugPrivilege	3996	en552209.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exekino5595.exekino5195.exekino4064.exege875465.exemetafor.execmd.exe

description	pid	process	target process
PID 324 wrote to memory of 3672	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	kino5595.exe
PID 324 wrote to memory of 3672	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	kino5595.exe
PID 324 wrote to memory of 3672	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	kino5595.exe
PID 3672 wrote to memory of 988	3672	kino5595.exe	kino5195.exe
PID 3672 wrote to memory of 988	3672	kino5595.exe	kino5195.exe
PID 3672 wrote to memory of 988	3672	kino5595.exe	kino5195.exe
PID 988 wrote to memory of 4104	988	kino5195.exe	kino4064.exe
PID 988 wrote to memory of 4104	988	kino5195.exe	kino4064.exe
PID 988 wrote to memory of 4104	988	kino5195.exe	kino4064.exe
PID 4104 wrote to memory of 3240	4104	kino4064.exe	bus1573.exe
PID 4104 wrote to memory of 3240	4104	kino4064.exe	bus1573.exe
PID 4104 wrote to memory of 4920	4104	kino4064.exe	cor6746.exe
PID 4104 wrote to memory of 4920	4104	kino4064.exe	cor6746.exe
PID 4104 wrote to memory of 4920	4104	kino4064.exe	cor6746.exe
PID 988 wrote to memory of 60	988	kino5195.exe	dhc86s13.exe
PID 988 wrote to memory of 60	988	kino5195.exe	dhc86s13.exe
PID 988 wrote to memory of 60	988	kino5195.exe	dhc86s13.exe
PID 3672 wrote to memory of 3996	3672	kino5595.exe	en552209.exe
PID 3672 wrote to memory of 3996	3672	kino5595.exe	en552209.exe
PID 3672 wrote to memory of 3996	3672	kino5595.exe	en552209.exe
PID 324 wrote to memory of 756	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	ge875465.exe
PID 324 wrote to memory of 756	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	ge875465.exe
PID 324 wrote to memory of 756	324	7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe	ge875465.exe
PID 756 wrote to memory of 936	756	ge875465.exe	metafor.exe
PID 756 wrote to memory of 936	756	ge875465.exe	metafor.exe
PID 756 wrote to memory of 936	756	ge875465.exe	metafor.exe
PID 936 wrote to memory of 1432	936	metafor.exe	schtasks.exe
PID 936 wrote to memory of 1432	936	metafor.exe	schtasks.exe
PID 936 wrote to memory of 1432	936	metafor.exe	schtasks.exe
PID 936 wrote to memory of 3384	936	metafor.exe	cmd.exe
PID 936 wrote to memory of 3384	936	metafor.exe	cmd.exe
PID 936 wrote to memory of 3384	936	metafor.exe	cmd.exe
PID 3384 wrote to memory of 728	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 728	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 728	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 2488	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 2488	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 2488	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 3964	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 3964	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 3964	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 4868	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 4868	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 4868	3384	cmd.exe	cmd.exe
PID 3384 wrote to memory of 2708	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 2708	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 2708	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 1876	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 1876	3384	cmd.exe	cacls.exe
PID 3384 wrote to memory of 1876	3384	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe
"C:\Users\Admin\AppData\Local\Temp\7090f29c10e99ba876a747b722b28c622d6d7aad0f6c985bd64d0d50d5478b08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5595.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5595.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5195.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5195.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4064.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4064.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1573.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1573.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6746.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6746.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 1088
        6⤵
        Program crash
        
        PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhc86s13.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhc86s13.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:60
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 1496
        5⤵
        Program crash
        
        PID:2824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en552209.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en552209.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875465.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875465.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:728
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:2708
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4920 -ip 4920
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 60 -ip 60
1⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875465.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge875465.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5595.exe

Filesize
829KB

MD5
831ae3cb31ed48e21b0fa89d143d245f

SHA1
6d354459448ecdf136017d58c158a6a3e721cec8

SHA256
845fcea88f47189b6cdb1cc0f41f33feabef54c78f4d6d2b2f627afb0b31deec

SHA512
bc7f028086bbe069b9b0624d6116a60f2b16fa28eba81563197371604f2c6009cc96e8be6498b90b940e9d5a8617c3442b8dbf14a3f03784c6dfcdf579998bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5595.exe

Filesize
829KB

MD5
831ae3cb31ed48e21b0fa89d143d245f

SHA1
6d354459448ecdf136017d58c158a6a3e721cec8

SHA256
845fcea88f47189b6cdb1cc0f41f33feabef54c78f4d6d2b2f627afb0b31deec

SHA512
bc7f028086bbe069b9b0624d6116a60f2b16fa28eba81563197371604f2c6009cc96e8be6498b90b940e9d5a8617c3442b8dbf14a3f03784c6dfcdf579998bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en552209.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en552209.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5195.exe

Filesize
686KB

MD5
41ee3119f3e442424a6b12eb59c5942d

SHA1
ffb2cf7493fb5891c300b25125d018e749e4dd38

SHA256
b0cacfd8c575a0badb46d69c424feff1d3bc24691d1928908cc4e467ece93789

SHA512
73a9667bffb501e567562c818d8cbc82c81d30dd773e8ff2b5d4fd574cfce1a5e8e378fbd67cc9f5ae19ae832981438d1d15952760a75da4ab3c621c4f313180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5195.exe

Filesize
686KB

MD5
41ee3119f3e442424a6b12eb59c5942d

SHA1
ffb2cf7493fb5891c300b25125d018e749e4dd38

SHA256
b0cacfd8c575a0badb46d69c424feff1d3bc24691d1928908cc4e467ece93789

SHA512
73a9667bffb501e567562c818d8cbc82c81d30dd773e8ff2b5d4fd574cfce1a5e8e378fbd67cc9f5ae19ae832981438d1d15952760a75da4ab3c621c4f313180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhc86s13.exe

Filesize
355KB

MD5
4d84a2659e137e4d5af4ad6281fbd3c9

SHA1
2b11f9fda224e824008e39e640bc86da63705ec9

SHA256
56c3acfe61a7f1629a784a76eedb1259bfdbe307a36daf3e72eb1881eac41a32

SHA512
412f2c6ae0238708556cd2ee1e608e55746711ca6fecd7ffa9a43475d70cc48768431b29d0c9982f57cd9604227cd660422b6f071ace0076b48e317c0e3dae1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dhc86s13.exe

Filesize
355KB

MD5
4d84a2659e137e4d5af4ad6281fbd3c9

SHA1
2b11f9fda224e824008e39e640bc86da63705ec9

SHA256
56c3acfe61a7f1629a784a76eedb1259bfdbe307a36daf3e72eb1881eac41a32

SHA512
412f2c6ae0238708556cd2ee1e608e55746711ca6fecd7ffa9a43475d70cc48768431b29d0c9982f57cd9604227cd660422b6f071ace0076b48e317c0e3dae1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4064.exe

Filesize
340KB

MD5
3ab56f1e510915923fc394fa6ef1f701

SHA1
8b8f431fc30e07ae27728f626beb787966f3126f

SHA256
5260d8d3bc17a3ab9723eeefa93c2804d3fba44c5cc7155b2c8959d2e7257bb9

SHA512
1b14dbf21aca8330c92717ce75d22c89c8bb7d753990b5c181a26e6dea8f536c22edd1cb6e1cc89e24daf460a20b0524683d1769e1328ad9a2396e1652d1601f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4064.exe

Filesize
340KB

MD5
3ab56f1e510915923fc394fa6ef1f701

SHA1
8b8f431fc30e07ae27728f626beb787966f3126f

SHA256
5260d8d3bc17a3ab9723eeefa93c2804d3fba44c5cc7155b2c8959d2e7257bb9

SHA512
1b14dbf21aca8330c92717ce75d22c89c8bb7d753990b5c181a26e6dea8f536c22edd1cb6e1cc89e24daf460a20b0524683d1769e1328ad9a2396e1652d1601f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1573.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1573.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6746.exe

Filesize
298KB

MD5
f7c2f372a2c0aa032fbb1e771c8fc4ba

SHA1
aebd9c63c249647a131e1ca03e90d2d520471cd0

SHA256
15b006a5cde6cb83a6e853682af800888730620f615ac1b72c22a202d465f4a8

SHA512
0fc37053875886bbb3ed0fd0314cb6c4f5bdf5afb9109ea350b1f6ad03ca6e3412d18b164a377fba06d89f5a924d249b58b4793b1831d07d67b5511f53541653

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6746.exe

Filesize
298KB

MD5
f7c2f372a2c0aa032fbb1e771c8fc4ba

SHA1
aebd9c63c249647a131e1ca03e90d2d520471cd0

SHA256
15b006a5cde6cb83a6e853682af800888730620f615ac1b72c22a202d465f4a8

SHA512
0fc37053875886bbb3ed0fd0314cb6c4f5bdf5afb9109ea350b1f6ad03ca6e3412d18b164a377fba06d89f5a924d249b58b4793b1831d07d67b5511f53541653

Download Submit
memory/60-1123-0x0000000008110000-0x000000000814C000-memory.dmp

Filesize
240KB

Download
memory/60-1130-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-1135-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-1134-0x00000000090B0000-0x00000000095DC000-memory.dmp

Filesize
5.2MB

Download
memory/60-1133-0x0000000008EE0000-0x00000000090A2000-memory.dmp

Filesize
1.8MB

Download
memory/60-1132-0x0000000008E60000-0x0000000008EB0000-memory.dmp

Filesize
320KB

Download
memory/60-1131-0x0000000008DC0000-0x0000000008E36000-memory.dmp

Filesize
472KB

Download
memory/60-1129-0x0000000008BB0000-0x0000000008C42000-memory.dmp

Filesize
584KB

Download
memory/60-1128-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-1127-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-1126-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/60-1124-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/60-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/60-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/60-247-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-245-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-243-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-210-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/60-211-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-213-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-212-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-215-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/60-214-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-217-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-219-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-221-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-223-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-225-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-227-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-229-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-231-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-233-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-235-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-237-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-239-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/60-241-0x0000000004D20000-0x0000000004D5E000-memory.dmp

Filesize
248KB

Download
memory/3240-161-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/3996-1141-0x00000000008F0000-0x0000000000922000-memory.dmp

Filesize
200KB

Download
memory/3996-1142-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4920-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4920-188-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-202-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-178-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-180-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-199-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-198-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-197-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-196-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-184-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-194-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-192-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-190-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-204-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-186-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-176-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-174-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-203-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4920-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4920-172-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-170-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-169-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/4920-168-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/4920-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4920-182-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download