amadey | 658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a

Analysis

max time kernel
96s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe
Size

1011KB
MD5

0d59763d88382758cbd145e06b656dee
SHA1

d069a26b30b3b9c4621726a259081d530626067e
SHA256

658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a
SHA512

6f45d1bed1a24571554d7b201ba9c8ceebe3496e6b635df9f547241f81c264759981e145a85aef0475f4b1a1898d5d0943cc9e2bde68154f958da1a7181255e5
SSDEEP

24576:2yNN0JGGfSbobLuBuX8kwLQ+Ps3jgAiGXkHCAoTT37:FQJGxobLuY8kwc+Ps3jgnm

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2357.execor0976.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0976.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2357.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2357.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0976.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3128-210-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-211-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-213-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-215-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-217-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-219-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-221-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-223-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-225-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-227-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-229-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-231-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-233-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-235-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-238-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-245-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-247-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline
behavioral1/memory/3128-242-0x0000000007780000-0x00000000077BE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege076266.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge076266.exe

Executes dropped EXE 10 IoCs

Processes:

kino5792.exekino8126.exekino4547.exebus2357.execor0976.exedSA03s12.exeen953312.exege076266.exemetafor.exemetafor.exe

pid	process
4768	kino5792.exe
1984	kino8126.exe
1552	kino4547.exe
4916	bus2357.exe
4644	cor0976.exe
3128	dSA03s12.exe
2816	en953312.exe
1472	ge076266.exe
1944	metafor.exe
2036	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus2357.execor0976.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2357.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0976.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0976.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino5792.exekino8126.exekino4547.exe658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino5792.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino8126.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4547.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3812 4644 WerFault.exe cor0976.exe
628 3128 WerFault.exe dSA03s12.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1596 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2357.execor0976.exedSA03s12.exeen953312.exe

pid process

4916 bus2357.exe
4916 bus2357.exe
4644 cor0976.exe
4644 cor0976.exe
3128 dSA03s12.exe
3128 dSA03s12.exe
2816 en953312.exe
2816 en953312.exe

pid	pid_target	process	target process
3812	4644	WerFault.exe	cor0976.exe
628	3128	WerFault.exe	dSA03s12.exe

pid	process
1596	schtasks.exe

pid	process
4916	bus2357.exe
4916	bus2357.exe
4644	cor0976.exe
4644	cor0976.exe
3128	dSA03s12.exe
3128	dSA03s12.exe
2816	en953312.exe
2816	en953312.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2357.execor0976.exedSA03s12.exeen953312.exe

description	pid	process
Token: SeDebugPrivilege	4916	bus2357.exe
Token: SeDebugPrivilege	4644	cor0976.exe
Token: SeDebugPrivilege	3128	dSA03s12.exe
Token: SeDebugPrivilege	2816	en953312.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exekino5792.exekino8126.exekino4547.exege076266.exemetafor.execmd.exe

description	pid	process	target process
PID 2164 wrote to memory of 4768	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	kino5792.exe
PID 2164 wrote to memory of 4768	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	kino5792.exe
PID 2164 wrote to memory of 4768	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	kino5792.exe
PID 4768 wrote to memory of 1984	4768	kino5792.exe	kino8126.exe
PID 4768 wrote to memory of 1984	4768	kino5792.exe	kino8126.exe
PID 4768 wrote to memory of 1984	4768	kino5792.exe	kino8126.exe
PID 1984 wrote to memory of 1552	1984	kino8126.exe	kino4547.exe
PID 1984 wrote to memory of 1552	1984	kino8126.exe	kino4547.exe
PID 1984 wrote to memory of 1552	1984	kino8126.exe	kino4547.exe
PID 1552 wrote to memory of 4916	1552	kino4547.exe	bus2357.exe
PID 1552 wrote to memory of 4916	1552	kino4547.exe	bus2357.exe
PID 1552 wrote to memory of 4644	1552	kino4547.exe	cor0976.exe
PID 1552 wrote to memory of 4644	1552	kino4547.exe	cor0976.exe
PID 1552 wrote to memory of 4644	1552	kino4547.exe	cor0976.exe
PID 1984 wrote to memory of 3128	1984	kino8126.exe	dSA03s12.exe
PID 1984 wrote to memory of 3128	1984	kino8126.exe	dSA03s12.exe
PID 1984 wrote to memory of 3128	1984	kino8126.exe	dSA03s12.exe
PID 4768 wrote to memory of 2816	4768	kino5792.exe	en953312.exe
PID 4768 wrote to memory of 2816	4768	kino5792.exe	en953312.exe
PID 4768 wrote to memory of 2816	4768	kino5792.exe	en953312.exe
PID 2164 wrote to memory of 1472	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	ge076266.exe
PID 2164 wrote to memory of 1472	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	ge076266.exe
PID 2164 wrote to memory of 1472	2164	658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe	ge076266.exe
PID 1472 wrote to memory of 1944	1472	ge076266.exe	metafor.exe
PID 1472 wrote to memory of 1944	1472	ge076266.exe	metafor.exe
PID 1472 wrote to memory of 1944	1472	ge076266.exe	metafor.exe
PID 1944 wrote to memory of 1596	1944	metafor.exe	schtasks.exe
PID 1944 wrote to memory of 1596	1944	metafor.exe	schtasks.exe
PID 1944 wrote to memory of 1596	1944	metafor.exe	schtasks.exe
PID 1944 wrote to memory of 3356	1944	metafor.exe	cmd.exe
PID 1944 wrote to memory of 3356	1944	metafor.exe	cmd.exe
PID 1944 wrote to memory of 3356	1944	metafor.exe	cmd.exe
PID 3356 wrote to memory of 1172	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 1172	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 1172	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 1256	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 1256	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 1256	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 4604	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 4604	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 4604	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 4840	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 4840	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 4840	3356	cmd.exe	cmd.exe
PID 3356 wrote to memory of 1140	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 1140	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 1140	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 860	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 860	3356	cmd.exe	cacls.exe
PID 3356 wrote to memory of 860	3356	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe
"C:\Users\Admin\AppData\Local\Temp\658ecfde26244d8a7e658f9396d9498e8097d6fd2bfdaff70b3cd692cc58a09a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5792.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5792.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8126.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8126.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4547.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4547.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2357.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2357.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0976.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0976.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1084
        6⤵
        Program crash
        
        PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSA03s12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSA03s12.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1856
        5⤵
        Program crash
        
        PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en953312.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en953312.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge076266.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge076266.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1172
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:4604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4840
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3128 -ip 3128
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge076266.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge076266.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5792.exe

Filesize
829KB

MD5
7d5d8c29b00d6e46adff4b2d6b274fbb

SHA1
803ec8bac0c8d95cf70decdce628de253595061b

SHA256
f8400fb142efc38c901688f580277e4508ea723b05c7dc09069de550904d2755

SHA512
c3e1114936765d5a142beebbf95e55808861947e6485e9417a0066c60d43e9c83a6704ff0f72c157db507b78d0bb648323dfe59450266a379d89760882269357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino5792.exe

Filesize
829KB

MD5
7d5d8c29b00d6e46adff4b2d6b274fbb

SHA1
803ec8bac0c8d95cf70decdce628de253595061b

SHA256
f8400fb142efc38c901688f580277e4508ea723b05c7dc09069de550904d2755

SHA512
c3e1114936765d5a142beebbf95e55808861947e6485e9417a0066c60d43e9c83a6704ff0f72c157db507b78d0bb648323dfe59450266a379d89760882269357

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en953312.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en953312.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8126.exe

Filesize
686KB

MD5
743afce12e831c816eafea3e21882760

SHA1
2de8588e3995c1c56604eb6a7f2bf1d20c55f194

SHA256
2342689cada71a56caea4e74a5cb73858d0cc8eb6fa2135e1910c113a3fa5e1e

SHA512
1b0380975479b6059f07b1c5a1a2e17f8424392141f81eb72a1b0ece2d9b6a305a120a848859cae9fe4e1b279b12955eba9a09491c8d1e58a6eca674aa026251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8126.exe

Filesize
686KB

MD5
743afce12e831c816eafea3e21882760

SHA1
2de8588e3995c1c56604eb6a7f2bf1d20c55f194

SHA256
2342689cada71a56caea4e74a5cb73858d0cc8eb6fa2135e1910c113a3fa5e1e

SHA512
1b0380975479b6059f07b1c5a1a2e17f8424392141f81eb72a1b0ece2d9b6a305a120a848859cae9fe4e1b279b12955eba9a09491c8d1e58a6eca674aa026251

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSA03s12.exe

Filesize
355KB

MD5
48c56d4bf21119804d4c85822dea7320

SHA1
996612cdfa71c43bf4ac86794c1305016fda40e5

SHA256
2bc80576338029c0d49c319de6671b82dddc32dcef086b2428cbf44b597dcb0e

SHA512
535354d7ad5d2cf909f78342e1224a17969d8d8e137722be95025fecc9823ad0983a87e7e7618dceb3f02457947b75eae508adab14512bed2b3494adbf3e143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSA03s12.exe

Filesize
355KB

MD5
48c56d4bf21119804d4c85822dea7320

SHA1
996612cdfa71c43bf4ac86794c1305016fda40e5

SHA256
2bc80576338029c0d49c319de6671b82dddc32dcef086b2428cbf44b597dcb0e

SHA512
535354d7ad5d2cf909f78342e1224a17969d8d8e137722be95025fecc9823ad0983a87e7e7618dceb3f02457947b75eae508adab14512bed2b3494adbf3e143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4547.exe

Filesize
340KB

MD5
5212bb3477f9ff448918969c4a3dbeda

SHA1
d978bd833d78d069319b9840bed308d314908165

SHA256
49ba0fbc450843197209381ba5b66a113c6a7b5cab6cca7297bc1eb02745c5de

SHA512
dbfb8e7af4c60758061c90587c9acf7dcbe6a2e525bb1901a12702235a45b9088a5c4ba8e050730345f93865edfe48d5a4b206a1a469d48af6e6ec7e1bba9169

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4547.exe

Filesize
340KB

MD5
5212bb3477f9ff448918969c4a3dbeda

SHA1
d978bd833d78d069319b9840bed308d314908165

SHA256
49ba0fbc450843197209381ba5b66a113c6a7b5cab6cca7297bc1eb02745c5de

SHA512
dbfb8e7af4c60758061c90587c9acf7dcbe6a2e525bb1901a12702235a45b9088a5c4ba8e050730345f93865edfe48d5a4b206a1a469d48af6e6ec7e1bba9169

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2357.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2357.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0976.exe

Filesize
298KB

MD5
a9799b0be5b69ac6b20dbbe9044390fb

SHA1
84062113ac95d55c363dc041567b25a8bfa32ff3

SHA256
2cd3765267be403d88923507590c66e335c85643a2ea5bbe7bf581b46dbe177a

SHA512
087295e6184cc96a5df73fefb03b811112394082f55108f87ca50072dc7d8d12f374fed783a6f856be4a0f8ce7fc2c4345649fa81af44d82b29fa0db0fd72fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0976.exe

Filesize
298KB

MD5
a9799b0be5b69ac6b20dbbe9044390fb

SHA1
84062113ac95d55c363dc041567b25a8bfa32ff3

SHA256
2cd3765267be403d88923507590c66e335c85643a2ea5bbe7bf581b46dbe177a

SHA512
087295e6184cc96a5df73fefb03b811112394082f55108f87ca50072dc7d8d12f374fed783a6f856be4a0f8ce7fc2c4345649fa81af44d82b29fa0db0fd72fbe

Download Submit
memory/2816-1142-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/2816-1141-0x0000000000F10000-0x0000000000F42000-memory.dmp

Filesize
200KB

Download
memory/3128-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/3128-238-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-1135-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-1134-0x0000000008F50000-0x000000000947C000-memory.dmp

Filesize
5.2MB

Download
memory/3128-1133-0x0000000008D70000-0x0000000008F32000-memory.dmp

Filesize
1.8MB

Download
memory/3128-1132-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-1131-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-1129-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-1130-0x0000000008C10000-0x0000000008C60000-memory.dmp

Filesize
320KB

Download
memory/3128-1128-0x0000000008B80000-0x0000000008BF6000-memory.dmp

Filesize
472KB

Download
memory/3128-1127-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/3128-1126-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/3128-1124-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/3128-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/3128-1120-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3128-210-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-211-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-213-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-215-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-217-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-219-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-221-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-223-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-225-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-227-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-229-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-231-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-233-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-235-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-237-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/3128-242-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-239-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-241-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-245-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/3128-244-0x0000000007040000-0x0000000007050000-memory.dmp

Filesize
64KB

Download
memory/3128-247-0x0000000007780000-0x00000000077BE000-memory.dmp

Filesize
248KB

Download
memory/4644-194-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-184-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-192-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-190-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-180-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-204-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4644-203-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4644-202-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4644-200-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4644-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4644-198-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-196-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-186-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-182-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4644-188-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-178-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-176-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-174-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-172-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-171-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4644-170-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4644-169-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/4644-168-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/4644-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4916-161-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download