amadey | 3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698

Analysis

max time kernel
111s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe
Size

1008KB
MD5

7b734a03ac20f5093c7ab15af8c7b323
SHA1

cb23a093bdb6b242e53e5665099331ebaa6a8270
SHA256

3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698
SHA512

fd983c2a65428b0c8abfa5a5df37659e4afed720d3aec1ecec9ce907ee67d9fd10d649a750d8e511816b2fb2b8af6be677feb0135de3b999e1f9251bdddd3ba7
SSDEEP

24576:JyhvIdomIPrkj9PTGuulXbYSSBVlnCMTSDIi:8VOofPrkhPtulrvSBVRCsCI

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2786.execor9915.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor9915.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2786.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2786.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2786.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/444-210-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-211-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-215-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-223-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-221-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-218-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-225-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-227-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-229-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-231-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-233-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-235-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-237-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-239-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-241-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-243-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-245-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-247-0x0000000004C00000-0x0000000004C3E000-memory.dmp	family_redline
behavioral1/memory/444-1131-0x0000000007280000-0x0000000007290000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge059846.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge059846.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino6203.exekino0952.exekino8967.exebus2786.execor9915.exedTu45s81.exeen787230.exege059846.exemetafor.exemetafor.exe

pid	process
1932	kino6203.exe
4392	kino0952.exe
1704	kino8967.exe
3220	bus2786.exe
936	cor9915.exe
444	dTu45s81.exe
2752	en787230.exe
2272	ge059846.exe
4920	metafor.exe
212	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus2786.execor9915.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2786.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor9915.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor9915.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exekino6203.exekino0952.exekino8967.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6203.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino0952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino0952.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8967.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino8967.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3400 936 WerFault.exe cor9915.exe
1816 444 WerFault.exe dTu45s81.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2132 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2786.execor9915.exedTu45s81.exeen787230.exe

pid process

3220 bus2786.exe
3220 bus2786.exe
936 cor9915.exe
936 cor9915.exe
444 dTu45s81.exe
444 dTu45s81.exe
2752 en787230.exe
2752 en787230.exe

pid	pid_target	process	target process
3400	936	WerFault.exe	cor9915.exe
1816	444	WerFault.exe	dTu45s81.exe

pid	process
2132	schtasks.exe

pid	process
3220	bus2786.exe
3220	bus2786.exe
936	cor9915.exe
936	cor9915.exe
444	dTu45s81.exe
444	dTu45s81.exe
2752	en787230.exe
2752	en787230.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2786.execor9915.exedTu45s81.exeen787230.exe

description	pid	process
Token: SeDebugPrivilege	3220	bus2786.exe
Token: SeDebugPrivilege	936	cor9915.exe
Token: SeDebugPrivilege	444	dTu45s81.exe
Token: SeDebugPrivilege	2752	en787230.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exekino6203.exekino0952.exekino8967.exege059846.exemetafor.execmd.exe

description	pid	process	target process
PID 60 wrote to memory of 1932	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	kino6203.exe
PID 60 wrote to memory of 1932	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	kino6203.exe
PID 60 wrote to memory of 1932	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	kino6203.exe
PID 1932 wrote to memory of 4392	1932	kino6203.exe	kino0952.exe
PID 1932 wrote to memory of 4392	1932	kino6203.exe	kino0952.exe
PID 1932 wrote to memory of 4392	1932	kino6203.exe	kino0952.exe
PID 4392 wrote to memory of 1704	4392	kino0952.exe	kino8967.exe
PID 4392 wrote to memory of 1704	4392	kino0952.exe	kino8967.exe
PID 4392 wrote to memory of 1704	4392	kino0952.exe	kino8967.exe
PID 1704 wrote to memory of 3220	1704	kino8967.exe	bus2786.exe
PID 1704 wrote to memory of 3220	1704	kino8967.exe	bus2786.exe
PID 1704 wrote to memory of 936	1704	kino8967.exe	cor9915.exe
PID 1704 wrote to memory of 936	1704	kino8967.exe	cor9915.exe
PID 1704 wrote to memory of 936	1704	kino8967.exe	cor9915.exe
PID 4392 wrote to memory of 444	4392	kino0952.exe	dTu45s81.exe
PID 4392 wrote to memory of 444	4392	kino0952.exe	dTu45s81.exe
PID 4392 wrote to memory of 444	4392	kino0952.exe	dTu45s81.exe
PID 1932 wrote to memory of 2752	1932	kino6203.exe	en787230.exe
PID 1932 wrote to memory of 2752	1932	kino6203.exe	en787230.exe
PID 1932 wrote to memory of 2752	1932	kino6203.exe	en787230.exe
PID 60 wrote to memory of 2272	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	ge059846.exe
PID 60 wrote to memory of 2272	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	ge059846.exe
PID 60 wrote to memory of 2272	60	3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe	ge059846.exe
PID 2272 wrote to memory of 4920	2272	ge059846.exe	metafor.exe
PID 2272 wrote to memory of 4920	2272	ge059846.exe	metafor.exe
PID 2272 wrote to memory of 4920	2272	ge059846.exe	metafor.exe
PID 4920 wrote to memory of 2132	4920	metafor.exe	schtasks.exe
PID 4920 wrote to memory of 2132	4920	metafor.exe	schtasks.exe
PID 4920 wrote to memory of 2132	4920	metafor.exe	schtasks.exe
PID 4920 wrote to memory of 460	4920	metafor.exe	cmd.exe
PID 4920 wrote to memory of 460	4920	metafor.exe	cmd.exe
PID 4920 wrote to memory of 460	4920	metafor.exe	cmd.exe
PID 460 wrote to memory of 532	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 532	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 532	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 1824	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 1824	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 1824	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 4184	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 4184	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 4184	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 1528	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 1528	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 1528	460	cmd.exe	cmd.exe
PID 460 wrote to memory of 3320	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 3320	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 3320	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 3224	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 3224	460	cmd.exe	cacls.exe
PID 460 wrote to memory of 3224	460	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe
"C:\Users\Admin\AppData\Local\Temp\3b1760ced26a630c36343a215ca4b06368d512dd6a24c6d0a6610c8975677698.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6203.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6203.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0952.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0952.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8967.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8967.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2786.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2786.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9915.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9915.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1100
        6⤵
        Program crash
        
        PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dTu45s81.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dTu45s81.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:444
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 444 -s 1348
        5⤵
        Program crash
        
        PID:1816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en787230.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en787230.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge059846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge059846.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
    "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:N"
        5⤵
        
        PID:1824
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "metafor.exe" /P "Admin:R" /E
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:N"
        5⤵
        
        PID:3320
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\5975271bda" /P "Admin:R" /E
        5⤵
        
        PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 936 -ip 936
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 444 -ip 444
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge059846.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge059846.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6203.exe

Filesize
826KB

MD5
0e4933777cd7965bc80ad0528b06d9ca

SHA1
39760c751ddb9a236d9f1c38b37758fa63868f4c

SHA256
643ff499a4312c8f50be0bc2a68748768afd914906ed36100ecce0be32b8d5a1

SHA512
5f652a23257493f04c2d60102eb96b1ac7dff9d30c9bb5d8180a38455b9ee21f69ac8286875e89909f48ee274b1154c4cce583a0ef24c2d05565b2e1be3d8493

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6203.exe

Filesize
826KB

MD5
0e4933777cd7965bc80ad0528b06d9ca

SHA1
39760c751ddb9a236d9f1c38b37758fa63868f4c

SHA256
643ff499a4312c8f50be0bc2a68748768afd914906ed36100ecce0be32b8d5a1

SHA512
5f652a23257493f04c2d60102eb96b1ac7dff9d30c9bb5d8180a38455b9ee21f69ac8286875e89909f48ee274b1154c4cce583a0ef24c2d05565b2e1be3d8493

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en787230.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en787230.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0952.exe

Filesize
684KB

MD5
1601b718f6fb1712e35554cec8835808

SHA1
79db8d9eeabb764fb7cdf4e93d05fd3ca5a6f9cb

SHA256
1297cd3d6d57c3d9f56dbebf0bfefb5fcc738099b9f268488dc9ef353c683f2f

SHA512
ff216488f950102726f5306bf0fd2d755c72d61b9887dd6cb8da0865e06362cb45b94445c7592324550bd003b5fb0f5ad2d67ea6d1360ee04d9e5d0cb451d9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino0952.exe

Filesize
684KB

MD5
1601b718f6fb1712e35554cec8835808

SHA1
79db8d9eeabb764fb7cdf4e93d05fd3ca5a6f9cb

SHA256
1297cd3d6d57c3d9f56dbebf0bfefb5fcc738099b9f268488dc9ef353c683f2f

SHA512
ff216488f950102726f5306bf0fd2d755c72d61b9887dd6cb8da0865e06362cb45b94445c7592324550bd003b5fb0f5ad2d67ea6d1360ee04d9e5d0cb451d9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dTu45s81.exe

Filesize
355KB

MD5
daffe2dfde9229d52f7d306ec7e0d043

SHA1
6b4052c97538c27356dd51724705feaa3121667c

SHA256
478ac6974c3766ee57e79ce003746f6b66b43cfc4c41cacca4ca0c78c9f6cc32

SHA512
86d871396b87094a4729556975abbff6580125a1419283adcd8c0b1b2ece462de0167c603d657d253ce3de04582a3590e0bf8490ca6a607f72bcb4637ed3b3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dTu45s81.exe

Filesize
355KB

MD5
daffe2dfde9229d52f7d306ec7e0d043

SHA1
6b4052c97538c27356dd51724705feaa3121667c

SHA256
478ac6974c3766ee57e79ce003746f6b66b43cfc4c41cacca4ca0c78c9f6cc32

SHA512
86d871396b87094a4729556975abbff6580125a1419283adcd8c0b1b2ece462de0167c603d657d253ce3de04582a3590e0bf8490ca6a607f72bcb4637ed3b3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8967.exe

Filesize
339KB

MD5
85152b2c97db058b884686bc0fd25ac0

SHA1
1e857498d65c553f2af4485e89095ea20b538730

SHA256
e8f2acc58a29e194ec427e5e145fc286b6df29179e83dcaf7bef9797444cb238

SHA512
7322acea67ced9350c979806abc8417ab5c025fc9f876f89d3e039b628356e33034fecf4b23d2454e489d8e454a0e61c7e525d2157fb1eec44b5ac468e84c787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8967.exe

Filesize
339KB

MD5
85152b2c97db058b884686bc0fd25ac0

SHA1
1e857498d65c553f2af4485e89095ea20b538730

SHA256
e8f2acc58a29e194ec427e5e145fc286b6df29179e83dcaf7bef9797444cb238

SHA512
7322acea67ced9350c979806abc8417ab5c025fc9f876f89d3e039b628356e33034fecf4b23d2454e489d8e454a0e61c7e525d2157fb1eec44b5ac468e84c787

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2786.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2786.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9915.exe

Filesize
298KB

MD5
5eac49fe8c8d384e11117afa75deedc6

SHA1
a7c659a9bb1c474180954e945b4a33658d622ccf

SHA256
f2499ccc025b95d385c97ed839f934c203f02e1ae37306d3664bade36ec8fa2b

SHA512
0cbf431291e3dfe1f78391c086e4bf0c20e77c7afcc00abd4dd873a225e575c9318ea45a474bf227f2f1f3223a6597befd5e2ec4637ac401d195abe682dc0ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor9915.exe

Filesize
298KB

MD5
5eac49fe8c8d384e11117afa75deedc6

SHA1
a7c659a9bb1c474180954e945b4a33658d622ccf

SHA256
f2499ccc025b95d385c97ed839f934c203f02e1ae37306d3664bade36ec8fa2b

SHA512
0cbf431291e3dfe1f78391c086e4bf0c20e77c7afcc00abd4dd873a225e575c9318ea45a474bf227f2f1f3223a6597befd5e2ec4637ac401d195abe682dc0ffb

Download Submit
memory/444-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/444-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/444-1135-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-1133-0x0000000009540000-0x0000000009590000-memory.dmp

Filesize
320KB

Download
memory/444-1132-0x00000000094B0000-0x0000000009526000-memory.dmp

Filesize
472KB

Download
memory/444-1131-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-1130-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-1129-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/444-1128-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/444-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/444-1124-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/444-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/444-1120-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/444-247-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-245-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-243-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-241-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-210-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-211-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-213-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

Filesize
300KB

Download
memory/444-214-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-215-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-217-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-223-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-221-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-219-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/444-218-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-225-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-227-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-229-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-231-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-233-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-235-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-237-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/444-239-0x0000000004C00000-0x0000000004C3E000-memory.dmp

Filesize
248KB

Download
memory/936-189-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/936-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/936-204-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/936-202-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/936-203-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/936-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/936-175-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-199-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-197-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-181-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-195-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-193-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-179-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-173-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-187-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-185-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-183-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-177-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-172-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-167-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/936-191-0x00000000049D0000-0x00000000049E2000-memory.dmp

Filesize
72KB

Download
memory/936-171-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/936-169-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/936-170-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/2752-1141-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/2752-1140-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/3220-161-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download