amadey | 24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667

Analysis

max time kernel
124s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe
Size

1008KB
MD5

f298979492b7dbac5ebf8a1124feb0fd
SHA1

169743b09767b066b8c7dc34fa79f23459e229d8
SHA256

24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667
SHA512

427fec0327ec546a85ef26923cedc3f62a1f1ca7f5adc89f2b93a494c2345297368a08bde1fb97eab8a9476d473642071d542316a6910c182a22c91b82744ab1
SSDEEP

12288:6MrJy90ehPkAEeI/gpCCCFLEd5XGYiTwDglHe6kss240E8ibYIxuI4+O8sBRHmKb:ry/BhEeVDCFL8GLTkw+kfybYYHDuHei

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2316.execor5855.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2316.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor5855.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2192-207-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-208-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-210-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-212-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-218-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-215-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-222-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-224-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-226-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-228-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-232-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-234-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-230-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-236-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-238-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-240-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-242-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-244-0x0000000007140000-0x000000000717E000-memory.dmp	family_redline
behavioral1/memory/2192-1125-0x00000000072E0000-0x00000000072F0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge463450.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge463450.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino9805.exekino3546.exekino4509.exebus2316.execor5855.exedzl56s46.exeen783145.exege463450.exemetafor.exemetafor.exemetafor.exe

pid	process
1028	kino9805.exe
3044	kino3546.exe
768	kino4509.exe
236	bus2316.exe
4552	cor5855.exe
2192	dzl56s46.exe
3328	en783145.exe
4164	ge463450.exe
3288	metafor.exe
3840	metafor.exe
4868	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus2316.execor5855.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor5855.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor5855.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino9805.exekino3546.exekino4509.exe24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino9805.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3546.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4509.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4509.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9805.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4804 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2468 4552 WerFault.exe cor5855.exe
2600 2192 WerFault.exe dzl56s46.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4876 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2316.execor5855.exedzl56s46.exeen783145.exe

pid process

236 bus2316.exe
236 bus2316.exe
4552 cor5855.exe
4552 cor5855.exe
2192 dzl56s46.exe
2192 dzl56s46.exe
3328 en783145.exe
3328 en783145.exe

pid	process
4804	sc.exe

pid	pid_target	process	target process
2468	4552	WerFault.exe	cor5855.exe
2600	2192	WerFault.exe	dzl56s46.exe

pid	process
4876	schtasks.exe

pid	process
236	bus2316.exe
236	bus2316.exe
4552	cor5855.exe
4552	cor5855.exe
2192	dzl56s46.exe
2192	dzl56s46.exe
3328	en783145.exe
3328	en783145.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2316.execor5855.exedzl56s46.exeen783145.exe

description	pid	process
Token: SeDebugPrivilege	236	bus2316.exe
Token: SeDebugPrivilege	4552	cor5855.exe
Token: SeDebugPrivilege	2192	dzl56s46.exe
Token: SeDebugPrivilege	3328	en783145.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exekino9805.exekino3546.exekino4509.exege463450.exemetafor.execmd.exe

description	pid	process	target process
PID 1688 wrote to memory of 1028	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	kino9805.exe
PID 1688 wrote to memory of 1028	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	kino9805.exe
PID 1688 wrote to memory of 1028	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	kino9805.exe
PID 1028 wrote to memory of 3044	1028	kino9805.exe	kino3546.exe
PID 1028 wrote to memory of 3044	1028	kino9805.exe	kino3546.exe
PID 1028 wrote to memory of 3044	1028	kino9805.exe	kino3546.exe
PID 3044 wrote to memory of 768	3044	kino3546.exe	kino4509.exe
PID 3044 wrote to memory of 768	3044	kino3546.exe	kino4509.exe
PID 3044 wrote to memory of 768	3044	kino3546.exe	kino4509.exe
PID 768 wrote to memory of 236	768	kino4509.exe	bus2316.exe
PID 768 wrote to memory of 236	768	kino4509.exe	bus2316.exe
PID 768 wrote to memory of 4552	768	kino4509.exe	cor5855.exe
PID 768 wrote to memory of 4552	768	kino4509.exe	cor5855.exe
PID 768 wrote to memory of 4552	768	kino4509.exe	cor5855.exe
PID 3044 wrote to memory of 2192	3044	kino3546.exe	dzl56s46.exe
PID 3044 wrote to memory of 2192	3044	kino3546.exe	dzl56s46.exe
PID 3044 wrote to memory of 2192	3044	kino3546.exe	dzl56s46.exe
PID 1028 wrote to memory of 3328	1028	kino9805.exe	en783145.exe
PID 1028 wrote to memory of 3328	1028	kino9805.exe	en783145.exe
PID 1028 wrote to memory of 3328	1028	kino9805.exe	en783145.exe
PID 1688 wrote to memory of 4164	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	ge463450.exe
PID 1688 wrote to memory of 4164	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	ge463450.exe
PID 1688 wrote to memory of 4164	1688	24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe	ge463450.exe
PID 4164 wrote to memory of 3288	4164	ge463450.exe	metafor.exe
PID 4164 wrote to memory of 3288	4164	ge463450.exe	metafor.exe
PID 4164 wrote to memory of 3288	4164	ge463450.exe	metafor.exe
PID 3288 wrote to memory of 4876	3288	metafor.exe	schtasks.exe
PID 3288 wrote to memory of 4876	3288	metafor.exe	schtasks.exe
PID 3288 wrote to memory of 4876	3288	metafor.exe	schtasks.exe
PID 3288 wrote to memory of 5096	3288	metafor.exe	cmd.exe
PID 3288 wrote to memory of 5096	3288	metafor.exe	cmd.exe
PID 3288 wrote to memory of 5096	3288	metafor.exe	cmd.exe
PID 5096 wrote to memory of 4176	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 4176	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 4176	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 1336	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1336	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1336	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 3376	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 3376	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 3376	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1668	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 1668	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 1668	5096	cmd.exe	cmd.exe
PID 5096 wrote to memory of 4508	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 4508	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 4508	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1408	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1408	5096	cmd.exe	cacls.exe
PID 5096 wrote to memory of 1408	5096	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe
"C:\Users\Admin\AppData\Local\Temp\24ae693b099fa349c4a1767cbb132495f29743ccedca34d79cdbd6eee46f4667.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9805.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9805.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3546.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3546.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4509.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4509.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2316.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2316.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5855.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5855.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1104
6⤵
- Program crash
PID:2468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzl56s46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzl56s46.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1640
5⤵
- Program crash
PID:2600

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en783145.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en783145.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge463450.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge463450.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4176

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1336

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4508

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4552 -ip 4552
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2192 -ip 2192
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge463450.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge463450.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9805.exe
Filesize
826KB

MD5
6cf110d7253963f9d012da060a5560b0

SHA1
46148e7ff9f0da4e24b49cdae62bad0dcb6e7691

SHA256
c866403a4d8a3cd7d395cee68c8f40a8520d6f7c4df5a5a2b2c89d6e8665bd6d

SHA512
4ee1f1c7c3e6e7c2a49c69650a55e80362b531c5715a5edd795f2fa8119459e18923c097e700c1e65c96717ea94c1ca36f70128e211e68ea405d036ec84f7d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9805.exe
Filesize
826KB

MD5
6cf110d7253963f9d012da060a5560b0

SHA1
46148e7ff9f0da4e24b49cdae62bad0dcb6e7691

SHA256
c866403a4d8a3cd7d395cee68c8f40a8520d6f7c4df5a5a2b2c89d6e8665bd6d

SHA512
4ee1f1c7c3e6e7c2a49c69650a55e80362b531c5715a5edd795f2fa8119459e18923c097e700c1e65c96717ea94c1ca36f70128e211e68ea405d036ec84f7d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en783145.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en783145.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3546.exe
Filesize
684KB

MD5
7f6912aecccb27a7310d1efc3ce017a1

SHA1
e395bd3044d6b4c5ebe8db3118967a4e24534fcd

SHA256
69cb321fd223c25a2580a12fb07109e5797c7ed29741e0fb569087c5a417da9f

SHA512
1f2c66346c147167bfe2bd07e0c00a5c31be0b0d1b56e08f469290ec73e64c9f5d0bb86c108af7df3bf910749674f37ae5590e88c6ec1c39c7acfd4a3323412f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3546.exe
Filesize
684KB

MD5
7f6912aecccb27a7310d1efc3ce017a1

SHA1
e395bd3044d6b4c5ebe8db3118967a4e24534fcd

SHA256
69cb321fd223c25a2580a12fb07109e5797c7ed29741e0fb569087c5a417da9f

SHA512
1f2c66346c147167bfe2bd07e0c00a5c31be0b0d1b56e08f469290ec73e64c9f5d0bb86c108af7df3bf910749674f37ae5590e88c6ec1c39c7acfd4a3323412f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzl56s46.exe
Filesize
355KB

MD5
0da23cf8df11f4d3c78f72c08a65acd9

SHA1
039f242e81b9948e496b5d0d899eda3b54e2b278

SHA256
84cfb9be0ab98d7370e39f7337ee2e6d81c1f84e2d7c50c500cb5e1be65ee47a

SHA512
7375d5df2b6d467a1e47fa940d4639d930475a0b2cb26bc3969028dcdb93e8def7d6732512c4778ad21ab6a6184b97f94cb95a8a3c7873e4f10ad77c99c5b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dzl56s46.exe
Filesize
355KB

MD5
0da23cf8df11f4d3c78f72c08a65acd9

SHA1
039f242e81b9948e496b5d0d899eda3b54e2b278

SHA256
84cfb9be0ab98d7370e39f7337ee2e6d81c1f84e2d7c50c500cb5e1be65ee47a

SHA512
7375d5df2b6d467a1e47fa940d4639d930475a0b2cb26bc3969028dcdb93e8def7d6732512c4778ad21ab6a6184b97f94cb95a8a3c7873e4f10ad77c99c5b5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4509.exe
Filesize
339KB

MD5
edade0d48ed31380b3685186db3d69be

SHA1
b909372b7332f70e346e9b3b5fddb4f6ce4f2033

SHA256
31aa285c0e0b75348840e75b89004b352c0cc3aa26c2e7546e3d99d497d007c5

SHA512
50cf1a0f4f7fc511d6be74d333e656b8b0b666814321ed40a35ed443f54b55b3fb3d13f0e68b49fa4a77a8f500f7831ec509ce9ba417d8d1719d03310d415164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4509.exe
Filesize
339KB

MD5
edade0d48ed31380b3685186db3d69be

SHA1
b909372b7332f70e346e9b3b5fddb4f6ce4f2033

SHA256
31aa285c0e0b75348840e75b89004b352c0cc3aa26c2e7546e3d99d497d007c5

SHA512
50cf1a0f4f7fc511d6be74d333e656b8b0b666814321ed40a35ed443f54b55b3fb3d13f0e68b49fa4a77a8f500f7831ec509ce9ba417d8d1719d03310d415164

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2316.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2316.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5855.exe
Filesize
298KB

MD5
8d6af419c86faab47b3bb70cf7daadc1

SHA1
002863a64f7fa571a6b665f22f52bf42cdd5d866

SHA256
5e02b073b728da3748211d210764dcdce38cee759f57c59ae5220177ae82a6c6

SHA512
d3ff9a15dbef568788bf37aaa540d50dec20d5d530e2fed85dc6bcaf43491a46b28d97d3ed1d135e7007ceb1931f9b83201581aa67ca5ec82f66291ed1c8e2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor5855.exe
Filesize
298KB

MD5
8d6af419c86faab47b3bb70cf7daadc1

SHA1
002863a64f7fa571a6b665f22f52bf42cdd5d866

SHA256
5e02b073b728da3748211d210764dcdce38cee759f57c59ae5220177ae82a6c6

SHA512
d3ff9a15dbef568788bf37aaa540d50dec20d5d530e2fed85dc6bcaf43491a46b28d97d3ed1d135e7007ceb1931f9b83201581aa67ca5ec82f66291ed1c8e2e3

Download Submit
memory/236-161-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2192-1120-0x00000000072A0000-0x00000000072DC000-memory.dmp

Filesize
240KB

Download
memory/2192-238-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-1132-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-1131-0x000000000B260000-0x000000000B78C000-memory.dmp

Filesize
5.2MB

Download
memory/2192-1130-0x000000000B090000-0x000000000B252000-memory.dmp

Filesize
1.8MB

Download
memory/2192-1129-0x000000000B030000-0x000000000B080000-memory.dmp

Filesize
320KB

Download
memory/2192-1128-0x000000000AFA0000-0x000000000B016000-memory.dmp

Filesize
472KB

Download
memory/2192-1127-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-1126-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-1125-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-1124-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/2192-1123-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/2192-1121-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-207-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-208-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-210-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-212-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-217-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-218-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-215-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-221-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-219-0x00000000072E0000-0x00000000072F0000-memory.dmp

Filesize
64KB

Download
memory/2192-214-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/2192-222-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-224-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-226-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-228-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-232-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-234-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-230-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-236-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-1119-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/2192-240-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-242-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-244-0x0000000007140000-0x000000000717E000-memory.dmp

Filesize
248KB

Download
memory/2192-1117-0x00000000078A0000-0x0000000007EB8000-memory.dmp

Filesize
6.1MB

Download
memory/2192-1118-0x0000000007EC0000-0x0000000007FCA000-memory.dmp

Filesize
1.0MB

Download
memory/3328-1138-0x0000000000AF0000-0x0000000000B22000-memory.dmp

Filesize
200KB

Download
memory/3328-1139-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4552-188-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-202-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4552-178-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-201-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4552-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4552-198-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-196-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-194-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-176-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-190-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-167-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/4552-184-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-192-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-182-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-180-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-174-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-171-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-172-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download
memory/4552-170-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4552-169-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/4552-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4552-186-0x0000000007220000-0x0000000007232000-memory.dmp

Filesize
72KB

Download