amadey | 09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d

Analysis

max time kernel
145s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe
Size

1010KB
MD5

b8db952f956a726bbc47acce14e22713
SHA1

f618b1c239a399d56e27c8f13d95e9bfbbedfbe4
SHA256

09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d
SHA512

c18b8e131d940c420e0d91e499b63b20bfb61bcf6dec2483364ae43a3c85460ded54e6d769012d575a0d6ed620b408ffde1482344d989551a8c8c0d982c187b6
SSDEEP

24576:Oyb/D2priXcICNeGQ2QaVbXVsu4DUWPqK2x/HXJ:df2prTRNLQ2J9lsu4DUED29H

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor1484.exebus3442.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus3442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus3442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus3442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus3442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus3442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus3442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1484.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4240-209-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-210-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-212-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-220-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-222-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-216-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-224-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-226-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-228-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-230-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-232-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-234-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-236-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-238-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-240-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-242-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-244-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline
behavioral1/memory/4240-246-0x0000000004BF0000-0x0000000004C2E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge541280.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge541280.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino1001.exekino7292.exekino6570.exebus3442.execor1484.exedJN90s11.exeen182881.exege541280.exemetafor.exemetafor.exemetafor.exe

pid	process
1764	kino1001.exe
4848	kino7292.exe
4032	kino6570.exe
3124	bus3442.exe
4568	cor1484.exe
4240	dJN90s11.exe
844	en182881.exe
1836	ge541280.exe
4180	metafor.exe
548	metafor.exe
4084	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus3442.execor1484.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus3442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1484.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino1001.exekino7292.exekino6570.exe09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino1001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino1001.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7292.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino7292.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6570.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino6570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2764 4568 WerFault.exe cor1484.exe
2292 4240 WerFault.exe dJN90s11.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3272 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus3442.execor1484.exedJN90s11.exeen182881.exe

pid process

3124 bus3442.exe
3124 bus3442.exe
4568 cor1484.exe
4568 cor1484.exe
4240 dJN90s11.exe
4240 dJN90s11.exe
844 en182881.exe
844 en182881.exe

pid	pid_target	process	target process
2764	4568	WerFault.exe	cor1484.exe
2292	4240	WerFault.exe	dJN90s11.exe

pid	process
3272	schtasks.exe

pid	process
3124	bus3442.exe
3124	bus3442.exe
4568	cor1484.exe
4568	cor1484.exe
4240	dJN90s11.exe
4240	dJN90s11.exe
844	en182881.exe
844	en182881.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus3442.execor1484.exedJN90s11.exeen182881.exe

description	pid	process
Token: SeDebugPrivilege	3124	bus3442.exe
Token: SeDebugPrivilege	4568	cor1484.exe
Token: SeDebugPrivilege	4240	dJN90s11.exe
Token: SeDebugPrivilege	844	en182881.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exekino1001.exekino7292.exekino6570.exege541280.exemetafor.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 1764	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	kino1001.exe
PID 1956 wrote to memory of 1764	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	kino1001.exe
PID 1956 wrote to memory of 1764	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	kino1001.exe
PID 1764 wrote to memory of 4848	1764	kino1001.exe	kino7292.exe
PID 1764 wrote to memory of 4848	1764	kino1001.exe	kino7292.exe
PID 1764 wrote to memory of 4848	1764	kino1001.exe	kino7292.exe
PID 4848 wrote to memory of 4032	4848	kino7292.exe	kino6570.exe
PID 4848 wrote to memory of 4032	4848	kino7292.exe	kino6570.exe
PID 4848 wrote to memory of 4032	4848	kino7292.exe	kino6570.exe
PID 4032 wrote to memory of 3124	4032	kino6570.exe	bus3442.exe
PID 4032 wrote to memory of 3124	4032	kino6570.exe	bus3442.exe
PID 4032 wrote to memory of 4568	4032	kino6570.exe	cor1484.exe
PID 4032 wrote to memory of 4568	4032	kino6570.exe	cor1484.exe
PID 4032 wrote to memory of 4568	4032	kino6570.exe	cor1484.exe
PID 4848 wrote to memory of 4240	4848	kino7292.exe	dJN90s11.exe
PID 4848 wrote to memory of 4240	4848	kino7292.exe	dJN90s11.exe
PID 4848 wrote to memory of 4240	4848	kino7292.exe	dJN90s11.exe
PID 1764 wrote to memory of 844	1764	kino1001.exe	en182881.exe
PID 1764 wrote to memory of 844	1764	kino1001.exe	en182881.exe
PID 1764 wrote to memory of 844	1764	kino1001.exe	en182881.exe
PID 1956 wrote to memory of 1836	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	ge541280.exe
PID 1956 wrote to memory of 1836	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	ge541280.exe
PID 1956 wrote to memory of 1836	1956	09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe	ge541280.exe
PID 1836 wrote to memory of 4180	1836	ge541280.exe	metafor.exe
PID 1836 wrote to memory of 4180	1836	ge541280.exe	metafor.exe
PID 1836 wrote to memory of 4180	1836	ge541280.exe	metafor.exe
PID 4180 wrote to memory of 3272	4180	metafor.exe	schtasks.exe
PID 4180 wrote to memory of 3272	4180	metafor.exe	schtasks.exe
PID 4180 wrote to memory of 3272	4180	metafor.exe	schtasks.exe
PID 4180 wrote to memory of 2880	4180	metafor.exe	cmd.exe
PID 4180 wrote to memory of 2880	4180	metafor.exe	cmd.exe
PID 4180 wrote to memory of 2880	4180	metafor.exe	cmd.exe
PID 2880 wrote to memory of 4772	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 4772	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 4772	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 1168	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 1168	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 1168	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 2100	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 2100	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 2100	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 3548	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3548	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 3548	2880	cmd.exe	cmd.exe
PID 2880 wrote to memory of 2184	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 2184	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 2184	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 4676	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 4676	2880	cmd.exe	cacls.exe
PID 2880 wrote to memory of 4676	2880	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe
"C:\Users\Admin\AppData\Local\Temp\09067d57922ac1e23a480ade3ac764f2b24e7dc40eaa4002d7e256508890297d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1001.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1001.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7292.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7292.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6570.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6570.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3442.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3442.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1484.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1484.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1004
6⤵
- Program crash
PID:2764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJN90s11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJN90s11.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1336
5⤵
- Program crash
PID:2292

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en182881.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en182881.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge541280.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge541280.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4772

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1168

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3548

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:2184

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4568 -ip 4568
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4240 -ip 4240
1⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge541280.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge541280.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1001.exe
Filesize
828KB

MD5
15ebe9df12546270df6839f78591437d

SHA1
cbce75281e095ec6ed702bb006d49b79344d70eb

SHA256
22621de422c836cbef36c2ff5e179c470a4ecf81fb72034deecba7e1bbed9f80

SHA512
0cdc94767838e65c2c8b54cbfff1b1edaef760f5d364c3bf9ee389c38d7f9721cf4130529c153a4def097287adb2b18d0308915533036d91adb804048417e6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1001.exe
Filesize
828KB

MD5
15ebe9df12546270df6839f78591437d

SHA1
cbce75281e095ec6ed702bb006d49b79344d70eb

SHA256
22621de422c836cbef36c2ff5e179c470a4ecf81fb72034deecba7e1bbed9f80

SHA512
0cdc94767838e65c2c8b54cbfff1b1edaef760f5d364c3bf9ee389c38d7f9721cf4130529c153a4def097287adb2b18d0308915533036d91adb804048417e6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en182881.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en182881.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7292.exe
Filesize
685KB

MD5
fb151cd386036cde3e65c3867c75d872

SHA1
e23910b49a1c8ab48c48c0f2e3b6e9a054337d42

SHA256
da66c36667ae7810748a4b58efad406904a54f8fab2f836eccacc64430f98907

SHA512
c08079fa12dacbfc9148b32153469cd738c383ac592d33a1e3520caa8da89bf4b8a5e9798346bb4b9061131c334f664266160b33be247f30cb82673c8e134767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino7292.exe
Filesize
685KB

MD5
fb151cd386036cde3e65c3867c75d872

SHA1
e23910b49a1c8ab48c48c0f2e3b6e9a054337d42

SHA256
da66c36667ae7810748a4b58efad406904a54f8fab2f836eccacc64430f98907

SHA512
c08079fa12dacbfc9148b32153469cd738c383ac592d33a1e3520caa8da89bf4b8a5e9798346bb4b9061131c334f664266160b33be247f30cb82673c8e134767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJN90s11.exe
Filesize
355KB

MD5
608cd7cac8da33a15ae50e58c8171d86

SHA1
f3aa698e13676f9e7cac3f22b741dac0eca6814b

SHA256
cbaceafb273daed14311d78829b438c987c3d0cb65181bf233dc625837487046

SHA512
570e624de5ff6fc2ee5ff6ebc83e8c1d9194d6ca3e81a6afc2917920429715d88b59079189ae65c917b496f11b949b552b577ebcdd0a8f6cc91295c9d391b980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dJN90s11.exe
Filesize
355KB

MD5
608cd7cac8da33a15ae50e58c8171d86

SHA1
f3aa698e13676f9e7cac3f22b741dac0eca6814b

SHA256
cbaceafb273daed14311d78829b438c987c3d0cb65181bf233dc625837487046

SHA512
570e624de5ff6fc2ee5ff6ebc83e8c1d9194d6ca3e81a6afc2917920429715d88b59079189ae65c917b496f11b949b552b577ebcdd0a8f6cc91295c9d391b980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6570.exe
Filesize
340KB

MD5
3d019213907b026c3d12f5604d7181cc

SHA1
e4bf67def6d2a70f15b05971df2879dad33fdb22

SHA256
c3b90c25d4815bf13a3d06491ee0a8526c00a5697336042a52c01c63450e8781

SHA512
83193955e5abdc91fb334a0122682cad817c3977889765acc3e3016ef14e9355e56c76d3a77b12fa9277fb2e56c3c28da6413c22df6763a352f22aa35f5bcaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6570.exe
Filesize
340KB

MD5
3d019213907b026c3d12f5604d7181cc

SHA1
e4bf67def6d2a70f15b05971df2879dad33fdb22

SHA256
c3b90c25d4815bf13a3d06491ee0a8526c00a5697336042a52c01c63450e8781

SHA512
83193955e5abdc91fb334a0122682cad817c3977889765acc3e3016ef14e9355e56c76d3a77b12fa9277fb2e56c3c28da6413c22df6763a352f22aa35f5bcaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3442.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3442.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1484.exe
Filesize
298KB

MD5
6e2c0660f83c6c52f3aaedec9c594d5a

SHA1
c932031583b137e49df4d79624ba326b46d05d9c

SHA256
dbd14df21add1096017bf38d696ab9d19f7cbe7ed5a80c741778c60cbcaf0cb4

SHA512
e0929feaa9635ee9ca8413f4097c24d6f04e5bedb2c571c38e537b78185448505235c36b2f682704952e7a6a98f66b06fdf5c3e05d8113e06e883d4bee98798b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1484.exe
Filesize
298KB

MD5
6e2c0660f83c6c52f3aaedec9c594d5a

SHA1
c932031583b137e49df4d79624ba326b46d05d9c

SHA256
dbd14df21add1096017bf38d696ab9d19f7cbe7ed5a80c741778c60cbcaf0cb4

SHA512
e0929feaa9635ee9ca8413f4097c24d6f04e5bedb2c571c38e537b78185448505235c36b2f682704952e7a6a98f66b06fdf5c3e05d8113e06e883d4bee98798b

Download Submit
memory/844-1141-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/844-1140-0x0000000000340000-0x0000000000372000-memory.dmp

Filesize
200KB

Download
memory/3124-161-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/4240-1123-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-240-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-1135-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-1133-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-1132-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-1131-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-1130-0x0000000009080000-0x00000000095AC000-memory.dmp

Filesize
5.2MB

Download
memory/4240-1129-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/4240-1128-0x0000000008D30000-0x0000000008D80000-memory.dmp

Filesize
320KB

Download
memory/4240-1127-0x0000000008CA0000-0x0000000008D16000-memory.dmp

Filesize
472KB

Download
memory/4240-1126-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4240-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4240-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4240-209-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-210-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-212-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-213-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4240-217-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-220-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-219-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-222-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-216-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-215-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4240-224-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-226-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-228-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-230-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-232-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-234-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-236-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-238-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4240-242-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-244-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-246-0x0000000004BF0000-0x0000000004C2E000-memory.dmp

Filesize
248KB

Download
memory/4240-1119-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/4240-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4568-191-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-170-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/4568-183-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-187-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4568-203-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/4568-202-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/4568-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4568-199-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-197-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-167-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/4568-185-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-179-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-181-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-189-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-177-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-175-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-173-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-172-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-171-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/4568-169-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/4568-193-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4568-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/4568-195-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download