amadey | 760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe
Size

1009KB
MD5

6c7ac567d9da49c6db15f7686db70f66
SHA1

66d7be5ff6be95f33c9df64e572b38229773aec3
SHA256

760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71
SHA512

dc40be48fbf0af0a61231fdd68e9a328b363f65f7bb93bcd34ea6fb518f973baaef9fb2475bedc7bad5dc9aa19a1fdb7f5cfe0147f199eef5b68c666287da2af
SSDEEP

24576:Ky6RN4ghr+BbohfTIP7IfZi3PYbZAYkb4qvlq2j24MPx:RWNzN+Bbo5TIP7IfZcPoyYkb40q6

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus5865.execor0859.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus5865.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus5865.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus5865.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0859.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus5865.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus5865.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus5865.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4700-212-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-213-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-215-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-217-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-219-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-221-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-223-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-247-0x0000000004DE0000-0x0000000004E1E000-memory.dmp	family_redline
behavioral1/memory/4700-1134-0x0000000005040000-0x0000000005050000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge746154.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge746154.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kino6741.exekino6183.exekino4964.exebus5865.execor0859.exedxb11s57.exeen545663.exege746154.exemetafor.exemetafor.exemetafor.exe

pid	process
2340	kino6741.exe
1484	kino6183.exe
1692	kino4964.exe
5080	bus5865.exe
660	cor0859.exe
4700	dxb11s57.exe
1892	en545663.exe
644	ge746154.exe
4040	metafor.exe
4720	metafor.exe
4256	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus5865.execor0859.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus5865.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0859.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino6741.exekino6183.exekino4964.exe760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino6741.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino6183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4964.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino6741.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4312 660 WerFault.exe cor0859.exe
1272 4700 WerFault.exe dxb11s57.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3184 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus5865.execor0859.exedxb11s57.exeen545663.exe

pid process

5080 bus5865.exe
5080 bus5865.exe
660 cor0859.exe
660 cor0859.exe
4700 dxb11s57.exe
4700 dxb11s57.exe
1892 en545663.exe
1892 en545663.exe

pid	pid_target	process	target process
4312	660	WerFault.exe	cor0859.exe
1272	4700	WerFault.exe	dxb11s57.exe

pid	process
3184	schtasks.exe

pid	process
5080	bus5865.exe
5080	bus5865.exe
660	cor0859.exe
660	cor0859.exe
4700	dxb11s57.exe
4700	dxb11s57.exe
1892	en545663.exe
1892	en545663.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus5865.execor0859.exedxb11s57.exeen545663.exe

description	pid	process
Token: SeDebugPrivilege	5080	bus5865.exe
Token: SeDebugPrivilege	660	cor0859.exe
Token: SeDebugPrivilege	4700	dxb11s57.exe
Token: SeDebugPrivilege	1892	en545663.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exekino6741.exekino6183.exekino4964.exege746154.exemetafor.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 2340	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	kino6741.exe
PID 5008 wrote to memory of 2340	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	kino6741.exe
PID 5008 wrote to memory of 2340	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	kino6741.exe
PID 2340 wrote to memory of 1484	2340	kino6741.exe	kino6183.exe
PID 2340 wrote to memory of 1484	2340	kino6741.exe	kino6183.exe
PID 2340 wrote to memory of 1484	2340	kino6741.exe	kino6183.exe
PID 1484 wrote to memory of 1692	1484	kino6183.exe	kino4964.exe
PID 1484 wrote to memory of 1692	1484	kino6183.exe	kino4964.exe
PID 1484 wrote to memory of 1692	1484	kino6183.exe	kino4964.exe
PID 1692 wrote to memory of 5080	1692	kino4964.exe	bus5865.exe
PID 1692 wrote to memory of 5080	1692	kino4964.exe	bus5865.exe
PID 1692 wrote to memory of 660	1692	kino4964.exe	cor0859.exe
PID 1692 wrote to memory of 660	1692	kino4964.exe	cor0859.exe
PID 1692 wrote to memory of 660	1692	kino4964.exe	cor0859.exe
PID 1484 wrote to memory of 4700	1484	kino6183.exe	dxb11s57.exe
PID 1484 wrote to memory of 4700	1484	kino6183.exe	dxb11s57.exe
PID 1484 wrote to memory of 4700	1484	kino6183.exe	dxb11s57.exe
PID 2340 wrote to memory of 1892	2340	kino6741.exe	en545663.exe
PID 2340 wrote to memory of 1892	2340	kino6741.exe	en545663.exe
PID 2340 wrote to memory of 1892	2340	kino6741.exe	en545663.exe
PID 5008 wrote to memory of 644	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	ge746154.exe
PID 5008 wrote to memory of 644	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	ge746154.exe
PID 5008 wrote to memory of 644	5008	760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe	ge746154.exe
PID 644 wrote to memory of 4040	644	ge746154.exe	metafor.exe
PID 644 wrote to memory of 4040	644	ge746154.exe	metafor.exe
PID 644 wrote to memory of 4040	644	ge746154.exe	metafor.exe
PID 4040 wrote to memory of 3184	4040	metafor.exe	schtasks.exe
PID 4040 wrote to memory of 3184	4040	metafor.exe	schtasks.exe
PID 4040 wrote to memory of 3184	4040	metafor.exe	schtasks.exe
PID 4040 wrote to memory of 2092	4040	metafor.exe	cmd.exe
PID 4040 wrote to memory of 2092	4040	metafor.exe	cmd.exe
PID 4040 wrote to memory of 2092	4040	metafor.exe	cmd.exe
PID 2092 wrote to memory of 4972	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 4972	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 4972	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 388	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 388	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 388	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 4628	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 4628	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 4628	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 3268	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 3268	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 3268	2092	cmd.exe	cmd.exe
PID 2092 wrote to memory of 2116	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 2116	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 2116	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 3564	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 3564	2092	cmd.exe	cacls.exe
PID 2092 wrote to memory of 3564	2092	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe
"C:\Users\Admin\AppData\Local\Temp\760808847a2e97d060d36a1e2170feadf9532b36d76dfd25dc94d4d42f52fa71.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6741.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6741.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6183.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6183.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4964.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4964.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5865.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5865.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0859.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0859.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 1076
6⤵
- Program crash
PID:4312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxb11s57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxb11s57.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1340
5⤵
- Program crash
PID:1272

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en545663.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en545663.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge746154.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge746154.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4972

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:388

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3268

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:2116

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 660 -ip 660
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4700 -ip 4700
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge746154.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge746154.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6741.exe
Filesize
827KB

MD5
92b4c1e84f395f7df535723128192893

SHA1
f3832e2498bb0b9ffef6d2c5a34aa4e69b057040

SHA256
3d2318571e9629ab95050ae240742a6a57a916b40e1024d14abfb31b6016dfaa

SHA512
ee27bf99867b7c85f3a8cc71e03bf0d018eeec787853ffd47699c30346596aa7236de470d9075635d22eeca57d387321dc64db1eda213df5310b2011e3e9ae0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino6741.exe
Filesize
827KB

MD5
92b4c1e84f395f7df535723128192893

SHA1
f3832e2498bb0b9ffef6d2c5a34aa4e69b057040

SHA256
3d2318571e9629ab95050ae240742a6a57a916b40e1024d14abfb31b6016dfaa

SHA512
ee27bf99867b7c85f3a8cc71e03bf0d018eeec787853ffd47699c30346596aa7236de470d9075635d22eeca57d387321dc64db1eda213df5310b2011e3e9ae0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en545663.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en545663.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6183.exe
Filesize
685KB

MD5
181811ccbfb8c440e2d861568da8ceee

SHA1
ba0634c825e46a45d6330f5bfe5b5882221109c1

SHA256
737220b0c6da034b1d6224ac95e84dc35ab113875dcb0ac65967aded422023e0

SHA512
ede7e250bdf57b20075c51fac61d40af8fad2d3f8081cba291c9d8c81dba1b0d123c3a5e5bb98a6e3fe9c908e3154a5cf8feb94b4c30b4b25589a6c72a297ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino6183.exe
Filesize
685KB

MD5
181811ccbfb8c440e2d861568da8ceee

SHA1
ba0634c825e46a45d6330f5bfe5b5882221109c1

SHA256
737220b0c6da034b1d6224ac95e84dc35ab113875dcb0ac65967aded422023e0

SHA512
ede7e250bdf57b20075c51fac61d40af8fad2d3f8081cba291c9d8c81dba1b0d123c3a5e5bb98a6e3fe9c908e3154a5cf8feb94b4c30b4b25589a6c72a297ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxb11s57.exe
Filesize
355KB

MD5
9b3f10090d279ccdd9bdd87f6bcdeeb5

SHA1
2c4c60985d98fad59ccca62e6bc811f31a37ad68

SHA256
726fef5283dd616e36f64ea50a8afc33726265ed60574f796546b3c0d30b4df8

SHA512
254b2e9c3ee3b1b797b5299cfaec251cd66d99b47bd3e0fd156df59671210d749e11c54fdedc1116e2bdfef40a2414cf1aa9fec9e55754848ee816cd5f0d026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxb11s57.exe
Filesize
355KB

MD5
9b3f10090d279ccdd9bdd87f6bcdeeb5

SHA1
2c4c60985d98fad59ccca62e6bc811f31a37ad68

SHA256
726fef5283dd616e36f64ea50a8afc33726265ed60574f796546b3c0d30b4df8

SHA512
254b2e9c3ee3b1b797b5299cfaec251cd66d99b47bd3e0fd156df59671210d749e11c54fdedc1116e2bdfef40a2414cf1aa9fec9e55754848ee816cd5f0d026e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4964.exe
Filesize
340KB

MD5
d3972df0c1c8b2dfaf5abe42b4328b5b

SHA1
3e238575518da267ee3d722c4ea8613057b46e1d

SHA256
1bf9764f2e6b103d1ad4fb8abbcfbd32634a9d2f9e5891f4c618bffd77b20712

SHA512
23e5c533ef713de6b0b078aa776b000707a81847a4efca5de54e70eb4deda51240251b3e94a4af0c741f2ffb3dd6aff78c5bf8dc89279bb4b4d246cc247d5198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4964.exe
Filesize
340KB

MD5
d3972df0c1c8b2dfaf5abe42b4328b5b

SHA1
3e238575518da267ee3d722c4ea8613057b46e1d

SHA256
1bf9764f2e6b103d1ad4fb8abbcfbd32634a9d2f9e5891f4c618bffd77b20712

SHA512
23e5c533ef713de6b0b078aa776b000707a81847a4efca5de54e70eb4deda51240251b3e94a4af0c741f2ffb3dd6aff78c5bf8dc89279bb4b4d246cc247d5198

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5865.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5865.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0859.exe
Filesize
298KB

MD5
650257c43e91eb8599e019e122967d1d

SHA1
f254442f2edba5d7543e30afd5db83cd4a66a98b

SHA256
52de12a50dddc612cf29c2847b0dc17225dc262847b6f8ec3658969df7bde5ee

SHA512
a01bf434efe1f0d7bec5abd273b8846eaed2c24494648ad35b2a94bf4eca40750f628c4fa7ff2b176888dc55e30aac025c2f091ad8ddb0e595470084ef46c4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0859.exe
Filesize
298KB

MD5
650257c43e91eb8599e019e122967d1d

SHA1
f254442f2edba5d7543e30afd5db83cd4a66a98b

SHA256
52de12a50dddc612cf29c2847b0dc17225dc262847b6f8ec3658969df7bde5ee

SHA512
a01bf434efe1f0d7bec5abd273b8846eaed2c24494648ad35b2a94bf4eca40750f628c4fa7ff2b176888dc55e30aac025c2f091ad8ddb0e595470084ef46c4dd

Download Submit
memory/660-190-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-205-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-188-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-184-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-192-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-194-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-196-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-198-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-199-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-200-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-201-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-202-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/660-204-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-186-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-206-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/660-207-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/660-182-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-180-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-178-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-176-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-174-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-172-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-171-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/660-170-0x0000000007260000-0x0000000007804000-memory.dmp

Filesize
5.6MB

Download
memory/660-169-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/1892-1142-0x0000000000C10000-0x0000000000C42000-memory.dmp

Filesize
200KB

Download
memory/1892-1143-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4700-221-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-230-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-233-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-235-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-237-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-239-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-241-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-243-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-245-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-247-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-1122-0x0000000007990000-0x0000000007FA8000-memory.dmp

Filesize
6.1MB

Download
memory/4700-1123-0x0000000007FB0000-0x00000000080BA000-memory.dmp

Filesize
1.0MB

Download
memory/4700-1124-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/4700-1125-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-1126-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/4700-1128-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4700-1129-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4700-1131-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-1130-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-1132-0x0000000008CC0000-0x0000000008D36000-memory.dmp

Filesize
472KB

Download
memory/4700-1133-0x0000000008D50000-0x0000000008DA0000-memory.dmp

Filesize
320KB

Download
memory/4700-1134-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-1135-0x0000000008EB0000-0x0000000009072000-memory.dmp

Filesize
1.8MB

Download
memory/4700-1136-0x0000000009090000-0x00000000095BC000-memory.dmp

Filesize
5.2MB

Download
memory/4700-232-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-229-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-228-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4700-227-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/4700-225-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-223-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-219-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-217-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-215-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-213-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/4700-212-0x0000000004DE0000-0x0000000004E1E000-memory.dmp

Filesize
248KB

Download
memory/5080-161-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/5080-162-0x000000001B720000-0x000000001B86E000-memory.dmp

Filesize
1.3MB

Download
memory/5080-164-0x000000001B720000-0x000000001B86E000-memory.dmp

Filesize
1.3MB

Download