amadey | 00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe
Size

1009KB
MD5

b96b49769d1c27f272502f32793e7358
SHA1

b5ac81a4aaf70801298bc034c237a3d476d5ecc3
SHA256

00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c
SHA512

997b325acd488831e7a5ee809159f547f207acacc51e0e2a93686353b950850423bd3cf07eaf3faffbb2b81054b863452286713338bd248d43c5db28c490c719
SSDEEP

24576:cyRBHUcR7oXv3HpYeuKnljjJrD2BkkDdCQc0lCt1:LRBNkf3JYslZ23Dk

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus2380.execor7132.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus2380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus2380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus2380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus2380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus2380.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7132.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus2380.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7132.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-208-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-209-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-211-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-213-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-215-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-218-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-220-0x0000000007160000-0x0000000007170000-memory.dmp	family_redline
behavioral1/memory/2108-221-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-226-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-224-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-228-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-230-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-234-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-232-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-236-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-238-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-240-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-242-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline
behavioral1/memory/2108-244-0x0000000007720000-0x000000000775E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege266084.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge266084.exe

Executes dropped EXE 11 IoCs

Processes:

kino2022.exekino3835.exekino3321.exebus2380.execor7132.exedPQ14s67.exeen588446.exege266084.exemetafor.exemetafor.exemetafor.exe

pid	process
4580	kino2022.exe
2020	kino3835.exe
3048	kino3321.exe
3292	bus2380.exe
3904	cor7132.exe
2108	dPQ14s67.exe
4372	en588446.exe
1008	ge266084.exe
3048	metafor.exe
4188	metafor.exe
64	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus2380.execor7132.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus2380.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7132.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7132.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino3321.exe00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exekino2022.exekino3835.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3321.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino3321.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino2022.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3835.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3835.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

912 3904 WerFault.exe cor7132.exe
2480 2108 WerFault.exe dPQ14s67.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1152 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus2380.execor7132.exedPQ14s67.exeen588446.exe

pid process

3292 bus2380.exe
3292 bus2380.exe
3904 cor7132.exe
3904 cor7132.exe
2108 dPQ14s67.exe
2108 dPQ14s67.exe
4372 en588446.exe
4372 en588446.exe

pid	pid_target	process	target process
912	3904	WerFault.exe	cor7132.exe
2480	2108	WerFault.exe	dPQ14s67.exe

pid	process
1152	schtasks.exe

pid	process
3292	bus2380.exe
3292	bus2380.exe
3904	cor7132.exe
3904	cor7132.exe
2108	dPQ14s67.exe
2108	dPQ14s67.exe
4372	en588446.exe
4372	en588446.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus2380.execor7132.exedPQ14s67.exeen588446.exe

description	pid	process
Token: SeDebugPrivilege	3292	bus2380.exe
Token: SeDebugPrivilege	3904	cor7132.exe
Token: SeDebugPrivilege	2108	dPQ14s67.exe
Token: SeDebugPrivilege	4372	en588446.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exekino2022.exekino3835.exekino3321.exege266084.exemetafor.execmd.exe

description	pid	process	target process
PID 1944 wrote to memory of 4580	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	kino2022.exe
PID 1944 wrote to memory of 4580	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	kino2022.exe
PID 1944 wrote to memory of 4580	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	kino2022.exe
PID 4580 wrote to memory of 2020	4580	kino2022.exe	kino3835.exe
PID 4580 wrote to memory of 2020	4580	kino2022.exe	kino3835.exe
PID 4580 wrote to memory of 2020	4580	kino2022.exe	kino3835.exe
PID 2020 wrote to memory of 3048	2020	kino3835.exe	kino3321.exe
PID 2020 wrote to memory of 3048	2020	kino3835.exe	kino3321.exe
PID 2020 wrote to memory of 3048	2020	kino3835.exe	kino3321.exe
PID 3048 wrote to memory of 3292	3048	kino3321.exe	bus2380.exe
PID 3048 wrote to memory of 3292	3048	kino3321.exe	bus2380.exe
PID 3048 wrote to memory of 3904	3048	kino3321.exe	cor7132.exe
PID 3048 wrote to memory of 3904	3048	kino3321.exe	cor7132.exe
PID 3048 wrote to memory of 3904	3048	kino3321.exe	cor7132.exe
PID 2020 wrote to memory of 2108	2020	kino3835.exe	dPQ14s67.exe
PID 2020 wrote to memory of 2108	2020	kino3835.exe	dPQ14s67.exe
PID 2020 wrote to memory of 2108	2020	kino3835.exe	dPQ14s67.exe
PID 4580 wrote to memory of 4372	4580	kino2022.exe	en588446.exe
PID 4580 wrote to memory of 4372	4580	kino2022.exe	en588446.exe
PID 4580 wrote to memory of 4372	4580	kino2022.exe	en588446.exe
PID 1944 wrote to memory of 1008	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	ge266084.exe
PID 1944 wrote to memory of 1008	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	ge266084.exe
PID 1944 wrote to memory of 1008	1944	00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe	ge266084.exe
PID 1008 wrote to memory of 3048	1008	ge266084.exe	metafor.exe
PID 1008 wrote to memory of 3048	1008	ge266084.exe	metafor.exe
PID 1008 wrote to memory of 3048	1008	ge266084.exe	metafor.exe
PID 3048 wrote to memory of 1152	3048	metafor.exe	schtasks.exe
PID 3048 wrote to memory of 1152	3048	metafor.exe	schtasks.exe
PID 3048 wrote to memory of 1152	3048	metafor.exe	schtasks.exe
PID 3048 wrote to memory of 2220	3048	metafor.exe	cmd.exe
PID 3048 wrote to memory of 2220	3048	metafor.exe	cmd.exe
PID 3048 wrote to memory of 2220	3048	metafor.exe	cmd.exe
PID 2220 wrote to memory of 676	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 676	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 676	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 672	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 672	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 672	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 2336	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 2336	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 2336	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 1340	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 1340	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 1340	2220	cmd.exe	cmd.exe
PID 2220 wrote to memory of 1552	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 1552	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 1552	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 612	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 612	2220	cmd.exe	cacls.exe
PID 2220 wrote to memory of 612	2220	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe
"C:\Users\Admin\AppData\Local\Temp\00c8afb252b2c136d1da27a29b54dce6dc880990f0821a975ea4484bb0502e3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2022.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2022.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3835.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3835.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3321.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3321.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2380.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2380.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7132.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7132.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 1088
6⤵
- Program crash
PID:912

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPQ14s67.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPQ14s67.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1328
5⤵
- Program crash
PID:2480

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en588446.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en588446.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge266084.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge266084.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:676

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:672

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1340

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1552

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3904 -ip 3904
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2108 -ip 2108
1⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge266084.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge266084.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2022.exe
Filesize
829KB

MD5
79f9beb2dd40cbba19c30dc6f6e4108b

SHA1
79944b49cf10d2c615813e8bc53ddfca36e5f9bc

SHA256
ee476f8be3ba4dd01915738a0f09f679ca72f24f35a624782f6695de49526f11

SHA512
f7fe8e95169540dd6182108af7303bae035074e77ab7f5d10437de8e435d3c148c31ab2ad35867f6c62624f620c5a54bf865333d3481988eb9fc280412909c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino2022.exe
Filesize
829KB

MD5
79f9beb2dd40cbba19c30dc6f6e4108b

SHA1
79944b49cf10d2c615813e8bc53ddfca36e5f9bc

SHA256
ee476f8be3ba4dd01915738a0f09f679ca72f24f35a624782f6695de49526f11

SHA512
f7fe8e95169540dd6182108af7303bae035074e77ab7f5d10437de8e435d3c148c31ab2ad35867f6c62624f620c5a54bf865333d3481988eb9fc280412909c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en588446.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en588446.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3835.exe
Filesize
686KB

MD5
3a0c29820f80d7a1023c14dca1abb959

SHA1
5bf4162a78fe8915862d8595785048c7b5697c40

SHA256
0cf5fd5afcc633be46f3854b53afad3f1628286d9d3fe0eba1f564b404bcf46c

SHA512
5c30ebb7c517d27708a04a3946ec85afbb71a747921a9c717669feb0b51774efca556036afa3079293235b2f483c1a1ed980bae15ece4eb626f4e72363ca10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3835.exe
Filesize
686KB

MD5
3a0c29820f80d7a1023c14dca1abb959

SHA1
5bf4162a78fe8915862d8595785048c7b5697c40

SHA256
0cf5fd5afcc633be46f3854b53afad3f1628286d9d3fe0eba1f564b404bcf46c

SHA512
5c30ebb7c517d27708a04a3946ec85afbb71a747921a9c717669feb0b51774efca556036afa3079293235b2f483c1a1ed980bae15ece4eb626f4e72363ca10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPQ14s67.exe
Filesize
356KB

MD5
c1a0aae9187265b21bf7ffae7fba753b

SHA1
a9a3a35f68b4b2705c6e778886a68246bd67a79e

SHA256
644f9b48bbce7461caf33947ce1857b1637664244f4dcd7fc65dd898c9c13e68

SHA512
ebc1086ef54c84631eb3b454a64a09a56835a1d8171bcd504f3c46e292874e4655121d1b0d8c81ffafc56e4dd13190d29cf2e54daaa085754f678dfcdd510627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dPQ14s67.exe
Filesize
356KB

MD5
c1a0aae9187265b21bf7ffae7fba753b

SHA1
a9a3a35f68b4b2705c6e778886a68246bd67a79e

SHA256
644f9b48bbce7461caf33947ce1857b1637664244f4dcd7fc65dd898c9c13e68

SHA512
ebc1086ef54c84631eb3b454a64a09a56835a1d8171bcd504f3c46e292874e4655121d1b0d8c81ffafc56e4dd13190d29cf2e54daaa085754f678dfcdd510627

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3321.exe
Filesize
340KB

MD5
71444f1925b12952545c495cb819d37b

SHA1
4e4cb9b3605b9eb31eb355336a3c794ccf7b5911

SHA256
f9f8617896d7507c03d88181d3a40e21d3a1ba1f77c12d5c31ba4ab43e8982c3

SHA512
8844cbdc40c2944f12edcc60fbe3ca6149b90c057bde05609ad16c2e629cae935e316a22dd1e82fbc1940731cb209137902f4834ee37192eae5dcf1dd06d8a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino3321.exe
Filesize
340KB

MD5
71444f1925b12952545c495cb819d37b

SHA1
4e4cb9b3605b9eb31eb355336a3c794ccf7b5911

SHA256
f9f8617896d7507c03d88181d3a40e21d3a1ba1f77c12d5c31ba4ab43e8982c3

SHA512
8844cbdc40c2944f12edcc60fbe3ca6149b90c057bde05609ad16c2e629cae935e316a22dd1e82fbc1940731cb209137902f4834ee37192eae5dcf1dd06d8a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2380.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus2380.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7132.exe
Filesize
298KB

MD5
6814153c88f95b72c2518f6aebadf07d

SHA1
330d2574b78c6bc710ea96a59976b98fe9f8ae25

SHA256
97d11f16196ae4b101a5982c5c95e3995716a84d74fdd12b5cfa56af3597e963

SHA512
b028be058bd9ff8dc24c75803aaef2e202a2b64988fc14d010bec995c5536fc6443bd7760d7820eb6a0253893cc9b7718f2d6d0d71f6c765e91be21566f316f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7132.exe
Filesize
298KB

MD5
6814153c88f95b72c2518f6aebadf07d

SHA1
330d2574b78c6bc710ea96a59976b98fe9f8ae25

SHA256
97d11f16196ae4b101a5982c5c95e3995716a84d74fdd12b5cfa56af3597e963

SHA512
b028be058bd9ff8dc24c75803aaef2e202a2b64988fc14d010bec995c5536fc6443bd7760d7820eb6a0253893cc9b7718f2d6d0d71f6c765e91be21566f316f5

Download Submit
memory/2108-1120-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/2108-236-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-1132-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-1131-0x0000000009080000-0x00000000095AC000-memory.dmp

Filesize
5.2MB

Download
memory/2108-1130-0x0000000008EA0000-0x0000000009062000-memory.dmp

Filesize
1.8MB

Download
memory/2108-1129-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-1128-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-1127-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-1126-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/2108-1125-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/2108-1124-0x0000000008A80000-0x0000000008B12000-memory.dmp

Filesize
584KB

Download
memory/2108-1123-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/2108-1121-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-1119-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/2108-207-0x00000000045C0000-0x000000000460B000-memory.dmp

Filesize
300KB

Download
memory/2108-208-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-209-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-211-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-213-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-215-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-217-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-218-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-220-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-222-0x0000000007160000-0x0000000007170000-memory.dmp

Filesize
64KB

Download
memory/2108-221-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-226-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-224-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-228-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-230-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-234-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-232-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-1118-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/2108-238-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-240-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-242-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-244-0x0000000007720000-0x000000000775E000-memory.dmp

Filesize
248KB

Download
memory/2108-1117-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3292-161-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/3904-188-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/3904-182-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-202-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3904-200-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/3904-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/3904-198-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-196-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-194-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-192-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-180-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-178-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-172-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-176-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-186-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-190-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-167-0x0000000007390000-0x0000000007934000-memory.dmp

Filesize
5.6MB

Download
memory/3904-174-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-171-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3904-170-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/3904-169-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/3904-184-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/4372-1139-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4372-1138-0x00000000001D0000-0x0000000000202000-memory.dmp

Filesize
200KB

Download