amadey | b5832a44f10e577763be0f55f12b4aaea72b8a0ca4ebaa33cb4fbdc8b964199e

Analysis

max time kernel
118s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2023 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe
Size

1005KB
MD5

6b30714e2d2ed3b58ef41c3391a0292a
SHA1

4bbfa272a39ddea6cdc715d9d8ea61abf97075a1
SHA256

498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c
SHA512

da251d847f4c88bfe2897b92f706c36fb1be84fa72a983388f30c715c155b868565d5e9a4d36a44db315a02a3452e71d61b2c86c3d5f0f4c5616eadc97acb63f
SSDEEP

24576:7yGtOyuMBfUjuPTiITtKfSHbjA8KPL4bBMvWkjGzIKeczp:uGMuUjubiIsS70pD4Nfkadb

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus8068.execor3117.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus8068.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus8068.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus8068.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus8068.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus8068.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus8068.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor3117.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3204-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-212-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-210-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-214-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-217-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-221-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral2/memory/3204-246-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge514351.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge514351.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina0056.exekina3486.exekina2220.exebus8068.execor3117.exedtz72s22.exeen170934.exege514351.exemetafor.exemetafor.exemetafor.exe

pid	process
3928	kina0056.exe
2044	kina3486.exe
244	kina2220.exe
3736	bus8068.exe
4968	cor3117.exe
3204	dtz72s22.exe
3212	en170934.exe
4032	ge514351.exe
2744	metafor.exe
4248	metafor.exe
2312	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus8068.execor3117.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus8068.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor3117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor3117.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina2220.exe498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exekina0056.exekina3486.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina2220.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina0056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina0056.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3486.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina3486.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2188 4968 WerFault.exe cor3117.exe
4284 3204 WerFault.exe dtz72s22.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus8068.execor3117.exedtz72s22.exeen170934.exe

pid process

3736 bus8068.exe
3736 bus8068.exe
4968 cor3117.exe
4968 cor3117.exe
3204 dtz72s22.exe
3204 dtz72s22.exe
3212 en170934.exe
3212 en170934.exe

pid	pid_target	process	target process
2188	4968	WerFault.exe	cor3117.exe
4284	3204	WerFault.exe	dtz72s22.exe

pid	process
1648	schtasks.exe

pid	process
3736	bus8068.exe
3736	bus8068.exe
4968	cor3117.exe
4968	cor3117.exe
3204	dtz72s22.exe
3204	dtz72s22.exe
3212	en170934.exe
3212	en170934.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus8068.execor3117.exedtz72s22.exeen170934.exe

description	pid	process
Token: SeDebugPrivilege	3736	bus8068.exe
Token: SeDebugPrivilege	4968	cor3117.exe
Token: SeDebugPrivilege	3204	dtz72s22.exe
Token: SeDebugPrivilege	3212	en170934.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exekina0056.exekina3486.exekina2220.exege514351.exemetafor.execmd.exe

description	pid	process	target process
PID 4388 wrote to memory of 3928	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	kina0056.exe
PID 4388 wrote to memory of 3928	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	kina0056.exe
PID 4388 wrote to memory of 3928	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	kina0056.exe
PID 3928 wrote to memory of 2044	3928	kina0056.exe	kina3486.exe
PID 3928 wrote to memory of 2044	3928	kina0056.exe	kina3486.exe
PID 3928 wrote to memory of 2044	3928	kina0056.exe	kina3486.exe
PID 2044 wrote to memory of 244	2044	kina3486.exe	kina2220.exe
PID 2044 wrote to memory of 244	2044	kina3486.exe	kina2220.exe
PID 2044 wrote to memory of 244	2044	kina3486.exe	kina2220.exe
PID 244 wrote to memory of 3736	244	kina2220.exe	bus8068.exe
PID 244 wrote to memory of 3736	244	kina2220.exe	bus8068.exe
PID 244 wrote to memory of 4968	244	kina2220.exe	cor3117.exe
PID 244 wrote to memory of 4968	244	kina2220.exe	cor3117.exe
PID 244 wrote to memory of 4968	244	kina2220.exe	cor3117.exe
PID 2044 wrote to memory of 3204	2044	kina3486.exe	dtz72s22.exe
PID 2044 wrote to memory of 3204	2044	kina3486.exe	dtz72s22.exe
PID 2044 wrote to memory of 3204	2044	kina3486.exe	dtz72s22.exe
PID 3928 wrote to memory of 3212	3928	kina0056.exe	en170934.exe
PID 3928 wrote to memory of 3212	3928	kina0056.exe	en170934.exe
PID 3928 wrote to memory of 3212	3928	kina0056.exe	en170934.exe
PID 4388 wrote to memory of 4032	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	ge514351.exe
PID 4388 wrote to memory of 4032	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	ge514351.exe
PID 4388 wrote to memory of 4032	4388	498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe	ge514351.exe
PID 4032 wrote to memory of 2744	4032	ge514351.exe	metafor.exe
PID 4032 wrote to memory of 2744	4032	ge514351.exe	metafor.exe
PID 4032 wrote to memory of 2744	4032	ge514351.exe	metafor.exe
PID 2744 wrote to memory of 1648	2744	metafor.exe	schtasks.exe
PID 2744 wrote to memory of 1648	2744	metafor.exe	schtasks.exe
PID 2744 wrote to memory of 1648	2744	metafor.exe	schtasks.exe
PID 2744 wrote to memory of 5076	2744	metafor.exe	cmd.exe
PID 2744 wrote to memory of 5076	2744	metafor.exe	cmd.exe
PID 2744 wrote to memory of 5076	2744	metafor.exe	cmd.exe
PID 5076 wrote to memory of 4240	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 4240	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 4240	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 2868	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 2868	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 2868	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3108	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3108	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3108	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 1544	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 1544	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 1544	5076	cmd.exe	cmd.exe
PID 5076 wrote to memory of 4788	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 4788	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 4788	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3424	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3424	5076	cmd.exe	cacls.exe
PID 5076 wrote to memory of 3424	5076	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe
"C:\Users\Admin\AppData\Local\Temp\498c270d2379322070b1e104289d9338f374f85acf0f48c74d33f84da8a98e8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0056.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0056.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3486.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3486.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2220.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2220.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:244

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8068.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8068.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3117.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3117.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 1080
6⤵
- Program crash
PID:2188

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dtz72s22.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dtz72s22.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1160
5⤵
- Program crash
PID:4284

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en170934.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en170934.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge514351.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge514351.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4240

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2868

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1544

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4788

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4968 -ip 4968
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3204 -ip 3204
1⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge514351.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge514351.exe
Filesize
226KB

MD5
309ef0e299ef58fb2096a6a33b59d174

SHA1
60d1a2fd9449299a3a755455cac4b8f97cf0850b

SHA256
275e36e7cc4de7503e68e99eb0b9abd40fddcb408e4ddf2af288445c796554e1

SHA512
fd17ccd3bcff576583c2edcf17ae6dba524c6a57af17122e35ca2e1b902b12e264b2fb86cde0b730c66d8c2c07f4459a88586304ef9b40034f3525a22224127a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0056.exe
Filesize
823KB

MD5
1a96f43fd5d555547c2fc8e9caaf1f97

SHA1
ccebda67b049d5700d7addb7c15578aa0757cfcb

SHA256
b0fde75dd8273e84c0e14c72e730ef383b5bd91dfd9cf0667a2c3ee6af87b691

SHA512
960bf27d682875c2997b126cc6637bdf34ad12983888a8032087395e58f45d553cc1e43dee6c89cce6e52e1b93a682c788e9cd4a88427aaf8886fcc03c202a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0056.exe
Filesize
823KB

MD5
1a96f43fd5d555547c2fc8e9caaf1f97

SHA1
ccebda67b049d5700d7addb7c15578aa0757cfcb

SHA256
b0fde75dd8273e84c0e14c72e730ef383b5bd91dfd9cf0667a2c3ee6af87b691

SHA512
960bf27d682875c2997b126cc6637bdf34ad12983888a8032087395e58f45d553cc1e43dee6c89cce6e52e1b93a682c788e9cd4a88427aaf8886fcc03c202a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en170934.exe
Filesize
175KB

MD5
3934d8598d6d2beea97e1328a732ea12

SHA1
1b8930aa30695090457e717804179cf7ffa6ad96

SHA256
d5b76b0da9fe10b2e40f0dfb8eb0118a6ebfcbfb78994c61df8335f4729ceafc

SHA512
2eaa1caff5a4a06c50cba857c6a44b8bae7ba0e9eedfcebeacac41e3b290579f3bc6951f1589da87369ab491484a3aea0458fbb049044edeb2df8f603c8950e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en170934.exe
Filesize
175KB

MD5
3934d8598d6d2beea97e1328a732ea12

SHA1
1b8930aa30695090457e717804179cf7ffa6ad96

SHA256
d5b76b0da9fe10b2e40f0dfb8eb0118a6ebfcbfb78994c61df8335f4729ceafc

SHA512
2eaa1caff5a4a06c50cba857c6a44b8bae7ba0e9eedfcebeacac41e3b290579f3bc6951f1589da87369ab491484a3aea0458fbb049044edeb2df8f603c8950e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3486.exe
Filesize
681KB

MD5
46b98687914fe7a7f0a933be7535d846

SHA1
79bedfaa155149be55184f870f25bab54808317c

SHA256
dcd6f5b458bba13125f754bee26a2fae5be6f8481afb3b458a504ed4fa6289b9

SHA512
1e5562e11e68b45d76c7f45d3358337ab838fd7e7f2361d092847c2a05deb36f95f6ac52ef621857d72b3dad937d8e007f5e61042511ce8492ef3b0993b17040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina3486.exe
Filesize
681KB

MD5
46b98687914fe7a7f0a933be7535d846

SHA1
79bedfaa155149be55184f870f25bab54808317c

SHA256
dcd6f5b458bba13125f754bee26a2fae5be6f8481afb3b458a504ed4fa6289b9

SHA512
1e5562e11e68b45d76c7f45d3358337ab838fd7e7f2361d092847c2a05deb36f95f6ac52ef621857d72b3dad937d8e007f5e61042511ce8492ef3b0993b17040

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dtz72s22.exe
Filesize
349KB

MD5
5daa88ff5c4a3e0a00a0b5b2e1587902

SHA1
5f33107197818e543d0b3112e454c296f2cba15b

SHA256
7a52ecaa19397ee64b9cfbeb2160478e48ee7d6a934c9475a7c35690c7d8222a

SHA512
5a786266cd995ae23857d058316e3f0cd70ec4c3183a5860502ed09ca37e71eb5a61a1eb462deb612ef4680532bf0c831a41bec43d9fc7c5fcdc9a87b352dae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dtz72s22.exe
Filesize
349KB

MD5
5daa88ff5c4a3e0a00a0b5b2e1587902

SHA1
5f33107197818e543d0b3112e454c296f2cba15b

SHA256
7a52ecaa19397ee64b9cfbeb2160478e48ee7d6a934c9475a7c35690c7d8222a

SHA512
5a786266cd995ae23857d058316e3f0cd70ec4c3183a5860502ed09ca37e71eb5a61a1eb462deb612ef4680532bf0c831a41bec43d9fc7c5fcdc9a87b352dae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2220.exe
Filesize
330KB

MD5
288c4a1ff2c158b3ea7bf4fd96038789

SHA1
db7e9889ec660f0fe018df8f40e0b60445770246

SHA256
b89fb6bfcbd12bb67f1c64418af599b5065d451a94c95fb6c0ad14d05fc99fcf

SHA512
a7035d899cbcb8638a713c3d35e8e715b21dbfa565da990e41b55daf24221a043a18fa7d219963ef285be9f19403e819dd178b3b92d81a3f1759deac36ce45e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina2220.exe
Filesize
330KB

MD5
288c4a1ff2c158b3ea7bf4fd96038789

SHA1
db7e9889ec660f0fe018df8f40e0b60445770246

SHA256
b89fb6bfcbd12bb67f1c64418af599b5065d451a94c95fb6c0ad14d05fc99fcf

SHA512
a7035d899cbcb8638a713c3d35e8e715b21dbfa565da990e41b55daf24221a043a18fa7d219963ef285be9f19403e819dd178b3b92d81a3f1759deac36ce45e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8068.exe
Filesize
11KB

MD5
011e97057df685ee7620914e53d80c08

SHA1
ac78a1ebffc0cce4e987c17d79c8c61db8d4323f

SHA256
a4941dfa59a520e9bcd49d313a2db0770789e7df586131061fe0d5960920941f

SHA512
8834c2e0977eec550529ca8d3a8956849df2834c8667e8623adc83ec665610a4b1e03f1d1e007d083c5d8e79dc5af84a79ceff3af5dcaca7f4b2c8579bc1e2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus8068.exe
Filesize
11KB

MD5
011e97057df685ee7620914e53d80c08

SHA1
ac78a1ebffc0cce4e987c17d79c8c61db8d4323f

SHA256
a4941dfa59a520e9bcd49d313a2db0770789e7df586131061fe0d5960920941f

SHA512
8834c2e0977eec550529ca8d3a8956849df2834c8667e8623adc83ec665610a4b1e03f1d1e007d083c5d8e79dc5af84a79ceff3af5dcaca7f4b2c8579bc1e2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3117.exe
Filesize
257KB

MD5
92fcc9d0ee6be12782206e33de264add

SHA1
bd12e1e644493f56c527cef3590a16829c3fd17e

SHA256
08ba86b2f2c8ff4e87bded5738f3cd973ce4a3c2be480e466e293bd5af423530

SHA512
436f346e1afa9661e7b8eba07bf864accbd8e90f549e1ca2685f8ee29592cd20ecd0b5322b41af173538aa148740126065b17b0b4d1f0c2f5ce29ea078342df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor3117.exe
Filesize
257KB

MD5
92fcc9d0ee6be12782206e33de264add

SHA1
bd12e1e644493f56c527cef3590a16829c3fd17e

SHA256
08ba86b2f2c8ff4e87bded5738f3cd973ce4a3c2be480e466e293bd5af423530

SHA512
436f346e1afa9661e7b8eba07bf864accbd8e90f549e1ca2685f8ee29592cd20ecd0b5322b41af173538aa148740126065b17b0b4d1f0c2f5ce29ea078342df1

Download Submit
memory/3204-1123-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-1134-0x00000000070F0000-0x0000000007140000-memory.dmp

Filesize
320KB

Download
memory/3204-1133-0x0000000007050000-0x00000000070C6000-memory.dmp

Filesize
472KB

Download
memory/3204-1132-0x0000000006A00000-0x0000000006F2C000-memory.dmp

Filesize
5.2MB

Download
memory/3204-1131-0x0000000006830000-0x00000000069F2000-memory.dmp

Filesize
1.8MB

Download
memory/3204-1130-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-1129-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-1128-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-1127-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-1125-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3204-1124-0x0000000005E10000-0x0000000005EA2000-memory.dmp

Filesize
584KB

Download
memory/3204-1122-0x0000000005B20000-0x0000000005B5C000-memory.dmp

Filesize
240KB

Download
memory/3204-1121-0x0000000005B00000-0x0000000005B12000-memory.dmp

Filesize
72KB

Download
memory/3204-1120-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3204-1119-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/3204-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-212-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-210-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-214-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-217-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-216-0x0000000000B60000-0x0000000000BAB000-memory.dmp

Filesize
300KB

Download
memory/3204-218-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-220-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-223-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3204-221-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-246-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3204-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/3212-1140-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

Filesize
200KB

Download
memory/3212-1141-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3736-161-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4968-201-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4968-187-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-177-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-183-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-200-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/4968-199-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-197-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-195-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-193-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-191-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-189-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-202-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4968-185-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-173-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-172-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-204-0x0000000000400000-0x0000000000703000-memory.dmp

Filesize
3.0MB

Download
memory/4968-181-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-175-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/4968-170-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4968-171-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4968-169-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/4968-168-0x0000000002360000-0x000000000238D000-memory.dmp

Filesize
180KB

Download
memory/4968-167-0x0000000004E00000-0x00000000053A4000-memory.dmp

Filesize
5.6MB

Download
memory/4968-179-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download