amadey | 42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2

Analysis

max time kernel
135s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe
Size

1005KB
MD5

08376b54e3f6be3934e041093e41e075
SHA1

ea2037f46d585170ce77b8198212f3c4497dc0b1
SHA256

42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2
SHA512

c7e30b4738c99d6f6367934770379f7ad88e7d4fb357503e464c059ed700fef685e64d461063da6dbb4c105e6f9c0eca138fa0728b5afd8f0af436df863b5df8
SSDEEP

24576:cypCKNjaU5LVCGz03UaBjT+3WwmJ1dpZagCq5pqG9nLS:LpZ1Vl0kaJ+3WwmDD75QknL

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor1008.exebu349673.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1008.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1008.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu349673.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1008.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/868-211-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-213-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-210-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-215-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-217-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-219-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-221-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-223-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-225-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-227-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-229-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-231-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-233-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-235-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-237-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-239-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-241-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline
behavioral1/memory/868-244-0x00000000065D0000-0x000000000660F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge992453.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge992453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina5579.exekina5234.exekina4563.exebu349673.execor1008.exedke12s58.exeen335096.exege992453.exemetafor.exemetafor.exemetafor.exe

pid	process
4128	kina5579.exe
3056	kina5234.exe
908	kina4563.exe
1648	bu349673.exe
4352	cor1008.exe
868	dke12s58.exe
1988	en335096.exe
412	ge992453.exe
4748	metafor.exe
2904	metafor.exe
3332	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu349673.execor1008.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu349673.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1008.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina5234.exekina4563.exe42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exekina5579.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina5234.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina4563.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina4563.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5579.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina5579.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5234.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

720 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2548 4352 WerFault.exe cor1008.exe
1824 868 WerFault.exe dke12s58.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu349673.execor1008.exedke12s58.exeen335096.exe

pid process

1648 bu349673.exe
1648 bu349673.exe
4352 cor1008.exe
4352 cor1008.exe
868 dke12s58.exe
868 dke12s58.exe
1988 en335096.exe
1988 en335096.exe

pid	process
720	sc.exe

pid	pid_target	process	target process
2548	4352	WerFault.exe	cor1008.exe
1824	868	WerFault.exe	dke12s58.exe

pid	process
2928	schtasks.exe

pid	process
1648	bu349673.exe
1648	bu349673.exe
4352	cor1008.exe
4352	cor1008.exe
868	dke12s58.exe
868	dke12s58.exe
1988	en335096.exe
1988	en335096.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu349673.execor1008.exedke12s58.exeen335096.exe

description	pid	process
Token: SeDebugPrivilege	1648	bu349673.exe
Token: SeDebugPrivilege	4352	cor1008.exe
Token: SeDebugPrivilege	868	dke12s58.exe
Token: SeDebugPrivilege	1988	en335096.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exekina5579.exekina5234.exekina4563.exege992453.exemetafor.execmd.exe

description	pid	process	target process
PID 4872 wrote to memory of 4128	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	kina5579.exe
PID 4872 wrote to memory of 4128	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	kina5579.exe
PID 4872 wrote to memory of 4128	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	kina5579.exe
PID 4128 wrote to memory of 3056	4128	kina5579.exe	kina5234.exe
PID 4128 wrote to memory of 3056	4128	kina5579.exe	kina5234.exe
PID 4128 wrote to memory of 3056	4128	kina5579.exe	kina5234.exe
PID 3056 wrote to memory of 908	3056	kina5234.exe	kina4563.exe
PID 3056 wrote to memory of 908	3056	kina5234.exe	kina4563.exe
PID 3056 wrote to memory of 908	3056	kina5234.exe	kina4563.exe
PID 908 wrote to memory of 1648	908	kina4563.exe	bu349673.exe
PID 908 wrote to memory of 1648	908	kina4563.exe	bu349673.exe
PID 908 wrote to memory of 4352	908	kina4563.exe	cor1008.exe
PID 908 wrote to memory of 4352	908	kina4563.exe	cor1008.exe
PID 908 wrote to memory of 4352	908	kina4563.exe	cor1008.exe
PID 3056 wrote to memory of 868	3056	kina5234.exe	dke12s58.exe
PID 3056 wrote to memory of 868	3056	kina5234.exe	dke12s58.exe
PID 3056 wrote to memory of 868	3056	kina5234.exe	dke12s58.exe
PID 4128 wrote to memory of 1988	4128	kina5579.exe	en335096.exe
PID 4128 wrote to memory of 1988	4128	kina5579.exe	en335096.exe
PID 4128 wrote to memory of 1988	4128	kina5579.exe	en335096.exe
PID 4872 wrote to memory of 412	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	ge992453.exe
PID 4872 wrote to memory of 412	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	ge992453.exe
PID 4872 wrote to memory of 412	4872	42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe	ge992453.exe
PID 412 wrote to memory of 4748	412	ge992453.exe	metafor.exe
PID 412 wrote to memory of 4748	412	ge992453.exe	metafor.exe
PID 412 wrote to memory of 4748	412	ge992453.exe	metafor.exe
PID 4748 wrote to memory of 2928	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 2928	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 2928	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 4916	4748	metafor.exe	cmd.exe
PID 4748 wrote to memory of 4916	4748	metafor.exe	cmd.exe
PID 4748 wrote to memory of 4916	4748	metafor.exe	cmd.exe
PID 4916 wrote to memory of 3264	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 3264	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 3264	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 5056	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 5056	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 5056	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1484	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1484	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1484	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1492	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 1492	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 1492	4916	cmd.exe	cmd.exe
PID 4916 wrote to memory of 1872	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1872	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 1872	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 5092	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 5092	4916	cmd.exe	cacls.exe
PID 4916 wrote to memory of 5092	4916	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe
"C:\Users\Admin\AppData\Local\Temp\42338005c2737dece9b2f888a24d852f44559001e86c245ce7f41697e94375d2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5579.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5579.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5234.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5234.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4563.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4563.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu349673.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu349673.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1008.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1008.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1080
6⤵
- Program crash
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dke12s58.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dke12s58.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 1352
5⤵
- Program crash
PID:1824

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en335096.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en335096.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge992453.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge992453.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3264

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:5056

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1492

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1872

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4352 -ip 4352
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 868 -ip 868
1⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge992453.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge992453.exe

Filesize
227KB

MD5
7aa968f0e577e21b86b7c7df9993c130

SHA1
01173dff1fd3f79e2c51e2693bee3b62b7c9f7ce

SHA256
3ebfcb7dc0902c1519ccc7dd5a7b7bb54aa8864657c2d66c938d1ce8f9bc5413

SHA512
042be991bdae2e9e30d6479436ef690fbee7019249cbd11cbd4bb66b1043b9a0e2fe44eafc0a7c2d4108c7c1e9990c5449f65d398e1e952d4781bea3d8e4f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5579.exe

Filesize
823KB

MD5
ad83550119e7910306508068f0e40822

SHA1
642bd066f0b5d7742d7921fa30671782a09d1261

SHA256
6824ecddbe217199ecf9dbc6e511e61c6f2cfe77815921f96fb3dc47b817f876

SHA512
ce013073595fefa9dc1b32b2cbe962736bc861fab91c8788581410a72af099805c20338738ffdde6f35381c0a5b58f60c3b38a5c327c20909bad6006e01fe072

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5579.exe

Filesize
823KB

MD5
ad83550119e7910306508068f0e40822

SHA1
642bd066f0b5d7742d7921fa30671782a09d1261

SHA256
6824ecddbe217199ecf9dbc6e511e61c6f2cfe77815921f96fb3dc47b817f876

SHA512
ce013073595fefa9dc1b32b2cbe962736bc861fab91c8788581410a72af099805c20338738ffdde6f35381c0a5b58f60c3b38a5c327c20909bad6006e01fe072

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en335096.exe

Filesize
175KB

MD5
12d01cc3cd95c27fbc7b957e4633c319

SHA1
2ef7ca94a9685c48ea3eb92c270cb2e71bd5925c

SHA256
20fca29406c28be7355ac31ee57cbeb495477c22923e8fe23f13338ceba45555

SHA512
248370b4cb08a107dec0eeed27421dfde85ee48757dfcadf6822733380406dc8d34d0ba85107e8bcf2e020a3a98e80c206bc4f0ef9d653058f6ac8bf5140aa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en335096.exe

Filesize
175KB

MD5
12d01cc3cd95c27fbc7b957e4633c319

SHA1
2ef7ca94a9685c48ea3eb92c270cb2e71bd5925c

SHA256
20fca29406c28be7355ac31ee57cbeb495477c22923e8fe23f13338ceba45555

SHA512
248370b4cb08a107dec0eeed27421dfde85ee48757dfcadf6822733380406dc8d34d0ba85107e8bcf2e020a3a98e80c206bc4f0ef9d653058f6ac8bf5140aa83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5234.exe

Filesize
681KB

MD5
f94d2325df24c9261d3d05d6497fc363

SHA1
c496b2230a15223ffbeef7f7dcfed9fdfa61bee6

SHA256
2688214cf223d0a24771494aad32913621d7f5782ab4cf623d3d4797d30c6334

SHA512
74fcba75367303e74bea36009fa2f291999e21ba3fc67e13b9b82479167bb6c048eeeb0e3d292bc05b99671725b61f5ff1637f66bca9ad8e77d05554d5f84ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina5234.exe

Filesize
681KB

MD5
f94d2325df24c9261d3d05d6497fc363

SHA1
c496b2230a15223ffbeef7f7dcfed9fdfa61bee6

SHA256
2688214cf223d0a24771494aad32913621d7f5782ab4cf623d3d4797d30c6334

SHA512
74fcba75367303e74bea36009fa2f291999e21ba3fc67e13b9b82479167bb6c048eeeb0e3d292bc05b99671725b61f5ff1637f66bca9ad8e77d05554d5f84ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dke12s58.exe

Filesize
345KB

MD5
956b7076c9f54b17e429b61bb566e03e

SHA1
3360b6e8274e5bfdf39e7f3e6b55d9a19d01a825

SHA256
2a217fb03deab552c6c7bcfc169ba9f20adfbb7c3bc8faa9dd096412f0b020d4

SHA512
d3ba6a8cfbd3cd6f7673a11803f8ec2d1833f6cff080686d754023d6a1c324dd243a22f6f2835aac82f9c9cbe05e42d29f7bd0ec99690a0623bca6460520ad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dke12s58.exe

Filesize
345KB

MD5
956b7076c9f54b17e429b61bb566e03e

SHA1
3360b6e8274e5bfdf39e7f3e6b55d9a19d01a825

SHA256
2a217fb03deab552c6c7bcfc169ba9f20adfbb7c3bc8faa9dd096412f0b020d4

SHA512
d3ba6a8cfbd3cd6f7673a11803f8ec2d1833f6cff080686d754023d6a1c324dd243a22f6f2835aac82f9c9cbe05e42d29f7bd0ec99690a0623bca6460520ad96

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4563.exe

Filesize
344KB

MD5
d756535cc4b93cddf1e71ddee2e863bd

SHA1
6dfb43dc176b8bbf3f56f3737bf5e2644e0b242c

SHA256
5f6022c410da76bc3377b0a7845d4e293e21ebf3e2c82b3bfb04da13fb29c635

SHA512
8a4e443c27c36ca6dae050b8996063047ea2fc6cc354368550b66f1acf439137d73b3c93a1e68ee2febb723281654261abecab68e7da4775b9a4c3edd68f1079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina4563.exe

Filesize
344KB

MD5
d756535cc4b93cddf1e71ddee2e863bd

SHA1
6dfb43dc176b8bbf3f56f3737bf5e2644e0b242c

SHA256
5f6022c410da76bc3377b0a7845d4e293e21ebf3e2c82b3bfb04da13fb29c635

SHA512
8a4e443c27c36ca6dae050b8996063047ea2fc6cc354368550b66f1acf439137d73b3c93a1e68ee2febb723281654261abecab68e7da4775b9a4c3edd68f1079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu349673.exe

Filesize
11KB

MD5
156146d82dcc5dd050a5f3e1fda1627b

SHA1
3528e1d56b2c3f44f00a3866eccee4d0f83f3147

SHA256
797716cd799c196bdb354d1466c57a01f543ab98300af711f0ece92207be3a60

SHA512
dd12ba0be6a2697fd68aae5baea9d0f37b1aab3cbd378e5aac2769c3c36eda4973544353eac453a4c20b38c981e971b7fca49dfde9361fd2e29f7e9b0776d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu349673.exe

Filesize
11KB

MD5
156146d82dcc5dd050a5f3e1fda1627b

SHA1
3528e1d56b2c3f44f00a3866eccee4d0f83f3147

SHA256
797716cd799c196bdb354d1466c57a01f543ab98300af711f0ece92207be3a60

SHA512
dd12ba0be6a2697fd68aae5baea9d0f37b1aab3cbd378e5aac2769c3c36eda4973544353eac453a4c20b38c981e971b7fca49dfde9361fd2e29f7e9b0776d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1008.exe

Filesize
291KB

MD5
00c7f95033893c84ac70d0644e4d4169

SHA1
37f290252a7ff55c08f24a7d873fb970da34ac35

SHA256
9e00f96620543c1905f4812e3ec29be8c53230c740d19971b060d43347e55ac0

SHA512
0a56e4d88e1bb12e9edd15b8cac1098ebe56256d089c71a8880bc225b16ef21a2fe9daffa182c24d03e5de307eb40f5ff0c7ae3bcda2491f5f0a7624120a1946

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1008.exe

Filesize
291KB

MD5
00c7f95033893c84ac70d0644e4d4169

SHA1
37f290252a7ff55c08f24a7d873fb970da34ac35

SHA256
9e00f96620543c1905f4812e3ec29be8c53230c740d19971b060d43347e55ac0

SHA512
0a56e4d88e1bb12e9edd15b8cac1098ebe56256d089c71a8880bc225b16ef21a2fe9daffa182c24d03e5de307eb40f5ff0c7ae3bcda2491f5f0a7624120a1946

Download Submit
memory/868-1123-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/868-241-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-1135-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-1134-0x0000000007F20000-0x000000000844C000-memory.dmp

Filesize
5.2MB

Download
memory/868-1133-0x0000000007D40000-0x0000000007F02000-memory.dmp

Filesize
1.8MB

Download
memory/868-1132-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-1131-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-1130-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-1129-0x0000000007A90000-0x0000000007AE0000-memory.dmp

Filesize
320KB

Download
memory/868-1128-0x0000000007A00000-0x0000000007A76000-memory.dmp

Filesize
472KB

Download
memory/868-1126-0x0000000007300000-0x0000000007366000-memory.dmp

Filesize
408KB

Download
memory/868-1125-0x0000000007260000-0x00000000072F2000-memory.dmp

Filesize
584KB

Download
memory/868-1124-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-1122-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/868-1121-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/868-1120-0x0000000006770000-0x0000000006D88000-memory.dmp

Filesize
6.1MB

Download
memory/868-250-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-211-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-213-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-210-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-215-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-217-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-219-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-221-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-223-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-225-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-227-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-229-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-231-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-233-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-235-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-237-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-239-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-243-0x0000000001A30000-0x0000000001A7B000-memory.dmp

Filesize
300KB

Download
memory/868-245-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/868-244-0x00000000065D0000-0x000000000660F000-memory.dmp

Filesize
252KB

Download
memory/868-248-0x0000000005E90000-0x0000000005EA0000-memory.dmp

Filesize
64KB

Download
memory/1648-161-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1988-1141-0x0000000000E40000-0x0000000000E72000-memory.dmp

Filesize
200KB

Download
memory/1988-1143-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/1988-1142-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/4352-201-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-177-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-203-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-185-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4352-199-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-198-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-197-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-195-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-193-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-191-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-189-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-187-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-179-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-175-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-204-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-205-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4352-183-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-173-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-171-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-170-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/4352-169-0x0000000005120000-0x00000000056C4000-memory.dmp

Filesize
5.6MB

Download
memory/4352-168-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4352-167-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4352-181-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download