amadey | 6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160

Analysis

max time kernel
129s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe
Size

1004KB
MD5

cacdb71ce03ba51a9da4fd57233ab869
SHA1

4dc540915689665ba8405d0241a541304e26b377
SHA256

6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160
SHA512

c05cb650eef8bb9954318d60820adbe6e1b564ad48024945577f8d9e0441e4f6221a98536924ba03882b19c2d06fe09d632c3580c2fa179cb83474bc879876d1
SSDEEP

24576:4yN0yUSXvdS2/zbalbFjte6HagsaCBzlt2YFgeGwo:/NjtXv9/valb5ljCBzlM21

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor7045.exebu173519.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu173519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu173519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu173519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu173519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu173519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7045.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu173519.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7045.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3596-209-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-210-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-212-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-214-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-216-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-218-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-220-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-222-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-224-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-226-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-228-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-230-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-232-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-234-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-236-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-238-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-240-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-242-0x00000000065E0000-0x000000000661F000-memory.dmp	family_redline
behavioral1/memory/3596-470-0x0000000005EE0000-0x0000000005EF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge404760.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge404760.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina2801.exekina1178.exekina9936.exebu173519.execor7045.exedlX01s32.exeen681986.exege404760.exemetafor.exemetafor.exemetafor.exe

pid	process
4112	kina2801.exe
4816	kina1178.exe
4812	kina9936.exe
1212	bu173519.exe
1256	cor7045.exe
3596	dlX01s32.exe
3212	en681986.exe
4536	ge404760.exe
3752	metafor.exe
3412	metafor.exe
2156	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu173519.execor7045.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu173519.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7045.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7045.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina1178.exekina9936.exe6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exekina2801.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina1178.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina9936.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina2801.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1178.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4464 1256 WerFault.exe cor7045.exe
688 3596 WerFault.exe dlX01s32.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu173519.execor7045.exedlX01s32.exeen681986.exe

pid process

1212 bu173519.exe
1212 bu173519.exe
1256 cor7045.exe
1256 cor7045.exe
3596 dlX01s32.exe
3596 dlX01s32.exe
3212 en681986.exe
3212 en681986.exe

pid	pid_target	process	target process
4464	1256	WerFault.exe	cor7045.exe
688	3596	WerFault.exe	dlX01s32.exe

pid	process
664	schtasks.exe

pid	process
1212	bu173519.exe
1212	bu173519.exe
1256	cor7045.exe
1256	cor7045.exe
3596	dlX01s32.exe
3596	dlX01s32.exe
3212	en681986.exe
3212	en681986.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu173519.execor7045.exedlX01s32.exeen681986.exe

description	pid	process
Token: SeDebugPrivilege	1212	bu173519.exe
Token: SeDebugPrivilege	1256	cor7045.exe
Token: SeDebugPrivilege	3596	dlX01s32.exe
Token: SeDebugPrivilege	3212	en681986.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exekina2801.exekina1178.exekina9936.exege404760.exemetafor.execmd.exe

description	pid	process	target process
PID 3744 wrote to memory of 4112	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	kina2801.exe
PID 3744 wrote to memory of 4112	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	kina2801.exe
PID 3744 wrote to memory of 4112	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	kina2801.exe
PID 4112 wrote to memory of 4816	4112	kina2801.exe	kina1178.exe
PID 4112 wrote to memory of 4816	4112	kina2801.exe	kina1178.exe
PID 4112 wrote to memory of 4816	4112	kina2801.exe	kina1178.exe
PID 4816 wrote to memory of 4812	4816	kina1178.exe	kina9936.exe
PID 4816 wrote to memory of 4812	4816	kina1178.exe	kina9936.exe
PID 4816 wrote to memory of 4812	4816	kina1178.exe	kina9936.exe
PID 4812 wrote to memory of 1212	4812	kina9936.exe	bu173519.exe
PID 4812 wrote to memory of 1212	4812	kina9936.exe	bu173519.exe
PID 4812 wrote to memory of 1256	4812	kina9936.exe	cor7045.exe
PID 4812 wrote to memory of 1256	4812	kina9936.exe	cor7045.exe
PID 4812 wrote to memory of 1256	4812	kina9936.exe	cor7045.exe
PID 4816 wrote to memory of 3596	4816	kina1178.exe	dlX01s32.exe
PID 4816 wrote to memory of 3596	4816	kina1178.exe	dlX01s32.exe
PID 4816 wrote to memory of 3596	4816	kina1178.exe	dlX01s32.exe
PID 4112 wrote to memory of 3212	4112	kina2801.exe	en681986.exe
PID 4112 wrote to memory of 3212	4112	kina2801.exe	en681986.exe
PID 4112 wrote to memory of 3212	4112	kina2801.exe	en681986.exe
PID 3744 wrote to memory of 4536	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	ge404760.exe
PID 3744 wrote to memory of 4536	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	ge404760.exe
PID 3744 wrote to memory of 4536	3744	6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe	ge404760.exe
PID 4536 wrote to memory of 3752	4536	ge404760.exe	metafor.exe
PID 4536 wrote to memory of 3752	4536	ge404760.exe	metafor.exe
PID 4536 wrote to memory of 3752	4536	ge404760.exe	metafor.exe
PID 3752 wrote to memory of 664	3752	metafor.exe	schtasks.exe
PID 3752 wrote to memory of 664	3752	metafor.exe	schtasks.exe
PID 3752 wrote to memory of 664	3752	metafor.exe	schtasks.exe
PID 3752 wrote to memory of 2420	3752	metafor.exe	cmd.exe
PID 3752 wrote to memory of 2420	3752	metafor.exe	cmd.exe
PID 3752 wrote to memory of 2420	3752	metafor.exe	cmd.exe
PID 2420 wrote to memory of 4368	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 4368	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 4368	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1936	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1936	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1936	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4288	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4288	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4288	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 4248	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 4248	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 4248	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 2316	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 2316	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 2316	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1648	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1648	2420	cmd.exe	cacls.exe
PID 2420 wrote to memory of 1648	2420	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe
"C:\Users\Admin\AppData\Local\Temp\6a3d243ab77c57b4432752a221003b8b590ee5425b43fde18ab85d653b5f9160.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2801.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2801.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1178.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1178.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4816

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9936.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9936.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4812

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu173519.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu173519.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7045.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7045.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 1080
6⤵
- Program crash
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlX01s32.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlX01s32.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 1580
5⤵
- Program crash
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en681986.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en681986.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge404760.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge404760.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4368

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1936

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4248

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:2316

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1256 -ip 1256
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3596 -ip 3596
1⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge404760.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge404760.exe
Filesize
227KB

MD5
27932283468321b62622eaf43666d945

SHA1
9f264f9b0c6200a8687e600784b77eaabe245938

SHA256
be428535de058515aeaa13c7c51d2066348337e15689824c78413a06179fdbe5

SHA512
d9789161b04680ff46dbbb438b01ae7144fb7c1eb6a240525061d088bd01f212b12c62df67fad7bf7aea33aab88439a16ff51ea26af6ae03c5b7efc3775b0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2801.exe
Filesize
822KB

MD5
07bf93b5c40c804eaa916c96ad57b9c0

SHA1
fdac836a2cc3d7a65be71049a8908f748e4a0054

SHA256
59597e47a58104b78cc0db594e38291d8866875f240acafb7ed380bf91614fbb

SHA512
f4fc88afa278c1de74508947521be47cf7094c3ce9f01a6dd65df15878dcc4c6ff30333a7e68686633b44dfd768602db2901696de5b4e8d32c9637f9bcf7e985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina2801.exe
Filesize
822KB

MD5
07bf93b5c40c804eaa916c96ad57b9c0

SHA1
fdac836a2cc3d7a65be71049a8908f748e4a0054

SHA256
59597e47a58104b78cc0db594e38291d8866875f240acafb7ed380bf91614fbb

SHA512
f4fc88afa278c1de74508947521be47cf7094c3ce9f01a6dd65df15878dcc4c6ff30333a7e68686633b44dfd768602db2901696de5b4e8d32c9637f9bcf7e985

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en681986.exe
Filesize
175KB

MD5
c1c9d6dd86e7b0ebc67410309421bb24

SHA1
9e80bf2625401be9e4e16e10d6ba7069321ea30d

SHA256
c2cbd3d1c58d957d2ec205dc2ac771f3f207f9e99ace663141bb19915d562c6f

SHA512
4b74515daaa99bf47a932681eb0f81c5bb4a0c234013b1f1c6e5a76c049f43ef497c8e4a317f543fb0b5eea2f90d827c5a14a98b7e6d62f7ae660486943fe0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en681986.exe
Filesize
175KB

MD5
c1c9d6dd86e7b0ebc67410309421bb24

SHA1
9e80bf2625401be9e4e16e10d6ba7069321ea30d

SHA256
c2cbd3d1c58d957d2ec205dc2ac771f3f207f9e99ace663141bb19915d562c6f

SHA512
4b74515daaa99bf47a932681eb0f81c5bb4a0c234013b1f1c6e5a76c049f43ef497c8e4a317f543fb0b5eea2f90d827c5a14a98b7e6d62f7ae660486943fe0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1178.exe
Filesize
680KB

MD5
a93c89ac64387f9655b513a117fb9084

SHA1
ce1346e597eef9afaff21c51dc2fd491d522c129

SHA256
37dc59c9deb2e506f6f91a32423822ec12881c1fd97323cedda5e67cff3d1112

SHA512
7458821bd88838ff01bbfb3d7c49e40cbf77a18869e05c0cb33e0eb1af20f280082f99632462aea829ee9982d333723071939810835f0bdcd3a1521abe05766b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1178.exe
Filesize
680KB

MD5
a93c89ac64387f9655b513a117fb9084

SHA1
ce1346e597eef9afaff21c51dc2fd491d522c129

SHA256
37dc59c9deb2e506f6f91a32423822ec12881c1fd97323cedda5e67cff3d1112

SHA512
7458821bd88838ff01bbfb3d7c49e40cbf77a18869e05c0cb33e0eb1af20f280082f99632462aea829ee9982d333723071939810835f0bdcd3a1521abe05766b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlX01s32.exe
Filesize
345KB

MD5
0f3cd08adcd07fa935419ee0609f9144

SHA1
cec775b4cb13e253ad7f2e075a250460befe1625

SHA256
26b0c5a64b5446635cf8b78f00e4d1fcb4c48480191fcb51d2fe44a175955610

SHA512
e219cb5384c1a1cc1a47716e87019b52e5596aca193f0dfa8fa5c99c52b3c07a4ddfd6a5e05b591ea2da92387f212e15ba74f65954e248d74bf0672d8a23bae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlX01s32.exe
Filesize
345KB

MD5
0f3cd08adcd07fa935419ee0609f9144

SHA1
cec775b4cb13e253ad7f2e075a250460befe1625

SHA256
26b0c5a64b5446635cf8b78f00e4d1fcb4c48480191fcb51d2fe44a175955610

SHA512
e219cb5384c1a1cc1a47716e87019b52e5596aca193f0dfa8fa5c99c52b3c07a4ddfd6a5e05b591ea2da92387f212e15ba74f65954e248d74bf0672d8a23bae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9936.exe
Filesize
344KB

MD5
5cc7a0c07638bad54d186f0971abd41c

SHA1
88b76943b83d970bc4859029347e135d0f8ad823

SHA256
9e18eac297c9b4a97199366709daa790b3ea6e017ea8d138f2f8f38597375e38

SHA512
2b92fa55d4667ef3172542615defc076590bee585ecb47c40f699299b8de4c6cc446955fb09bea76a1e1f9c51b7958cb23b75c9c553a7f7635b4e8feda669a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9936.exe
Filesize
344KB

MD5
5cc7a0c07638bad54d186f0971abd41c

SHA1
88b76943b83d970bc4859029347e135d0f8ad823

SHA256
9e18eac297c9b4a97199366709daa790b3ea6e017ea8d138f2f8f38597375e38

SHA512
2b92fa55d4667ef3172542615defc076590bee585ecb47c40f699299b8de4c6cc446955fb09bea76a1e1f9c51b7958cb23b75c9c553a7f7635b4e8feda669a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu173519.exe
Filesize
11KB

MD5
51ca1ac1040845b78480127865ac0378

SHA1
3bd4dd4d620728117aa090dc828d17da6f6eb8c8

SHA256
27d0fa6fd2d83136684d43fc81540375e2e047e5a1aecd793a576879fd0fd781

SHA512
4f9cabf1e71089acbcae35a180226b5fb4dd03f084bab03c85ac10a77545d0730d6cfbd8f80ed85e9337e6f2a99cc5431db90ce892fca908bb09d9c62d5b404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu173519.exe
Filesize
11KB

MD5
51ca1ac1040845b78480127865ac0378

SHA1
3bd4dd4d620728117aa090dc828d17da6f6eb8c8

SHA256
27d0fa6fd2d83136684d43fc81540375e2e047e5a1aecd793a576879fd0fd781

SHA512
4f9cabf1e71089acbcae35a180226b5fb4dd03f084bab03c85ac10a77545d0730d6cfbd8f80ed85e9337e6f2a99cc5431db90ce892fca908bb09d9c62d5b404d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7045.exe
Filesize
291KB

MD5
b4230a6a6d42806c7a3679ee62155e33

SHA1
01c639176d619eaab58e88010ec8d51890b0e2ef

SHA256
899c4369add7da6dfdc35333dd784dff26a0cd1f5a29f2ef1b1327cc2ef37f83

SHA512
7c03d3b5279f250b1db2fd7c80817a8a45cf5ed171e77872cfb25689f75774dd0d08b576b958cd62dc2f57d9e2638ef6d67402790bb0a9e27e13116e2c5fb45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7045.exe
Filesize
291KB

MD5
b4230a6a6d42806c7a3679ee62155e33

SHA1
01c639176d619eaab58e88010ec8d51890b0e2ef

SHA256
899c4369add7da6dfdc35333dd784dff26a0cd1f5a29f2ef1b1327cc2ef37f83

SHA512
7c03d3b5279f250b1db2fd7c80817a8a45cf5ed171e77872cfb25689f75774dd0d08b576b958cd62dc2f57d9e2638ef6d67402790bb0a9e27e13116e2c5fb45a

Download Submit
memory/1212-161-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1256-180-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1256-167-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/1256-182-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-184-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-186-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-188-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-190-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-192-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-194-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-196-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-198-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-199-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1256-178-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-201-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1256-203-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1256-204-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1256-176-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-174-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-172-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-171-0x0000000002640000-0x0000000002652000-memory.dmp

Filesize
72KB

Download
memory/1256-170-0x0000000004FB0000-0x0000000005554000-memory.dmp

Filesize
5.6MB

Download
memory/1256-169-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1256-168-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/3212-1138-0x0000000000B60000-0x0000000000B92000-memory.dmp

Filesize
200KB

Download
memory/3212-1140-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/3212-1139-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/3596-214-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-230-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-232-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-234-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-236-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-238-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-240-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-242-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-466-0x0000000001A30000-0x0000000001A7B000-memory.dmp

Filesize
300KB

Download
memory/3596-470-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-467-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-1118-0x0000000006770000-0x0000000006D88000-memory.dmp

Filesize
6.1MB

Download
memory/3596-1119-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/3596-1120-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/3596-1121-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/3596-1122-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-1123-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/3596-1124-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/3596-1126-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-1127-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-1128-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3596-1129-0x0000000008E90000-0x0000000008F06000-memory.dmp

Filesize
472KB

Download
memory/3596-1130-0x0000000008F10000-0x0000000008F60000-memory.dmp

Filesize
320KB

Download
memory/3596-228-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-226-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-224-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-222-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-220-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-218-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-216-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-212-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-210-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-209-0x00000000065E0000-0x000000000661F000-memory.dmp

Filesize
252KB

Download
memory/3596-1131-0x0000000008F70000-0x0000000009132000-memory.dmp

Filesize
1.8MB

Download
memory/3596-1132-0x0000000009140000-0x000000000966C000-memory.dmp

Filesize
5.2MB

Download