amadey | 690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8

Analysis

max time kernel
136s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe
Size

1004KB
MD5

90ea4b12228977dc872ea1efe1ea50cc
SHA1

91ac74138528717e855a2d75d987e134d7dd3646
SHA256

690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8
SHA512

9fd4d58a6314e442d712ed5fa41eba716b316b5e83fd8930546b52aa4339a9e7d86814c3874c014425e7fd725785f8af00bb1febce7ae367d716d82eb5dcad74
SSDEEP

12288:3Mrly90JImIxFvhFkbn72BMT5yYq/EUh94cQcC5v3aKFmJ5vo7infiPN73a2mhsQ:2yFmg+AMlmhsh3aymJ5UinaPNja11v

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu765375.execor1980.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu765375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu765375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu765375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu765375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1980.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu765375.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu765375.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1980.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/632-210-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-211-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-213-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-215-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-217-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-219-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-221-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-223-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-225-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-227-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-229-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-231-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-233-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-235-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-237-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-239-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-241-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-243-0x0000000003B90000-0x0000000003BCF000-memory.dmp	family_redline
behavioral1/memory/632-1130-0x0000000006390000-0x00000000063A0000-memory.dmp	family_redline
behavioral1/memory/632-1131-0x0000000006390000-0x00000000063A0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge633455.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge633455.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 11 IoCs

Processes:

kina3646.exekina1485.exekina9304.exebu765375.execor1980.exedjo15s46.exeen992524.exege633455.exemetafor.exemetafor.exemetafor.exe

pid	process
3180	kina3646.exe
4808	kina1485.exe
2288	kina9304.exe
1564	bu765375.exe
1180	cor1980.exe
632	djo15s46.exe
3868	en992524.exe
528	ge633455.exe
3952	metafor.exe
3172	metafor.exe
1932	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor1980.exebu765375.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu765375.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1980.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina3646.exekina1485.exekina9304.exe690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3646.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3646.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina1485.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina9304.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1656 1180 WerFault.exe cor1980.exe
4508 632 WerFault.exe djo15s46.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4060 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu765375.execor1980.exedjo15s46.exeen992524.exe

pid process

1564 bu765375.exe
1564 bu765375.exe
1180 cor1980.exe
1180 cor1980.exe
632 djo15s46.exe
632 djo15s46.exe
3868 en992524.exe
3868 en992524.exe

pid	pid_target	process	target process
1656	1180	WerFault.exe	cor1980.exe
4508	632	WerFault.exe	djo15s46.exe

pid	process
4060	schtasks.exe

pid	process
1564	bu765375.exe
1564	bu765375.exe
1180	cor1980.exe
1180	cor1980.exe
632	djo15s46.exe
632	djo15s46.exe
3868	en992524.exe
3868	en992524.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu765375.execor1980.exedjo15s46.exeen992524.exe

description	pid	process
Token: SeDebugPrivilege	1564	bu765375.exe
Token: SeDebugPrivilege	1180	cor1980.exe
Token: SeDebugPrivilege	632	djo15s46.exe
Token: SeDebugPrivilege	3868	en992524.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exekina3646.exekina1485.exekina9304.exege633455.exemetafor.execmd.exe

description	pid	process	target process
PID 1916 wrote to memory of 3180	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	kina3646.exe
PID 1916 wrote to memory of 3180	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	kina3646.exe
PID 1916 wrote to memory of 3180	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	kina3646.exe
PID 3180 wrote to memory of 4808	3180	kina3646.exe	kina1485.exe
PID 3180 wrote to memory of 4808	3180	kina3646.exe	kina1485.exe
PID 3180 wrote to memory of 4808	3180	kina3646.exe	kina1485.exe
PID 4808 wrote to memory of 2288	4808	kina1485.exe	kina9304.exe
PID 4808 wrote to memory of 2288	4808	kina1485.exe	kina9304.exe
PID 4808 wrote to memory of 2288	4808	kina1485.exe	kina9304.exe
PID 2288 wrote to memory of 1564	2288	kina9304.exe	bu765375.exe
PID 2288 wrote to memory of 1564	2288	kina9304.exe	bu765375.exe
PID 2288 wrote to memory of 1180	2288	kina9304.exe	cor1980.exe
PID 2288 wrote to memory of 1180	2288	kina9304.exe	cor1980.exe
PID 2288 wrote to memory of 1180	2288	kina9304.exe	cor1980.exe
PID 4808 wrote to memory of 632	4808	kina1485.exe	djo15s46.exe
PID 4808 wrote to memory of 632	4808	kina1485.exe	djo15s46.exe
PID 4808 wrote to memory of 632	4808	kina1485.exe	djo15s46.exe
PID 3180 wrote to memory of 3868	3180	kina3646.exe	en992524.exe
PID 3180 wrote to memory of 3868	3180	kina3646.exe	en992524.exe
PID 3180 wrote to memory of 3868	3180	kina3646.exe	en992524.exe
PID 1916 wrote to memory of 528	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	ge633455.exe
PID 1916 wrote to memory of 528	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	ge633455.exe
PID 1916 wrote to memory of 528	1916	690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe	ge633455.exe
PID 528 wrote to memory of 3952	528	ge633455.exe	metafor.exe
PID 528 wrote to memory of 3952	528	ge633455.exe	metafor.exe
PID 528 wrote to memory of 3952	528	ge633455.exe	metafor.exe
PID 3952 wrote to memory of 4060	3952	metafor.exe	schtasks.exe
PID 3952 wrote to memory of 4060	3952	metafor.exe	schtasks.exe
PID 3952 wrote to memory of 4060	3952	metafor.exe	schtasks.exe
PID 3952 wrote to memory of 1308	3952	metafor.exe	cmd.exe
PID 3952 wrote to memory of 1308	3952	metafor.exe	cmd.exe
PID 3952 wrote to memory of 1308	3952	metafor.exe	cmd.exe
PID 1308 wrote to memory of 1696	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 1696	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 1696	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 536	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 536	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 536	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 1052	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 1052	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 1052	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 3896	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 3896	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 3896	1308	cmd.exe	cmd.exe
PID 1308 wrote to memory of 3736	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 3736	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 3736	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 4764	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 4764	1308	cmd.exe	cacls.exe
PID 1308 wrote to memory of 4764	1308	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe
"C:\Users\Admin\AppData\Local\Temp\690757d17926cf1303246e5bc39b755143cbaeed10d11caf04a4bffbc91fd4d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3646.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3646.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1485.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9304.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9304.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu765375.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu765375.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1980.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1980.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1028
6⤵
- Program crash
PID:1656

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djo15s46.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djo15s46.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1360
5⤵
- Program crash
PID:4508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en992524.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en992524.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge633455.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge633455.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1696

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:536

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3896

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3736

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1180 -ip 1180
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 632 -ip 632
1⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3172

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge633455.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge633455.exe
Filesize
227KB

MD5
87531b759fbe28de78565ed5dd4e13aa

SHA1
73ccb46651297c9cc06d7bbfee7e0189863b1319

SHA256
e3bb60ebd50eddddf729c011b336944c8cd5dc29c0352a7995415d6af324b99a

SHA512
da795d5c8c0d97a02c8d90e7a0c14d6cf455332dce01b027265e4c917e4b247cbc5f12cca8dcc909ee2522dab78c1fee16dfbfebbe3de4b11c1bf85c974a36e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3646.exe
Filesize
822KB

MD5
6343aac15bd8338c651b2b7b58981bd3

SHA1
a73aa2bf5a3edc38d53aac0097292e371f46f73b

SHA256
f4513146f65e9a2f9eecbbf365c07036fbbd15c359ccf0ad20635ab4bd6b41ca

SHA512
9612f64b5f499c0370cf63b6df124ff7a3adb503110c7c91b4649a1a6e65827003c37ccaf21ba8d6510256e746373d4d2991596256d417401833efe6d3b15c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3646.exe
Filesize
822KB

MD5
6343aac15bd8338c651b2b7b58981bd3

SHA1
a73aa2bf5a3edc38d53aac0097292e371f46f73b

SHA256
f4513146f65e9a2f9eecbbf365c07036fbbd15c359ccf0ad20635ab4bd6b41ca

SHA512
9612f64b5f499c0370cf63b6df124ff7a3adb503110c7c91b4649a1a6e65827003c37ccaf21ba8d6510256e746373d4d2991596256d417401833efe6d3b15c8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en992524.exe
Filesize
175KB

MD5
0779aab5fd0df666030f8c0315bb3b15

SHA1
e3bcdd4afbf8684f0aa4ae0678325619257cc6ff

SHA256
abf07440b25288f24a0556559227307c5ddd5f2d3036c2a068a66112fb4b10d3

SHA512
4a1dea6243dda9717b6e32445cf56c3e3168a151ce18591fca02d372922297663d28dab058d8cf7b800daf0e3db2d0d27ff1c20f1c156c363ee5ec27dcd25e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en992524.exe
Filesize
175KB

MD5
0779aab5fd0df666030f8c0315bb3b15

SHA1
e3bcdd4afbf8684f0aa4ae0678325619257cc6ff

SHA256
abf07440b25288f24a0556559227307c5ddd5f2d3036c2a068a66112fb4b10d3

SHA512
4a1dea6243dda9717b6e32445cf56c3e3168a151ce18591fca02d372922297663d28dab058d8cf7b800daf0e3db2d0d27ff1c20f1c156c363ee5ec27dcd25e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1485.exe
Filesize
680KB

MD5
d1281959ce750c6aab640c89efac4b4c

SHA1
c7555e592809323db2a914232463104512770f5f

SHA256
b45f1798b70a209cf6081efc87a1044d7bb4e5cc022cbf690013c59ff0e4f79f

SHA512
26ffc21d38abe3ed5e0c46de319b182f205c65f909d2287f7365a9e368549509bd954c6f363ced1e912e7979c59255936458dc9f2b7910b273759dfa9738220b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1485.exe
Filesize
680KB

MD5
d1281959ce750c6aab640c89efac4b4c

SHA1
c7555e592809323db2a914232463104512770f5f

SHA256
b45f1798b70a209cf6081efc87a1044d7bb4e5cc022cbf690013c59ff0e4f79f

SHA512
26ffc21d38abe3ed5e0c46de319b182f205c65f909d2287f7365a9e368549509bd954c6f363ced1e912e7979c59255936458dc9f2b7910b273759dfa9738220b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djo15s46.exe
Filesize
345KB

MD5
8b38c5149a30036c849a943bf6fed500

SHA1
215498da5e8e0db5bbb8983c0318ed67a6f1eb89

SHA256
f51b8f7fedcb1c76642e030bcb0200130e6ec88cb4a5d064c156b35edda4b915

SHA512
122d171d669e14f2d361868d12dc2e43eabc90ec46cc747695afe864fcdc969dc4bca4fdf989fd3c4eec26b157744dec205e02d25c149470e3b277b043ff54d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\djo15s46.exe
Filesize
345KB

MD5
8b38c5149a30036c849a943bf6fed500

SHA1
215498da5e8e0db5bbb8983c0318ed67a6f1eb89

SHA256
f51b8f7fedcb1c76642e030bcb0200130e6ec88cb4a5d064c156b35edda4b915

SHA512
122d171d669e14f2d361868d12dc2e43eabc90ec46cc747695afe864fcdc969dc4bca4fdf989fd3c4eec26b157744dec205e02d25c149470e3b277b043ff54d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9304.exe
Filesize
345KB

MD5
36385f06cd6c06a988d5b7918e92932d

SHA1
28bb1988eb83a4babb0edd3ba686a51305e1ac85

SHA256
242fefec8e9b3517b8228336b7b9e97420306f838a7fef694c5eb0a9623dbf5a

SHA512
300d7933f200900fd60010af10364c09abd1415cc00eeffff04d2530f0f17e6b740b30888888975073402042f2ae0a84f50beb7d19039a598d6c97ce8a0624a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9304.exe
Filesize
345KB

MD5
36385f06cd6c06a988d5b7918e92932d

SHA1
28bb1988eb83a4babb0edd3ba686a51305e1ac85

SHA256
242fefec8e9b3517b8228336b7b9e97420306f838a7fef694c5eb0a9623dbf5a

SHA512
300d7933f200900fd60010af10364c09abd1415cc00eeffff04d2530f0f17e6b740b30888888975073402042f2ae0a84f50beb7d19039a598d6c97ce8a0624a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu765375.exe
Filesize
11KB

MD5
e0233372fb5a978e424016b9233a3f95

SHA1
5dbc3e695cbbb7c8d982fac7c330d199cb461141

SHA256
111c507d7b970b8a17f2b1c7828b9dd35f14e73461ac9afa986c9f9dabeffba6

SHA512
4e82c114e995bb3582ed1b478465eea994e478d64f5859bf45ab02452705b56865580f2feddba76ae550787b0d60920c8c984578977e7615060ab9cf1b955e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu765375.exe
Filesize
11KB

MD5
e0233372fb5a978e424016b9233a3f95

SHA1
5dbc3e695cbbb7c8d982fac7c330d199cb461141

SHA256
111c507d7b970b8a17f2b1c7828b9dd35f14e73461ac9afa986c9f9dabeffba6

SHA512
4e82c114e995bb3582ed1b478465eea994e478d64f5859bf45ab02452705b56865580f2feddba76ae550787b0d60920c8c984578977e7615060ab9cf1b955e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1980.exe
Filesize
291KB

MD5
1f6aec0addf122a1e98d073ba433e409

SHA1
7b1dc08a71d201c0af062b4fed9aef8d8c253ac1

SHA256
001065fcbc17521415d72a2b3f6ffd7831aa2435c6fd7e7448679d3d15439d38

SHA512
77500940a40ed4c471885f0eeac3ed57518a09370eb233172b16f1a7654f133ed73f278974ed48099ea62bce7ded710a26e446447d66ab24114b9f27e61e23bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1980.exe
Filesize
291KB

MD5
1f6aec0addf122a1e98d073ba433e409

SHA1
7b1dc08a71d201c0af062b4fed9aef8d8c253ac1

SHA256
001065fcbc17521415d72a2b3f6ffd7831aa2435c6fd7e7448679d3d15439d38

SHA512
77500940a40ed4c471885f0eeac3ed57518a09370eb233172b16f1a7654f133ed73f278974ed48099ea62bce7ded710a26e446447d66ab24114b9f27e61e23bb

Download Submit
memory/632-1123-0x00000000062B0000-0x00000000062EC000-memory.dmp

Filesize
240KB

Download
memory/632-1127-0x0000000007B90000-0x0000000007BE0000-memory.dmp

Filesize
320KB

Download
memory/632-1134-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-1133-0x0000000007F20000-0x000000000844C000-memory.dmp

Filesize
5.2MB

Download
memory/632-1132-0x0000000007D40000-0x0000000007F02000-memory.dmp

Filesize
1.8MB

Download
memory/632-1131-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-1130-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-1129-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-1126-0x0000000007B00000-0x0000000007B76000-memory.dmp

Filesize
472KB

Download
memory/632-1125-0x0000000007300000-0x0000000007366000-memory.dmp

Filesize
408KB

Download
memory/632-1124-0x0000000007260000-0x00000000072F2000-memory.dmp

Filesize
584KB

Download
memory/632-1122-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-1121-0x0000000003E10000-0x0000000003E22000-memory.dmp

Filesize
72KB

Download
memory/632-1120-0x0000000006F70000-0x000000000707A000-memory.dmp

Filesize
1.0MB

Download
memory/632-1119-0x0000000006950000-0x0000000006F68000-memory.dmp

Filesize
6.1MB

Download
memory/632-359-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-362-0x0000000006390000-0x00000000063A0000-memory.dmp

Filesize
64KB

Download
memory/632-210-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-211-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-213-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-215-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-217-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-219-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-221-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-223-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-225-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-227-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-229-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-231-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-233-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-235-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-237-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-239-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-241-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-243-0x0000000003B90000-0x0000000003BCF000-memory.dmp

Filesize
252KB

Download
memory/632-358-0x0000000001A30000-0x0000000001A7B000-memory.dmp

Filesize
300KB

Download
memory/1180-192-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-168-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/1180-205-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1180-204-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-203-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-202-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-180-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1180-199-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-198-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-186-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-197-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/1180-196-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-184-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-176-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-190-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-188-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-178-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-182-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-167-0x00000000007F0000-0x000000000081D000-memory.dmp

Filesize
180KB

Download
memory/1180-194-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-174-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-172-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-170-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1180-169-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/1564-161-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/3868-1141-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3868-1140-0x0000000000C70000-0x0000000000CA2000-memory.dmp

Filesize
200KB

Download