amadey | 7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e

Analysis

max time kernel
97s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe
Size

1.0MB
MD5

6a9c63e4b103655433460034e2b5daef
SHA1

840cce79d479f46f1a6274face3394a2c531e8aa
SHA256

7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e
SHA512

00392482b4f8da44556ee02571e320f5f874fcbc57b75d520617a1df3a7fdc160a64c6df6bde935151d5b78c285ae7afd1eaed0fae0f471058fddd9a7d3930c3
SSDEEP

12288:KMr2y90kr6KeCddOZU+BENd6rfMZ/KvV5RxNpZUs5oMKAZHyCuHWhtMgnBoAbOEc:wyL6ZQxhT9UbxNp4HOBnudRGrI

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor0479.exebu220350.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0479.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu220350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu220350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu220350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0479.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0479.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0479.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu220350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu220350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu220350.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0479.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0479.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3760-212-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-213-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-219-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-216-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-221-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-223-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-225-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-227-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-229-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-231-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-233-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-235-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-237-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-239-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-241-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-243-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-245-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral1/memory/3760-247-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge445291.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge445291.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina1849.exekina9689.exekina7409.exebu220350.execor0479.exedwI57s07.exeen090326.exege445291.exemetafor.exemetafor.exe

pid	process
2108	kina1849.exe
3940	kina9689.exe
4848	kina7409.exe
3592	bu220350.exe
4616	cor0479.exe
3760	dwI57s07.exe
4688	en090326.exe
1468	ge445291.exe
1888	metafor.exe
4356	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor0479.exebu220350.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0479.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu220350.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0479.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina9689.exekina7409.exe7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exekina1849.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9689.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina7409.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1849.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina1849.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9689.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4692 4616 WerFault.exe cor0479.exe
3740 3760 WerFault.exe dwI57s07.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2892 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu220350.execor0479.exedwI57s07.exeen090326.exe

pid process

3592 bu220350.exe
3592 bu220350.exe
4616 cor0479.exe
4616 cor0479.exe
3760 dwI57s07.exe
3760 dwI57s07.exe
4688 en090326.exe
4688 en090326.exe

pid	pid_target	process	target process
4692	4616	WerFault.exe	cor0479.exe
3740	3760	WerFault.exe	dwI57s07.exe

pid	process
2892	schtasks.exe

pid	process
3592	bu220350.exe
3592	bu220350.exe
4616	cor0479.exe
4616	cor0479.exe
3760	dwI57s07.exe
3760	dwI57s07.exe
4688	en090326.exe
4688	en090326.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu220350.execor0479.exedwI57s07.exeen090326.exe

description	pid	process
Token: SeDebugPrivilege	3592	bu220350.exe
Token: SeDebugPrivilege	4616	cor0479.exe
Token: SeDebugPrivilege	3760	dwI57s07.exe
Token: SeDebugPrivilege	4688	en090326.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exekina1849.exekina9689.exekina7409.exege445291.exemetafor.execmd.exe

description	pid	process	target process
PID 392 wrote to memory of 2108	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	kina1849.exe
PID 392 wrote to memory of 2108	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	kina1849.exe
PID 392 wrote to memory of 2108	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	kina1849.exe
PID 2108 wrote to memory of 3940	2108	kina1849.exe	kina9689.exe
PID 2108 wrote to memory of 3940	2108	kina1849.exe	kina9689.exe
PID 2108 wrote to memory of 3940	2108	kina1849.exe	kina9689.exe
PID 3940 wrote to memory of 4848	3940	kina9689.exe	kina7409.exe
PID 3940 wrote to memory of 4848	3940	kina9689.exe	kina7409.exe
PID 3940 wrote to memory of 4848	3940	kina9689.exe	kina7409.exe
PID 4848 wrote to memory of 3592	4848	kina7409.exe	bu220350.exe
PID 4848 wrote to memory of 3592	4848	kina7409.exe	bu220350.exe
PID 4848 wrote to memory of 4616	4848	kina7409.exe	cor0479.exe
PID 4848 wrote to memory of 4616	4848	kina7409.exe	cor0479.exe
PID 4848 wrote to memory of 4616	4848	kina7409.exe	cor0479.exe
PID 3940 wrote to memory of 3760	3940	kina9689.exe	dwI57s07.exe
PID 3940 wrote to memory of 3760	3940	kina9689.exe	dwI57s07.exe
PID 3940 wrote to memory of 3760	3940	kina9689.exe	dwI57s07.exe
PID 2108 wrote to memory of 4688	2108	kina1849.exe	en090326.exe
PID 2108 wrote to memory of 4688	2108	kina1849.exe	en090326.exe
PID 2108 wrote to memory of 4688	2108	kina1849.exe	en090326.exe
PID 392 wrote to memory of 1468	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	ge445291.exe
PID 392 wrote to memory of 1468	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	ge445291.exe
PID 392 wrote to memory of 1468	392	7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe	ge445291.exe
PID 1468 wrote to memory of 1888	1468	ge445291.exe	metafor.exe
PID 1468 wrote to memory of 1888	1468	ge445291.exe	metafor.exe
PID 1468 wrote to memory of 1888	1468	ge445291.exe	metafor.exe
PID 1888 wrote to memory of 2892	1888	metafor.exe	schtasks.exe
PID 1888 wrote to memory of 2892	1888	metafor.exe	schtasks.exe
PID 1888 wrote to memory of 2892	1888	metafor.exe	schtasks.exe
PID 1888 wrote to memory of 5068	1888	metafor.exe	cmd.exe
PID 1888 wrote to memory of 5068	1888	metafor.exe	cmd.exe
PID 1888 wrote to memory of 5068	1888	metafor.exe	cmd.exe
PID 5068 wrote to memory of 2340	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 2340	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 2340	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 3636	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 3636	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 3636	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1264	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1264	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1264	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1432	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 1432	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 1432	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 4668	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 4668	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 4668	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1576	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1576	5068	cmd.exe	cacls.exe
PID 5068 wrote to memory of 1576	5068	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe
"C:\Users\Admin\AppData\Local\Temp\7d93998e16179cf0fbdb55cdec9d74e0c43d2ab80d1e246f9110c035f0a69a4e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1849.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1849.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9689.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9689.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7409.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7409.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu220350.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu220350.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0479.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0479.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1084
6⤵
- Program crash
PID:4692

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwI57s07.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwI57s07.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1324
5⤵
- Program crash
PID:3740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en090326.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en090326.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge445291.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge445291.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2340

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3636

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4616 -ip 4616
1⤵
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3760 -ip 3760
1⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge445291.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge445291.exe
Filesize
227KB

MD5
e8223bf0af369bc57689282b9db792f4

SHA1
db65b46a6b29136eb1a6efe564e17de5738f95e5

SHA256
f7e8697c789b0c38e6ced46114270d83f36da736fd2306f5050c8b9ff004d6ad

SHA512
117ea5f16ee801368e0ccfbea4360b3f71d5cbdea89b8b9a9d5090138360d84089ca2fe1c5af4c656ae1966f0287f400633cd7b9ad0ab4c88a819c5d21941ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1849.exe
Filesize
847KB

MD5
f1e9af937865b21a00c1f015f7488748

SHA1
d626616b458242d090d16c0813d5be7dc0743afa

SHA256
e02f881915918544164f5fe689aa00a301375b9d50af97d4f286b81eecf45ec2

SHA512
1a846f21830420a43e0edbce22182204e553696c0c99cbd232f73368709753838c1a4d2891872bf4398f894b65a320da3669d1ed59839a0d223f2f5f96316fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1849.exe
Filesize
847KB

MD5
f1e9af937865b21a00c1f015f7488748

SHA1
d626616b458242d090d16c0813d5be7dc0743afa

SHA256
e02f881915918544164f5fe689aa00a301375b9d50af97d4f286b81eecf45ec2

SHA512
1a846f21830420a43e0edbce22182204e553696c0c99cbd232f73368709753838c1a4d2891872bf4398f894b65a320da3669d1ed59839a0d223f2f5f96316fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en090326.exe
Filesize
175KB

MD5
437b54906c11448a8d90f7b5526ea747

SHA1
0e6f5172b0aaf1c38205768214954d78fd073e05

SHA256
002bd4c3a43b4d1a6d001681921d0b2022612f3f253c9799b8d37e2a7d04aa37

SHA512
0c87ab88b595c2747053c32ba5f452674c5bafa5901ea75b531f9c852c5a0f7a8f284067e1d348b747491eef00735b446fff1516e98d09463e8493e83cb02cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en090326.exe
Filesize
175KB

MD5
437b54906c11448a8d90f7b5526ea747

SHA1
0e6f5172b0aaf1c38205768214954d78fd073e05

SHA256
002bd4c3a43b4d1a6d001681921d0b2022612f3f253c9799b8d37e2a7d04aa37

SHA512
0c87ab88b595c2747053c32ba5f452674c5bafa5901ea75b531f9c852c5a0f7a8f284067e1d348b747491eef00735b446fff1516e98d09463e8493e83cb02cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9689.exe
Filesize
705KB

MD5
e00bef2f371bfa261a2a112172d793ab

SHA1
31dead38fd44abb2f906b7338ec24e577ab8c020

SHA256
89f184ca75a3778b04436304f262c66b9d2bd652ded79aae22a4330c51b98236

SHA512
1bc37df7e99f58793c1a78749f5f2327bf26d88e12a892a018378fe812fe6b61a88bc2b78f5bd0756e0c55e6fcb35e2e4d1c6cd400853fe1d8220ce2f4afa3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9689.exe
Filesize
705KB

MD5
e00bef2f371bfa261a2a112172d793ab

SHA1
31dead38fd44abb2f906b7338ec24e577ab8c020

SHA256
89f184ca75a3778b04436304f262c66b9d2bd652ded79aae22a4330c51b98236

SHA512
1bc37df7e99f58793c1a78749f5f2327bf26d88e12a892a018378fe812fe6b61a88bc2b78f5bd0756e0c55e6fcb35e2e4d1c6cd400853fe1d8220ce2f4afa3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwI57s07.exe
Filesize
380KB

MD5
1730853815a86687ab707e8fe3029f5e

SHA1
e7ddbc634ab94f4ad1b15ce84f7439b2838a3c27

SHA256
56bfa3572f770140830d26b6c4b2e0482e38c8b8800f3d17eaa7cc2296b48add

SHA512
e0b01859087e5ed487f6bd029742b368f9cf12ec53db37b7438ea9dfc28ef208bd05538b49a9e10f22081bcecf46580f42739ba029309bdf770ce061d25cd701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dwI57s07.exe
Filesize
380KB

MD5
1730853815a86687ab707e8fe3029f5e

SHA1
e7ddbc634ab94f4ad1b15ce84f7439b2838a3c27

SHA256
56bfa3572f770140830d26b6c4b2e0482e38c8b8800f3d17eaa7cc2296b48add

SHA512
e0b01859087e5ed487f6bd029742b368f9cf12ec53db37b7438ea9dfc28ef208bd05538b49a9e10f22081bcecf46580f42739ba029309bdf770ce061d25cd701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7409.exe
Filesize
349KB

MD5
8b1ab19188d8b477b94888e87d354fbe

SHA1
787f177ad04c0fb084da453b4a5a6cc07e0d1ed5

SHA256
c713ef68ab5b6546d9cd8295a43e03fafa0cbc4dd8b9bdd96a7325c6cbce72ad

SHA512
ed26df4438cae4e69e2452f48671e9064bfcfbd4d6f07b2f3b9552cdb3e36eb15c298da2d285a74322118472bdb21d5f2c52956570ec41e146d9e272d10e1b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina7409.exe
Filesize
349KB

MD5
8b1ab19188d8b477b94888e87d354fbe

SHA1
787f177ad04c0fb084da453b4a5a6cc07e0d1ed5

SHA256
c713ef68ab5b6546d9cd8295a43e03fafa0cbc4dd8b9bdd96a7325c6cbce72ad

SHA512
ed26df4438cae4e69e2452f48671e9064bfcfbd4d6f07b2f3b9552cdb3e36eb15c298da2d285a74322118472bdb21d5f2c52956570ec41e146d9e272d10e1b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu220350.exe
Filesize
11KB

MD5
7dec748a03906160dfe516141a43e841

SHA1
2078f0c87593907a7a4acade058838878324e062

SHA256
5ba4774ca85ec41c74081da5ff04c679e4bc6b846e43a9a913d1fdc753673baa

SHA512
e6e1dcb78200ebb571865286d46052f6c901ebb3b7b34b8a0f81cb9c78bd33ab2e088ab6ac91fcd0729abcbddd09e19a236e4d3d3a2456bdffb185b5c231eb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu220350.exe
Filesize
11KB

MD5
7dec748a03906160dfe516141a43e841

SHA1
2078f0c87593907a7a4acade058838878324e062

SHA256
5ba4774ca85ec41c74081da5ff04c679e4bc6b846e43a9a913d1fdc753673baa

SHA512
e6e1dcb78200ebb571865286d46052f6c901ebb3b7b34b8a0f81cb9c78bd33ab2e088ab6ac91fcd0729abcbddd09e19a236e4d3d3a2456bdffb185b5c231eb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0479.exe
Filesize
321KB

MD5
041532fc98cc5a33bb3612c9d18f9722

SHA1
6f9f81f2e851e5b6785abf33c50025afc689d1de

SHA256
4b007701cc509c515a252f45e2ec40df527faa053b89bce7f05ee3aa050c8abb

SHA512
930b4c06e0a8c2b53c98a99effac44a84e37820b81d6453e53d7f8782ead2ec88f2b7d8226ad589d9ac8a9f311d758925c31775c941b2c84c928b8cc38ed04b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0479.exe
Filesize
321KB

MD5
041532fc98cc5a33bb3612c9d18f9722

SHA1
6f9f81f2e851e5b6785abf33c50025afc689d1de

SHA256
4b007701cc509c515a252f45e2ec40df527faa053b89bce7f05ee3aa050c8abb

SHA512
930b4c06e0a8c2b53c98a99effac44a84e37820b81d6453e53d7f8782ead2ec88f2b7d8226ad589d9ac8a9f311d758925c31775c941b2c84c928b8cc38ed04b1

Download Submit
memory/3592-161-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/3760-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/3760-237-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-1135-0x00000000097D0000-0x0000000009820000-memory.dmp

Filesize
320KB

Download
memory/3760-1134-0x0000000009730000-0x00000000097A6000-memory.dmp

Filesize
472KB

Download
memory/3760-1133-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-1132-0x00000000090F0000-0x000000000961C000-memory.dmp

Filesize
5.2MB

Download
memory/3760-1131-0x0000000008F00000-0x00000000090C2000-memory.dmp

Filesize
1.8MB

Download
memory/3760-1130-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-1129-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-1128-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/3760-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/3760-1124-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/3760-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/3760-1120-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3760-247-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-210-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/3760-211-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-212-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-214-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-213-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-217-0x0000000007300000-0x0000000007310000-memory.dmp

Filesize
64KB

Download
memory/3760-219-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-216-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-221-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-223-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-225-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-227-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-229-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-231-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-233-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-235-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-245-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-239-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-241-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/3760-243-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/4616-189-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-169-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4616-181-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4616-204-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4616-177-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-203-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4616-201-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4616-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/4616-199-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-197-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-195-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-167-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/4616-179-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-173-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-187-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-185-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-175-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-183-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-193-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/4616-191-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-172-0x0000000004A70000-0x0000000004A82000-memory.dmp

Filesize
72KB

Download
memory/4616-171-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4616-170-0x0000000004650000-0x0000000004660000-memory.dmp

Filesize
64KB

Download
memory/4688-1143-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4688-1142-0x00000000051F0000-0x0000000005200000-memory.dmp

Filesize
64KB

Download
memory/4688-1141-0x0000000000590000-0x00000000005C2000-memory.dmp

Filesize
200KB

Download