amadey | 1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8

Analysis

max time kernel
93s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe
Size

1.0MB
MD5

eb48f88ebce32a0aa5d8ff3568189aec
SHA1

8129576e363f248920255be2a762ffef6a9ae83e
SHA256

1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8
SHA512

9b24519acb0354ff603e2cbcb2d363993992bc6d5e3d47bd20149a951ef7b47eb309779357d5912c7b42a66d2e04af8402118f94219fddb701f11ef6ef1172b1
SSDEEP

24576:byBz8qfTX8BMef6jJYcxWwFo19UAqPmTLopE2jaqQccP:OBz7D8qeijJYcw9UfsLwECcc

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor7524.exebu674764.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu674764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu674764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu674764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7524.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu674764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu674764.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu674764.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7524.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4416-208-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-211-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-209-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-213-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-215-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-218-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-223-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-225-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-229-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-231-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-227-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-233-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-235-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-237-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-239-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-241-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-243-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline
behavioral1/memory/4416-245-0x0000000004D00000-0x0000000004D3F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge025247.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge025247.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina3589.exekina9214.exekina3476.exebu674764.execor7524.exedHj34s02.exeen568513.exege025247.exemetafor.exemetafor.exe

pid	process
4424	kina3589.exe
4400	kina9214.exe
3472	kina3476.exe
4080	bu674764.exe
1828	cor7524.exe
4416	dHj34s02.exe
3872	en568513.exe
2044	ge025247.exe
3012	metafor.exe
3288	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu674764.execor7524.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu674764.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7524.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7524.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina9214.exekina3476.exe1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exekina3589.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9214.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9214.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina3476.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3589.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3589.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4852 1828 WerFault.exe cor7524.exe
4084 4416 WerFault.exe dHj34s02.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3456 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu674764.execor7524.exedHj34s02.exeen568513.exe

pid process

4080 bu674764.exe
4080 bu674764.exe
1828 cor7524.exe
1828 cor7524.exe
4416 dHj34s02.exe
4416 dHj34s02.exe
3872 en568513.exe
3872 en568513.exe

pid	pid_target	process	target process
4852	1828	WerFault.exe	cor7524.exe
4084	4416	WerFault.exe	dHj34s02.exe

pid	process
3456	schtasks.exe

pid	process
4080	bu674764.exe
4080	bu674764.exe
1828	cor7524.exe
1828	cor7524.exe
4416	dHj34s02.exe
4416	dHj34s02.exe
3872	en568513.exe
3872	en568513.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu674764.execor7524.exedHj34s02.exeen568513.exe

description	pid	process
Token: SeDebugPrivilege	4080	bu674764.exe
Token: SeDebugPrivilege	1828	cor7524.exe
Token: SeDebugPrivilege	4416	dHj34s02.exe
Token: SeDebugPrivilege	3872	en568513.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exekina3589.exekina9214.exekina3476.exege025247.exemetafor.execmd.exe

description	pid	process	target process
PID 4824 wrote to memory of 4424	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	kina3589.exe
PID 4824 wrote to memory of 4424	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	kina3589.exe
PID 4824 wrote to memory of 4424	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	kina3589.exe
PID 4424 wrote to memory of 4400	4424	kina3589.exe	kina9214.exe
PID 4424 wrote to memory of 4400	4424	kina3589.exe	kina9214.exe
PID 4424 wrote to memory of 4400	4424	kina3589.exe	kina9214.exe
PID 4400 wrote to memory of 3472	4400	kina9214.exe	kina3476.exe
PID 4400 wrote to memory of 3472	4400	kina9214.exe	kina3476.exe
PID 4400 wrote to memory of 3472	4400	kina9214.exe	kina3476.exe
PID 3472 wrote to memory of 4080	3472	kina3476.exe	bu674764.exe
PID 3472 wrote to memory of 4080	3472	kina3476.exe	bu674764.exe
PID 3472 wrote to memory of 1828	3472	kina3476.exe	cor7524.exe
PID 3472 wrote to memory of 1828	3472	kina3476.exe	cor7524.exe
PID 3472 wrote to memory of 1828	3472	kina3476.exe	cor7524.exe
PID 4400 wrote to memory of 4416	4400	kina9214.exe	dHj34s02.exe
PID 4400 wrote to memory of 4416	4400	kina9214.exe	dHj34s02.exe
PID 4400 wrote to memory of 4416	4400	kina9214.exe	dHj34s02.exe
PID 4424 wrote to memory of 3872	4424	kina3589.exe	en568513.exe
PID 4424 wrote to memory of 3872	4424	kina3589.exe	en568513.exe
PID 4424 wrote to memory of 3872	4424	kina3589.exe	en568513.exe
PID 4824 wrote to memory of 2044	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	ge025247.exe
PID 4824 wrote to memory of 2044	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	ge025247.exe
PID 4824 wrote to memory of 2044	4824	1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe	ge025247.exe
PID 2044 wrote to memory of 3012	2044	ge025247.exe	metafor.exe
PID 2044 wrote to memory of 3012	2044	ge025247.exe	metafor.exe
PID 2044 wrote to memory of 3012	2044	ge025247.exe	metafor.exe
PID 3012 wrote to memory of 3456	3012	metafor.exe	schtasks.exe
PID 3012 wrote to memory of 3456	3012	metafor.exe	schtasks.exe
PID 3012 wrote to memory of 3456	3012	metafor.exe	schtasks.exe
PID 3012 wrote to memory of 2212	3012	metafor.exe	cmd.exe
PID 3012 wrote to memory of 2212	3012	metafor.exe	cmd.exe
PID 3012 wrote to memory of 2212	3012	metafor.exe	cmd.exe
PID 2212 wrote to memory of 3184	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 3184	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 3184	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 4500	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 4500	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 4500	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 1792	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 1792	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 1792	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 3552	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 3552	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 3552	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 264	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 264	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 264	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 2200	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 2200	2212	cmd.exe	cacls.exe
PID 2212 wrote to memory of 2200	2212	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe
"C:\Users\Admin\AppData\Local\Temp\1724cd38aeb6c4a0ff173836d9f7a08a718cfa2aaf7161a609ae5e810ecd87f8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3589.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3589.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9214.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9214.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3476.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3476.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu674764.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu674764.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7524.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7524.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1084
6⤵
- Program crash
PID:4852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj34s02.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj34s02.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1348
5⤵
- Program crash
PID:4084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en568513.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en568513.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge025247.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge025247.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3184

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4500

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3552

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:264

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1828 -ip 1828
1⤵
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4416 -ip 4416
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge025247.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge025247.exe
Filesize
227KB

MD5
27f6c6cfc82948b1e9ded15b9ebe6777

SHA1
74d6288aa6d15e1ac5b889256beb3356322dddc4

SHA256
9e470c85852f922fbba1dc3b03c7810aae10202dec0c455ba23d1feb55d12eeb

SHA512
6d86159b118718420fd7867e9bfa95e8a847492f73e41ffc8cec7ba616fc01238faf0c1843acd3a78c03fe13f42c289eb704a908b823495cf3d80e199f0448c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3589.exe
Filesize
847KB

MD5
1a5b66457073f06f240c700d751bc6df

SHA1
a44f1268a3bb9145959c569c07066df7823f5a1e

SHA256
731205a1f0184049e7f8dcb14a0fcb37b73efabcdbf26cc68dc2a5b4e226dcad

SHA512
fab266aa1edfcae0da3b19e93aa5b7a3c1d5e743fb91db0843877ec493f606cc4c36509b4bffe8fc6cdc335014ae8de0f4aab0f069c30cc368dd374db486d2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3589.exe
Filesize
847KB

MD5
1a5b66457073f06f240c700d751bc6df

SHA1
a44f1268a3bb9145959c569c07066df7823f5a1e

SHA256
731205a1f0184049e7f8dcb14a0fcb37b73efabcdbf26cc68dc2a5b4e226dcad

SHA512
fab266aa1edfcae0da3b19e93aa5b7a3c1d5e743fb91db0843877ec493f606cc4c36509b4bffe8fc6cdc335014ae8de0f4aab0f069c30cc368dd374db486d2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en568513.exe
Filesize
175KB

MD5
9bf50cf7203c864c7153af834d0d9c34

SHA1
db73ececfc7b58cc63eeb5cb6f32290c11b60436

SHA256
c5eca4b42075e50081acaf34dfe32f6702cc1abad5314bdba9471303ad0c1419

SHA512
cf5c05cb7eecf13ab79c4a8b49c778fc48653cc77fd14935f12fb3dd027ea7c2a69916ef97a9f4f947e0aed056e0b61d3cc1a14002980a91e8ce3ff4bb3ea212

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en568513.exe
Filesize
175KB

MD5
9bf50cf7203c864c7153af834d0d9c34

SHA1
db73ececfc7b58cc63eeb5cb6f32290c11b60436

SHA256
c5eca4b42075e50081acaf34dfe32f6702cc1abad5314bdba9471303ad0c1419

SHA512
cf5c05cb7eecf13ab79c4a8b49c778fc48653cc77fd14935f12fb3dd027ea7c2a69916ef97a9f4f947e0aed056e0b61d3cc1a14002980a91e8ce3ff4bb3ea212

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9214.exe
Filesize
705KB

MD5
c3897c4fa729df2e270baf11d28dc06f

SHA1
c151a7dcdffce10723fca92c3ffa3ab736516ba9

SHA256
b97d609480962d5fde1b274fc344b9cd6321145ebb3240fe7ee26fba9273537d

SHA512
4f9be591c74d3210e0c1ab9e886274b530b207010860549df5fbad1ad97f2a1f4c3b62b9f1e98fd0de4536e55d9d685f8537e752379b652fda23e1fedd84f74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9214.exe
Filesize
705KB

MD5
c3897c4fa729df2e270baf11d28dc06f

SHA1
c151a7dcdffce10723fca92c3ffa3ab736516ba9

SHA256
b97d609480962d5fde1b274fc344b9cd6321145ebb3240fe7ee26fba9273537d

SHA512
4f9be591c74d3210e0c1ab9e886274b530b207010860549df5fbad1ad97f2a1f4c3b62b9f1e98fd0de4536e55d9d685f8537e752379b652fda23e1fedd84f74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj34s02.exe
Filesize
380KB

MD5
0cd7378d689300bd32727328ebd09d74

SHA1
39b505043ad3fdb3080b3b4f65e0912c722d5433

SHA256
09a74e8a771f11fa034b70d93768e88c2090ae8ed50da493a0ac883a8402f593

SHA512
6a1d3a05c0de458c20c19215715e85ee84b94b94fcd87b6a8f0d1e6c9176a2c84a3feb36da8bd09b187eedb2202763705b2bcdc2ff936cc33212bc9f735aeb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHj34s02.exe
Filesize
380KB

MD5
0cd7378d689300bd32727328ebd09d74

SHA1
39b505043ad3fdb3080b3b4f65e0912c722d5433

SHA256
09a74e8a771f11fa034b70d93768e88c2090ae8ed50da493a0ac883a8402f593

SHA512
6a1d3a05c0de458c20c19215715e85ee84b94b94fcd87b6a8f0d1e6c9176a2c84a3feb36da8bd09b187eedb2202763705b2bcdc2ff936cc33212bc9f735aeb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3476.exe
Filesize
349KB

MD5
b9a218b123d11e29bb78aeb22bd874df

SHA1
4aaba9ca68733f3d681d613f27148adb21f2e78d

SHA256
c0c8504bc258cfbe2a438c590a358666f74ac79173482c143a5b150bc0e407ae

SHA512
0044589926f1913cc31089542c8446be37ea3f924e1adc9c8cb24d6ad6f1935dae718020532eb4935597e564303b8e422d433493ab31ef418d70455f298273f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina3476.exe
Filesize
349KB

MD5
b9a218b123d11e29bb78aeb22bd874df

SHA1
4aaba9ca68733f3d681d613f27148adb21f2e78d

SHA256
c0c8504bc258cfbe2a438c590a358666f74ac79173482c143a5b150bc0e407ae

SHA512
0044589926f1913cc31089542c8446be37ea3f924e1adc9c8cb24d6ad6f1935dae718020532eb4935597e564303b8e422d433493ab31ef418d70455f298273f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu674764.exe
Filesize
11KB

MD5
1027411999e76a36e857f69fa2ef087a

SHA1
0f813ff9e129639c6083c1e2bf69a8020e78ef05

SHA256
9a727af15b8f974af2d7d0b7a06dc4f98514f4006f3902c391c8f5210040c97e

SHA512
cacc9146b15cb18d6c9bb6021a183d7479c14c13393644bf3aa851b5432c5881d7717ad100adb7aa9451e07576bd8240ad372a8d47b93f88cb638b2ba10a7f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu674764.exe
Filesize
11KB

MD5
1027411999e76a36e857f69fa2ef087a

SHA1
0f813ff9e129639c6083c1e2bf69a8020e78ef05

SHA256
9a727af15b8f974af2d7d0b7a06dc4f98514f4006f3902c391c8f5210040c97e

SHA512
cacc9146b15cb18d6c9bb6021a183d7479c14c13393644bf3aa851b5432c5881d7717ad100adb7aa9451e07576bd8240ad372a8d47b93f88cb638b2ba10a7f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7524.exe
Filesize
321KB

MD5
8c5168124a2f244cbf273b4ba82f5e6b

SHA1
ea4c779a3cbc854077daec56e94ae8f83f854352

SHA256
18dda82c844c74ac42507b7d58ae6c2eeef50f621815732b709d10ac1eab967a

SHA512
26b2f8c1012dea30d3b8bc3f77f9753d0d9c9c8b54d56fa46b48b252a4a92a3ea7ae9574ea81a8c9c96896deba92188dca48eb5c01f7a24b54bc4a408e0cfd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7524.exe
Filesize
321KB

MD5
8c5168124a2f244cbf273b4ba82f5e6b

SHA1
ea4c779a3cbc854077daec56e94ae8f83f854352

SHA256
18dda82c844c74ac42507b7d58ae6c2eeef50f621815732b709d10ac1eab967a

SHA512
26b2f8c1012dea30d3b8bc3f77f9753d0d9c9c8b54d56fa46b48b252a4a92a3ea7ae9574ea81a8c9c96896deba92188dca48eb5c01f7a24b54bc4a408e0cfd43

Download Submit
memory/1828-179-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-199-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1828-167-0x0000000007220000-0x00000000077C4000-memory.dmp

Filesize
5.6MB

Download
memory/1828-181-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-183-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-185-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-187-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-189-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-193-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-191-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-195-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-197-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-198-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1828-177-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-200-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1828-201-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1828-203-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/1828-168-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/1828-175-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-173-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-171-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-170-0x0000000004C80000-0x0000000004C92000-memory.dmp

Filesize
72KB

Download
memory/1828-169-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3872-1139-0x0000000000270000-0x00000000002A2000-memory.dmp

Filesize
200KB

Download
memory/3872-1141-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3872-1140-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4080-161-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/4416-215-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-223-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-225-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-229-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-231-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-227-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-233-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-235-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-237-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-239-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-241-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-243-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-245-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-1118-0x0000000007960000-0x0000000007F78000-memory.dmp

Filesize
6.1MB

Download
memory/4416-1119-0x0000000007250000-0x000000000735A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-1120-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-1121-0x0000000007F80000-0x0000000007F92000-memory.dmp

Filesize
72KB

Download
memory/4416-1122-0x0000000007FA0000-0x0000000007FDC000-memory.dmp

Filesize
240KB

Download
memory/4416-1124-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/4416-1125-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/4416-1126-0x0000000008A40000-0x0000000008C02000-memory.dmp

Filesize
1.8MB

Download
memory/4416-1127-0x0000000008C10000-0x000000000913C000-memory.dmp

Filesize
5.2MB

Download
memory/4416-1129-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-1128-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-1130-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-1131-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-222-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-218-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-219-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-220-0x00000000073A0000-0x00000000073B0000-memory.dmp

Filesize
64KB

Download
memory/4416-217-0x0000000002DB0000-0x0000000002DFB000-memory.dmp

Filesize
300KB

Download
memory/4416-213-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-209-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-211-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-208-0x0000000004D00000-0x0000000004D3F000-memory.dmp

Filesize
252KB

Download
memory/4416-1132-0x0000000009390000-0x0000000009406000-memory.dmp

Filesize
472KB

Download
memory/4416-1133-0x0000000009410000-0x0000000009460000-memory.dmp

Filesize
320KB

Download