amadey | 9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef

Analysis

max time kernel
144s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe
Size

1.0MB
MD5

bba600b6209014b065e226086ff02ba9
SHA1

5b20df73eeb1f8c82e519a87aaf5d0e6dc0661f3
SHA256

9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef
SHA512

f1e189cc508b4bfaad3faa2e493dc9e44dc7606898b91c71101ca6eceb4f6da0f39dd75a96151660eb2598b3d39b5bd2fb6f802f0cf2d9901eb6e343f921bab6
SSDEEP

24576:CyWTmz2gpgljvAM+be9ZZjvrqbuG0EU9XVyQ8jfIR:pWTmz2cjMH7bBGAlyQ8U

Score

10^/10

amadey redline luza rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

luza

176.113.115.145:4125

Attributes

auth_value
1261701914d508e02e8b4f25d38bc7f9

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu553539.execor6293.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu553539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor6293.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu553539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu553539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu553539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu553539.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu553539.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4592-214-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-215-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-217-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-219-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-221-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-223-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-225-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-227-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-229-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-231-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-233-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-235-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-237-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-239-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-241-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-243-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-245-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4592-247-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege781943.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	ge781943.exe

Executes dropped EXE 11 IoCs

Processes:

kina5726.exekina9822.exekina5469.exebu553539.execor6293.exedSg68s58.exeen296895.exege781943.exemetafor.exemetafor.exemetafor.exe

pid	process
4624	kina5726.exe
3364	kina9822.exe
868	kina5469.exe
1428	bu553539.exe
4840	cor6293.exe
4592	dSg68s58.exe
3340	en296895.exe
4264	ge781943.exe
1520	metafor.exe
2120	metafor.exe
2712	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor6293.exebu553539.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor6293.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu553539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor6293.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina5469.exe9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exekina5726.exekina9822.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina5469.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina5726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9822.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina9822.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina5469.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3652 4840 WerFault.exe cor6293.exe
3788 4592 WerFault.exe dSg68s58.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1124 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu553539.execor6293.exedSg68s58.exeen296895.exe

pid process

1428 bu553539.exe
1428 bu553539.exe
4840 cor6293.exe
4840 cor6293.exe
4592 dSg68s58.exe
4592 dSg68s58.exe
3340 en296895.exe
3340 en296895.exe

pid	pid_target	process	target process
3652	4840	WerFault.exe	cor6293.exe
3788	4592	WerFault.exe	dSg68s58.exe

pid	process
1124	schtasks.exe

pid	process
1428	bu553539.exe
1428	bu553539.exe
4840	cor6293.exe
4840	cor6293.exe
4592	dSg68s58.exe
4592	dSg68s58.exe
3340	en296895.exe
3340	en296895.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu553539.execor6293.exedSg68s58.exeen296895.exe

description	pid	process
Token: SeDebugPrivilege	1428	bu553539.exe
Token: SeDebugPrivilege	4840	cor6293.exe
Token: SeDebugPrivilege	4592	dSg68s58.exe
Token: SeDebugPrivilege	3340	en296895.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exekina5726.exekina9822.exekina5469.exege781943.exemetafor.execmd.exe

description	pid	process	target process
PID 4928 wrote to memory of 4624	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	kina5726.exe
PID 4928 wrote to memory of 4624	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	kina5726.exe
PID 4928 wrote to memory of 4624	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	kina5726.exe
PID 4624 wrote to memory of 3364	4624	kina5726.exe	kina9822.exe
PID 4624 wrote to memory of 3364	4624	kina5726.exe	kina9822.exe
PID 4624 wrote to memory of 3364	4624	kina5726.exe	kina9822.exe
PID 3364 wrote to memory of 868	3364	kina9822.exe	kina5469.exe
PID 3364 wrote to memory of 868	3364	kina9822.exe	kina5469.exe
PID 3364 wrote to memory of 868	3364	kina9822.exe	kina5469.exe
PID 868 wrote to memory of 1428	868	kina5469.exe	bu553539.exe
PID 868 wrote to memory of 1428	868	kina5469.exe	bu553539.exe
PID 868 wrote to memory of 4840	868	kina5469.exe	cor6293.exe
PID 868 wrote to memory of 4840	868	kina5469.exe	cor6293.exe
PID 868 wrote to memory of 4840	868	kina5469.exe	cor6293.exe
PID 3364 wrote to memory of 4592	3364	kina9822.exe	dSg68s58.exe
PID 3364 wrote to memory of 4592	3364	kina9822.exe	dSg68s58.exe
PID 3364 wrote to memory of 4592	3364	kina9822.exe	dSg68s58.exe
PID 4624 wrote to memory of 3340	4624	kina5726.exe	en296895.exe
PID 4624 wrote to memory of 3340	4624	kina5726.exe	en296895.exe
PID 4624 wrote to memory of 3340	4624	kina5726.exe	en296895.exe
PID 4928 wrote to memory of 4264	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	ge781943.exe
PID 4928 wrote to memory of 4264	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	ge781943.exe
PID 4928 wrote to memory of 4264	4928	9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe	ge781943.exe
PID 4264 wrote to memory of 1520	4264	ge781943.exe	metafor.exe
PID 4264 wrote to memory of 1520	4264	ge781943.exe	metafor.exe
PID 4264 wrote to memory of 1520	4264	ge781943.exe	metafor.exe
PID 1520 wrote to memory of 1124	1520	metafor.exe	schtasks.exe
PID 1520 wrote to memory of 1124	1520	metafor.exe	schtasks.exe
PID 1520 wrote to memory of 1124	1520	metafor.exe	schtasks.exe
PID 1520 wrote to memory of 2268	1520	metafor.exe	cmd.exe
PID 1520 wrote to memory of 2268	1520	metafor.exe	cmd.exe
PID 1520 wrote to memory of 2268	1520	metafor.exe	cmd.exe
PID 2268 wrote to memory of 336	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 336	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 336	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 116	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 116	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 116	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4908	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4908	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4908	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4848	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 4848	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 4848	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 4080	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4080	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 4080	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 3648	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 3648	2268	cmd.exe	cacls.exe
PID 2268 wrote to memory of 3648	2268	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe
"C:\Users\Admin\AppData\Local\Temp\9cb82e129c8e69b1c8be270a209c6e38b2595b43bca8e46ef585fd81e1a347ef.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5726.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5726.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9822.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5469.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5469.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu553539.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu553539.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6293.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6293.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1084
6⤵
- Program crash
PID:3652

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSg68s58.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSg68s58.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1636
5⤵
- Program crash
PID:3788

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en296895.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en296895.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge781943.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge781943.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:336

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:116

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4848

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4080

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4840 -ip 4840
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4592 -ip 4592
1⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge781943.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge781943.exe
Filesize
227KB

MD5
fe0ea21c41bb805aa922b93ed6e57884

SHA1
e66a9d2ffdc1d654e2ff68ac0266f926f8892174

SHA256
bf86708b7d7d63d39546ecca9f730c203d5db02444a85445b8127549179941e7

SHA512
8d703c9f10a5503830aaefd7f7ded45d2a5dd9a138419cf62098dbf022a2e899f64c5d6ec51ec74f5d57f00aae68331ba0d560f54fd27f53a857f2d481b4e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5726.exe
Filesize
873KB

MD5
983f6fe4c52c8646c8aec778c41281f1

SHA1
6bc69b0bc6ff8f15afb5861b985ac2c802ee6d42

SHA256
b8885d6cb0d6754d70aec4e5efdfeb12038f49b3fee2f8106d3266aa8807acbe

SHA512
89c5e533a7749a05c17484b389705d5b093088d13285a99e3c08ed0eaf562afaa583c8bab093111b50d1dee618b04e55bc73b4d87ac1136154cf021e51442070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5726.exe
Filesize
873KB

MD5
983f6fe4c52c8646c8aec778c41281f1

SHA1
6bc69b0bc6ff8f15afb5861b985ac2c802ee6d42

SHA256
b8885d6cb0d6754d70aec4e5efdfeb12038f49b3fee2f8106d3266aa8807acbe

SHA512
89c5e533a7749a05c17484b389705d5b093088d13285a99e3c08ed0eaf562afaa583c8bab093111b50d1dee618b04e55bc73b4d87ac1136154cf021e51442070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en296895.exe
Filesize
175KB

MD5
e40c795ad20ed6abc5dbd4939c07d0d1

SHA1
a9b1a7fb1b55c69a9f0a5d92d2ba5b0cafb56e38

SHA256
f933255bbb9705afc8bbd246d250fee905dcf5ecf578cb8b73b99613eccd1193

SHA512
2ad865cfa168a5ec67b758658758a1f5a79a4b6e6a00631e58a47619748a6e84c3aa2d668eff2fbd0dbf475d7c1d7d6fd7b1626d300f15e65136fed3f472e070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en296895.exe
Filesize
175KB

MD5
e40c795ad20ed6abc5dbd4939c07d0d1

SHA1
a9b1a7fb1b55c69a9f0a5d92d2ba5b0cafb56e38

SHA256
f933255bbb9705afc8bbd246d250fee905dcf5ecf578cb8b73b99613eccd1193

SHA512
2ad865cfa168a5ec67b758658758a1f5a79a4b6e6a00631e58a47619748a6e84c3aa2d668eff2fbd0dbf475d7c1d7d6fd7b1626d300f15e65136fed3f472e070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9822.exe
Filesize
731KB

MD5
33646a8139e8b83ceb7e2f0e01442069

SHA1
34d4176100f2a5feb9e37a5012045eb4719b7a12

SHA256
afa30f59fbaa48353c3c19a537253f38825fc01f200d931cf8c1de8f6b070df6

SHA512
140ba5fcfedd37a936a44dfb1eb9aacc7b4b9f5e4142c3a0896fdce77d8c94df5fb095fe92a6e3b7f54738f26fead2b66d71b85f2138c506c16271928eba0de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina9822.exe
Filesize
731KB

MD5
33646a8139e8b83ceb7e2f0e01442069

SHA1
34d4176100f2a5feb9e37a5012045eb4719b7a12

SHA256
afa30f59fbaa48353c3c19a537253f38825fc01f200d931cf8c1de8f6b070df6

SHA512
140ba5fcfedd37a936a44dfb1eb9aacc7b4b9f5e4142c3a0896fdce77d8c94df5fb095fe92a6e3b7f54738f26fead2b66d71b85f2138c506c16271928eba0de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSg68s58.exe
Filesize
406KB

MD5
60201615dc2c1ff5bb09508d27f8c7b3

SHA1
b4f6ad22d2f269339835fd05102aea74b14b5c6b

SHA256
1ce69050ec6110fee924b5cb63ce2fbb37e37401baa02408f87b654898f7bfa2

SHA512
73921cc9885afee45a1471515637c17aebab3d7af06e9b1ecfddf261aa37277f8df4efaddef3f0567db25407035be651e671e8d48e4fbf2f4d7fcf8fd7548e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dSg68s58.exe
Filesize
406KB

MD5
60201615dc2c1ff5bb09508d27f8c7b3

SHA1
b4f6ad22d2f269339835fd05102aea74b14b5c6b

SHA256
1ce69050ec6110fee924b5cb63ce2fbb37e37401baa02408f87b654898f7bfa2

SHA512
73921cc9885afee45a1471515637c17aebab3d7af06e9b1ecfddf261aa37277f8df4efaddef3f0567db25407035be651e671e8d48e4fbf2f4d7fcf8fd7548e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5469.exe
Filesize
362KB

MD5
83bc12abcb7f88628e9ac1da9c8824b7

SHA1
799b2ad90ffc7ac73f3fb3d93ab83f961b470681

SHA256
8838e1dbbfc3b16d1240c628cb0178d4eab64535f39f0f70580a81686d5c053d

SHA512
10c7cc84ef0dc573d4eaa0b26830200714c0759349d9c4f74c886f9ac2d9c7c7f71362963c732fd8b23d386b2bf060228e4e8d39a7d05d300c02a62784ac0406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5469.exe
Filesize
362KB

MD5
83bc12abcb7f88628e9ac1da9c8824b7

SHA1
799b2ad90ffc7ac73f3fb3d93ab83f961b470681

SHA256
8838e1dbbfc3b16d1240c628cb0178d4eab64535f39f0f70580a81686d5c053d

SHA512
10c7cc84ef0dc573d4eaa0b26830200714c0759349d9c4f74c886f9ac2d9c7c7f71362963c732fd8b23d386b2bf060228e4e8d39a7d05d300c02a62784ac0406

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu553539.exe
Filesize
11KB

MD5
f8a085f5b659f1c3325534ea862e56e1

SHA1
8f0365614652872557dcde46343eae18b784dfe2

SHA256
5a8c2603cf8a7a5a869fece1331333c2fa6022e350d67b8157897215335206ac

SHA512
47e289d5aebfdc9d680c52b8ad635cea97d0083c60f7909d9fd055b7e5803d69bd6b5643969511b7a04daa9abd32e4d17d585ff7dbafc56f2a69705a2739030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu553539.exe
Filesize
11KB

MD5
f8a085f5b659f1c3325534ea862e56e1

SHA1
8f0365614652872557dcde46343eae18b784dfe2

SHA256
5a8c2603cf8a7a5a869fece1331333c2fa6022e350d67b8157897215335206ac

SHA512
47e289d5aebfdc9d680c52b8ad635cea97d0083c60f7909d9fd055b7e5803d69bd6b5643969511b7a04daa9abd32e4d17d585ff7dbafc56f2a69705a2739030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6293.exe
Filesize
347KB

MD5
e628f2cbfcf7ec68892782eb00bafae7

SHA1
c5265d073994d5243830a511a6573e710a5b685f

SHA256
04f1d9db627864bc222e12530499913a98ca0533c7d47b52665596a43f1f3ebd

SHA512
d47c7a9b96f3113554e22f4658b3a421068fd14331c6adb8080b7daf204f72f2079512a4f624151bf59ecfac8848aaef1de42f903f797af75bf62e9cb36cb3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6293.exe
Filesize
347KB

MD5
e628f2cbfcf7ec68892782eb00bafae7

SHA1
c5265d073994d5243830a511a6573e710a5b685f

SHA256
04f1d9db627864bc222e12530499913a98ca0533c7d47b52665596a43f1f3ebd

SHA512
d47c7a9b96f3113554e22f4658b3a421068fd14331c6adb8080b7daf204f72f2079512a4f624151bf59ecfac8848aaef1de42f903f797af75bf62e9cb36cb3d1

Download Submit
memory/1428-161-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/3340-1142-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/3340-1141-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

Filesize
200KB

Download
memory/3340-1143-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/4592-1123-0x0000000007FB0000-0x0000000007FEC000-memory.dmp

Filesize
240KB

Download
memory/4592-241-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-1135-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-1134-0x0000000009420000-0x0000000009470000-memory.dmp

Filesize
320KB

Download
memory/4592-1133-0x00000000093A0000-0x0000000009416000-memory.dmp

Filesize
472KB

Download
memory/4592-1132-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/4592-1131-0x0000000008B50000-0x0000000008D12000-memory.dmp

Filesize
1.8MB

Download
memory/4592-1130-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-1129-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-1128-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-1127-0x0000000008950000-0x00000000089E2000-memory.dmp

Filesize
584KB

Download
memory/4592-1126-0x0000000008290000-0x00000000082F6000-memory.dmp

Filesize
408KB

Download
memory/4592-1124-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-210-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

Filesize
300KB

Download
memory/4592-211-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-212-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-213-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/4592-214-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-215-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-217-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-219-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-221-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-223-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-225-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-227-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-229-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-231-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-233-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-235-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-237-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-239-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-1122-0x0000000007F90000-0x0000000007FA2000-memory.dmp

Filesize
72KB

Download
memory/4592-243-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-245-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-247-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4592-1120-0x0000000007860000-0x0000000007E78000-memory.dmp

Filesize
6.1MB

Download
memory/4592-1121-0x0000000007E80000-0x0000000007F8A000-memory.dmp

Filesize
1.0MB

Download
memory/4840-193-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-205-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/4840-191-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-189-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-183-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-204-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-202-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-181-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-200-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/4840-199-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-197-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-195-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-187-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-185-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-201-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-177-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-179-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-175-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-173-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-172-0x0000000007100000-0x0000000007112000-memory.dmp

Filesize
72KB

Download
memory/4840-169-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-171-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-170-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/4840-168-0x0000000002B90000-0x0000000002BBD000-memory.dmp

Filesize
180KB

Download
memory/4840-167-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download