amadey | 845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b

Analysis

max time kernel
78s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe
Size

1.2MB
MD5

05907e889196d1354e498434be0bdc7e
SHA1

dd9cc4cee11f1ead5c75724d3d25fd9a45ac67a4
SHA256

845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b
SHA512

1b5ca619355931fca6d7b8e5ecdb5fe7fef786c9ed203204167d46b61c42b88b3ff0d663f871fc53f26546c88c647d670354ef7672431f980334bdf8137b38b6
SSDEEP

24576:m4c7EGVJhnPTn+Wzpbg0WBqLescbckY8XFitxTpRwXrDYXYEaGchskdH:m4c7EGDh7nI0WBSesBkLFiNerD6rp

Score

10^/10

amadey redline laba mango discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

laba

193.233.20.28:4125

Attributes

auth_value
2cf01cffff9092a85ca7e106c547190b

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

con2811.exebus7443.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	con2811.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus7443.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus7443.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	con2811.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-216-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-217-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-221-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-219-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-223-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-225-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-227-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-229-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-231-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-233-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-235-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-237-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-239-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-245-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-243-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-247-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-241-0x00000000076D0000-0x000000000770E000-memory.dmp	family_redline
behavioral1/memory/2516-1135-0x0000000007110000-0x0000000007120000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge235550.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	ge235550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 9 IoCs

Processes:

kino4981.exekino2751.exekino9261.exebus7443.execon2811.exedWa97s47.exeen903751.exege235550.exemetafor.exe

pid	process
884	kino4981.exe
4368	kino2751.exe
4948	kino9261.exe
1992	bus7443.exe
2328	con2811.exe
2516	dWa97s47.exe
3460	en903751.exe
1456	ge235550.exe
3128	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

con2811.exebus7443.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	con2811.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus7443.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exekino4981.exekino2751.exekino9261.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4981.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino4981.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2751.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino9261.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4572	2328	WerFault.exe	con2811.exe
1476	2516	WerFault.exe	dWa97s47.exe
4548	4996	WerFault.exe	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

pid process

1992 bus7443.exe
1992 bus7443.exe
2328 con2811.exe
2328 con2811.exe
2516 dWa97s47.exe
2516 dWa97s47.exe
3460 en903751.exe
3460 en903751.exe

pid	process
3828	schtasks.exe

pid	process
1992	bus7443.exe
1992	bus7443.exe
2328	con2811.exe
2328	con2811.exe
2516	dWa97s47.exe
2516	dWa97s47.exe
3460	en903751.exe
3460	en903751.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus7443.execon2811.exedWa97s47.exeen903751.exe

description	pid	process
Token: SeDebugPrivilege	1992	bus7443.exe
Token: SeDebugPrivilege	2328	con2811.exe
Token: SeDebugPrivilege	2516	dWa97s47.exe
Token: SeDebugPrivilege	3460	en903751.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exekino4981.exekino2751.exekino9261.exege235550.exemetafor.execmd.exe

description	pid	process	target process
PID 4996 wrote to memory of 884	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	kino4981.exe
PID 4996 wrote to memory of 884	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	kino4981.exe
PID 4996 wrote to memory of 884	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	kino4981.exe
PID 884 wrote to memory of 4368	884	kino4981.exe	kino2751.exe
PID 884 wrote to memory of 4368	884	kino4981.exe	kino2751.exe
PID 884 wrote to memory of 4368	884	kino4981.exe	kino2751.exe
PID 4368 wrote to memory of 4948	4368	kino2751.exe	kino9261.exe
PID 4368 wrote to memory of 4948	4368	kino2751.exe	kino9261.exe
PID 4368 wrote to memory of 4948	4368	kino2751.exe	kino9261.exe
PID 4948 wrote to memory of 1992	4948	kino9261.exe	bus7443.exe
PID 4948 wrote to memory of 1992	4948	kino9261.exe	bus7443.exe
PID 4948 wrote to memory of 2328	4948	kino9261.exe	con2811.exe
PID 4948 wrote to memory of 2328	4948	kino9261.exe	con2811.exe
PID 4948 wrote to memory of 2328	4948	kino9261.exe	con2811.exe
PID 4368 wrote to memory of 2516	4368	kino2751.exe	dWa97s47.exe
PID 4368 wrote to memory of 2516	4368	kino2751.exe	dWa97s47.exe
PID 4368 wrote to memory of 2516	4368	kino2751.exe	dWa97s47.exe
PID 884 wrote to memory of 3460	884	kino4981.exe	en903751.exe
PID 884 wrote to memory of 3460	884	kino4981.exe	en903751.exe
PID 884 wrote to memory of 3460	884	kino4981.exe	en903751.exe
PID 4996 wrote to memory of 1456	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	ge235550.exe
PID 4996 wrote to memory of 1456	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	ge235550.exe
PID 4996 wrote to memory of 1456	4996	845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe	ge235550.exe
PID 1456 wrote to memory of 3128	1456	ge235550.exe	metafor.exe
PID 1456 wrote to memory of 3128	1456	ge235550.exe	metafor.exe
PID 1456 wrote to memory of 3128	1456	ge235550.exe	metafor.exe
PID 3128 wrote to memory of 3828	3128	metafor.exe	schtasks.exe
PID 3128 wrote to memory of 3828	3128	metafor.exe	schtasks.exe
PID 3128 wrote to memory of 3828	3128	metafor.exe	schtasks.exe
PID 3128 wrote to memory of 2160	3128	metafor.exe	cmd.exe
PID 3128 wrote to memory of 2160	3128	metafor.exe	cmd.exe
PID 3128 wrote to memory of 2160	3128	metafor.exe	cmd.exe
PID 2160 wrote to memory of 4756	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4756	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4756	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3816	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3816	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3816	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 2804	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 2804	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 2804	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 4308	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4308	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4308	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3344	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3344	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3344	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3716	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3716	2160	cmd.exe	cacls.exe
PID 2160 wrote to memory of 3716	2160	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe
"C:\Users\Admin\AppData\Local\Temp\845be0718d9b8f8dffa4066957acbbda33301aa0864a1f2b320d69bc7606690b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1092
6⤵
- Program crash
PID:4572

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1312
5⤵
- Program crash
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4756

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4308

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3344

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 424
2⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2328 -ip 2328
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2516 -ip 2516
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4996 -ip 4996
1⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge235550.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4981.exe
Filesize
844KB

MD5
5141c74fb0e966593d9f9ffedbac0b0a

SHA1
946a9eb50ba654837f75b601eeaa317183f20c2c

SHA256
8ec4f1f1f5caa93c49c291ce1f14e96c14f1e3a9e0204514ad004dcd6fed55fd

SHA512
29826a6c176b8004d0533b5cd75b663df71f9c6216d051e8f926b3daad650795622c20cd54797fdf595beca52bbeb6523884ae24543bb8e730b9ebc0b7093cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en903751.exe
Filesize
175KB

MD5
478e884952392c14b85cca1a6a4f3e35

SHA1
f3475db1427fec3eedf583f1b7b0f839b27f8d74

SHA256
bc576bf5f9a72ebbfbc11e59b8e384a1923eca8ec6c5234313c37865f74b7413

SHA512
b3a1c504d2a108049a5ee193da2f1bcdd99d269e75f08199c3fccedc0de298996418421b5e48d5c0f582bf775087537ff8f83c341ed2c0cbbcf38e956bffebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2751.exe
Filesize
702KB

MD5
3c59b877d484dc8a12b5a96e78747f04

SHA1
0c49aaf2228f0281d657194fced2c56ad05b9e5a

SHA256
d1b9b8da47fc3dc59d9f44aa5f7c6ff3c14bd4bd4ccd27296ffb049299e7b7d3

SHA512
5452d444590111c684aca4147671370caa04a3c4cc29212e93594fa5a0483c43473c5da2ecdc47939e038de62ef35d21d0d6201bee91713d09505f8ba36aadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dWa97s47.exe
Filesize
395KB

MD5
e25387fb916a34d4affe07ade28d8455

SHA1
b5bb0ac2c95612be258c13f03718e33ac07f508a

SHA256
db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

SHA512
4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9261.exe
Filesize
348KB

MD5
1efa83425eabab9a22fbe7729b0152ae

SHA1
819eb1db62529387bc29f5e06f665cea513cfe28

SHA256
0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

SHA512
3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus7443.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\con2811.exe
Filesize
338KB

MD5
5cd6b1f2c41d7a661c6df2e1b21f36c4

SHA1
4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

SHA256
92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

SHA512
490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

Download Submit
memory/1992-163-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/2328-185-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-209-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-179-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-187-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-189-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-191-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-195-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-193-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-197-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-199-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-201-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-203-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-205-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/2328-183-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-208-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-207-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-181-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-210-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/2328-177-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-176-0x00000000071B0000-0x00000000071C2000-memory.dmp

Filesize
72KB

Download
memory/2328-175-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-173-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-174-0x00000000071E0000-0x00000000071F0000-memory.dmp

Filesize
64KB

Download
memory/2328-172-0x00000000071F0000-0x0000000007794000-memory.dmp

Filesize
5.6MB

Download
memory/2328-171-0x0000000002B10000-0x0000000002B3D000-memory.dmp

Filesize
180KB

Download
memory/2516-219-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-1134-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-231-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-233-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-235-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-237-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-239-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-245-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-243-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-247-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-241-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-361-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-359-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-357-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-1126-0x0000000007720000-0x0000000007D38000-memory.dmp

Filesize
6.1MB

Download
memory/2516-1127-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

Filesize
1.0MB

Download
memory/2516-1128-0x0000000007F00000-0x0000000007F12000-memory.dmp

Filesize
72KB

Download
memory/2516-1129-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-1130-0x0000000007F20000-0x0000000007F5C000-memory.dmp

Filesize
240KB

Download
memory/2516-1132-0x0000000002C90000-0x0000000002CDB000-memory.dmp

Filesize
300KB

Download
memory/2516-1133-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-229-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-1135-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-1137-0x0000000008210000-0x00000000082A2000-memory.dmp

Filesize
584KB

Download
memory/2516-1138-0x00000000082B0000-0x0000000008316000-memory.dmp

Filesize
408KB

Download
memory/2516-1139-0x00000000089B0000-0x0000000008A26000-memory.dmp

Filesize
472KB

Download
memory/2516-1140-0x0000000008A40000-0x0000000008A90000-memory.dmp

Filesize
320KB

Download
memory/2516-1141-0x0000000008CF0000-0x0000000008EB2000-memory.dmp

Filesize
1.8MB

Download
memory/2516-1142-0x0000000008ED0000-0x00000000093FC000-memory.dmp

Filesize
5.2MB

Download
memory/2516-1143-0x0000000007110000-0x0000000007120000-memory.dmp

Filesize
64KB

Download
memory/2516-227-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-225-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-215-0x0000000002C90000-0x0000000002CDB000-memory.dmp

Filesize
300KB

Download
memory/2516-216-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-223-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-221-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/2516-217-0x00000000076D0000-0x000000000770E000-memory.dmp

Filesize
248KB

Download
memory/3460-1151-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/3460-1150-0x0000000000080000-0x00000000000B2000-memory.dmp

Filesize
200KB

Download
memory/4996-134-0x0000000004C30000-0x0000000004D32000-memory.dmp

Filesize
1.0MB

Download
memory/4996-164-0x0000000000400000-0x0000000002BE2000-memory.dmp

Filesize
39.9MB

Download
memory/4996-165-0x0000000004C30000-0x0000000004D32000-memory.dmp

Filesize
1.0MB

Download