amadey | 90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe
Size

1.0MB
MD5

14cb311d7148df3a210cabec07e5df14
SHA1

2539f30668a7615e40e079057dd870dad4e87c8c
SHA256

90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340
SHA512

796c30d0594de5b120ec7c12d970b2eb5757bc3721104e688ee1efb0f195b96a7f9b38ec648df18c70f8a2ba16852e0b79ca5060b9dc4792f52b1e9ba3dbc6d5
SSDEEP

24576:vy0Fn3uXgu7dh3uSxByw4+Qb6y9703SwRmjGVge8xecxb:64TuBhTxh4+PE7wSwUjVe

Score

10^/10

amadey redline down trap discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

trap

193.233.20.30:4125

Attributes

auth_value
b39a737e2e9eba88e48ab88d1061be9c

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor0980.exebus1226.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor0980.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus1226.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus1226.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus1226.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus1226.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus1226.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus1226.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3728-212-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-215-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-213-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-217-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-219-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-221-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-223-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-225-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-227-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-229-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-231-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-233-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-235-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-237-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-239-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-241-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-243-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline
behavioral1/memory/3728-245-0x00000000028C0000-0x00000000028FE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge586858.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ge586858.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino4880.exekino4520.exekino8023.exebus1226.execor0980.exedgh63s36.exeen152871.exege586858.exemetafor.exemetafor.exe

pid	process
3012	kino4880.exe
220	kino4520.exe
4752	kino8023.exe
4056	bus1226.exe
2536	cor0980.exe
3728	dgh63s36.exe
3576	en152871.exe
1876	ge586858.exe
3132	metafor.exe
4612	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor0980.exebus1226.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor0980.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus1226.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor0980.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino4880.exekino4520.exekino8023.exe90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino4880.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4520.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino4520.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8023.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino8023.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4136 2536 WerFault.exe cor0980.exe
2064 3728 WerFault.exe dgh63s36.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus1226.execor0980.exedgh63s36.exeen152871.exe

pid process

4056 bus1226.exe
4056 bus1226.exe
2536 cor0980.exe
2536 cor0980.exe
3728 dgh63s36.exe
3728 dgh63s36.exe
3576 en152871.exe
3576 en152871.exe

pid	pid_target	process	target process
4136	2536	WerFault.exe	cor0980.exe
2064	3728	WerFault.exe	dgh63s36.exe

pid	process
1684	schtasks.exe

pid	process
4056	bus1226.exe
4056	bus1226.exe
2536	cor0980.exe
2536	cor0980.exe
3728	dgh63s36.exe
3728	dgh63s36.exe
3576	en152871.exe
3576	en152871.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus1226.execor0980.exedgh63s36.exeen152871.exe

description	pid	process
Token: SeDebugPrivilege	4056	bus1226.exe
Token: SeDebugPrivilege	2536	cor0980.exe
Token: SeDebugPrivilege	3728	dgh63s36.exe
Token: SeDebugPrivilege	3576	en152871.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exekino4880.exekino4520.exekino8023.exege586858.exemetafor.execmd.exe

description	pid	process	target process
PID 1732 wrote to memory of 3012	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	kino4880.exe
PID 1732 wrote to memory of 3012	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	kino4880.exe
PID 1732 wrote to memory of 3012	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	kino4880.exe
PID 3012 wrote to memory of 220	3012	kino4880.exe	kino4520.exe
PID 3012 wrote to memory of 220	3012	kino4880.exe	kino4520.exe
PID 3012 wrote to memory of 220	3012	kino4880.exe	kino4520.exe
PID 220 wrote to memory of 4752	220	kino4520.exe	kino8023.exe
PID 220 wrote to memory of 4752	220	kino4520.exe	kino8023.exe
PID 220 wrote to memory of 4752	220	kino4520.exe	kino8023.exe
PID 4752 wrote to memory of 4056	4752	kino8023.exe	bus1226.exe
PID 4752 wrote to memory of 4056	4752	kino8023.exe	bus1226.exe
PID 4752 wrote to memory of 2536	4752	kino8023.exe	cor0980.exe
PID 4752 wrote to memory of 2536	4752	kino8023.exe	cor0980.exe
PID 4752 wrote to memory of 2536	4752	kino8023.exe	cor0980.exe
PID 220 wrote to memory of 3728	220	kino4520.exe	dgh63s36.exe
PID 220 wrote to memory of 3728	220	kino4520.exe	dgh63s36.exe
PID 220 wrote to memory of 3728	220	kino4520.exe	dgh63s36.exe
PID 3012 wrote to memory of 3576	3012	kino4880.exe	en152871.exe
PID 3012 wrote to memory of 3576	3012	kino4880.exe	en152871.exe
PID 3012 wrote to memory of 3576	3012	kino4880.exe	en152871.exe
PID 1732 wrote to memory of 1876	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	ge586858.exe
PID 1732 wrote to memory of 1876	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	ge586858.exe
PID 1732 wrote to memory of 1876	1732	90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe	ge586858.exe
PID 1876 wrote to memory of 3132	1876	ge586858.exe	metafor.exe
PID 1876 wrote to memory of 3132	1876	ge586858.exe	metafor.exe
PID 1876 wrote to memory of 3132	1876	ge586858.exe	metafor.exe
PID 3132 wrote to memory of 1684	3132	metafor.exe	schtasks.exe
PID 3132 wrote to memory of 1684	3132	metafor.exe	schtasks.exe
PID 3132 wrote to memory of 1684	3132	metafor.exe	schtasks.exe
PID 3132 wrote to memory of 4056	3132	metafor.exe	cmd.exe
PID 3132 wrote to memory of 4056	3132	metafor.exe	cmd.exe
PID 3132 wrote to memory of 4056	3132	metafor.exe	cmd.exe
PID 4056 wrote to memory of 3584	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 3584	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 3584	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 4784	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4784	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4784	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 1136	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 1136	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 1136	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 3400	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 3400	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 3400	4056	cmd.exe	cmd.exe
PID 4056 wrote to memory of 4028	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4028	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4028	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4452	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4452	4056	cmd.exe	cacls.exe
PID 4056 wrote to memory of 4452	4056	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe
"C:\Users\Admin\AppData\Local\Temp\90af1f334ed8b3a26b1657d4929edf40531fcbe2a69ec0b815bad8c36273a340.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4880.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4880.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4520.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4520.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8023.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8023.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1226.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1226.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0980.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0980.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1080
6⤵
- Program crash
PID:4136

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgh63s36.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgh63s36.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 1636
5⤵
- Program crash
PID:2064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en152871.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en152871.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge586858.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge586858.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3584

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3400

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2536 -ip 2536
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3728 -ip 3728
1⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge586858.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge586858.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4880.exe
Filesize
842KB

MD5
9d25e54d1c87c04fe1edf86a28bf3a0c

SHA1
b82f0a58473d37db44eb8f918d8b83db552ea7ef

SHA256
38daf359c6de0a44c282a7278234f87d7620a869b3ce93581dbe6d20625db6f5

SHA512
2426cfa6b9746fed943b4d756656b53801ad9ad79cda2878cca69519d90bcfc7e110f9f6d83d8a303338f004c74a3a10b60d7784c6c772a9917b2361aa4d83f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino4880.exe
Filesize
842KB

MD5
9d25e54d1c87c04fe1edf86a28bf3a0c

SHA1
b82f0a58473d37db44eb8f918d8b83db552ea7ef

SHA256
38daf359c6de0a44c282a7278234f87d7620a869b3ce93581dbe6d20625db6f5

SHA512
2426cfa6b9746fed943b4d756656b53801ad9ad79cda2878cca69519d90bcfc7e110f9f6d83d8a303338f004c74a3a10b60d7784c6c772a9917b2361aa4d83f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en152871.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en152871.exe
Filesize
175KB

MD5
581e8f97deca3769f1bc14882c9f26dc

SHA1
b69eb0b0c175888de0fa1ea7a0a045d69138d18e

SHA256
b277fd59e05cce33d218d0e9720f041eff2d7a5477b1e2843a6123aad307cd86

SHA512
f56835f4598bb5b121071373d760facd9173efdfadb741f99e3752c825f558b92922a3813606130ff0ed0f886d2d2858a0412d42284d3a941f0702d08eaec065

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4520.exe
Filesize
699KB

MD5
cdcd8f35029777ff68cab6e14cc5b69b

SHA1
92b9df4b34bc21eeec781877b46295d7ebf1f5f8

SHA256
fa4d2ddcde24f3dfe869fc49650c94d2e78dad7ab0ca29d819136217834b59a5

SHA512
1e161c39d4b9b7d9ad33b12c73c58071b137059f624b6a3c8b6bbf263e0938a936dc0a8d9abf53118e4d969d726e99ad0517e43d8b903809acf560d7457ebe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino4520.exe
Filesize
699KB

MD5
cdcd8f35029777ff68cab6e14cc5b69b

SHA1
92b9df4b34bc21eeec781877b46295d7ebf1f5f8

SHA256
fa4d2ddcde24f3dfe869fc49650c94d2e78dad7ab0ca29d819136217834b59a5

SHA512
1e161c39d4b9b7d9ad33b12c73c58071b137059f624b6a3c8b6bbf263e0938a936dc0a8d9abf53118e4d969d726e99ad0517e43d8b903809acf560d7457ebe13

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgh63s36.exe
Filesize
358KB

MD5
683027859edc43f2cfffe2e45277e098

SHA1
5e60e4f587a35695dd1bb4bb5607c4da661106d1

SHA256
c7338509da567d52156e2af7a55eaa9f7d354d1f321f359940aa829c4a711aee

SHA512
9faef9015830d7c4b2c19ad7fceefa0098dfb90b21f9705df5bbc257acd5f33206a91e01eb94557bf69cbf621a8ff927348b9a79441d3fd741de0774cc0a1d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dgh63s36.exe
Filesize
358KB

MD5
683027859edc43f2cfffe2e45277e098

SHA1
5e60e4f587a35695dd1bb4bb5607c4da661106d1

SHA256
c7338509da567d52156e2af7a55eaa9f7d354d1f321f359940aa829c4a711aee

SHA512
9faef9015830d7c4b2c19ad7fceefa0098dfb90b21f9705df5bbc257acd5f33206a91e01eb94557bf69cbf621a8ff927348b9a79441d3fd741de0774cc0a1d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8023.exe
Filesize
346KB

MD5
7952873d26ea97eb7fdb719f66f764d0

SHA1
5ee43150f137386e6501849d8ac1174f9512a534

SHA256
98f4767b7bc37370b056411579d2847c3248dd3a2e5259f991ff68c338fececf

SHA512
c6f2716613fdef6b85233398c7a281f8fc46168dbf245bd13e3b95467b377755c43637a219025d3b42a44b4cab437040ca882e4d4c74953a26203adc4ce7d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8023.exe
Filesize
346KB

MD5
7952873d26ea97eb7fdb719f66f764d0

SHA1
5ee43150f137386e6501849d8ac1174f9512a534

SHA256
98f4767b7bc37370b056411579d2847c3248dd3a2e5259f991ff68c338fececf

SHA512
c6f2716613fdef6b85233398c7a281f8fc46168dbf245bd13e3b95467b377755c43637a219025d3b42a44b4cab437040ca882e4d4c74953a26203adc4ce7d7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1226.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1226.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0980.exe
Filesize
300KB

MD5
773052a5304dc10347194709187a1a06

SHA1
175848eb253b76ed4b00db89166828d65b0d876d

SHA256
978cbf93c8fcaf237753c5e6f250605b1afc6b450b1f309c7f96d17328493fd7

SHA512
f18a468d70bf1f099f1d668e856355612f32a421f4db63aaf591b9255bdd26b817b3a6931236acb86d73c532c5efe23a9439c08a4db6555ffbd5e7ddcf79c220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor0980.exe
Filesize
300KB

MD5
773052a5304dc10347194709187a1a06

SHA1
175848eb253b76ed4b00db89166828d65b0d876d

SHA256
978cbf93c8fcaf237753c5e6f250605b1afc6b450b1f309c7f96d17328493fd7

SHA512
f18a468d70bf1f099f1d668e856355612f32a421f4db63aaf591b9255bdd26b817b3a6931236acb86d73c532c5efe23a9439c08a4db6555ffbd5e7ddcf79c220

Download Submit
memory/2536-178-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-199-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2536-167-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/2536-180-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-182-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-184-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-186-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-188-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-190-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-192-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-194-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-196-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-198-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-176-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-200-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2536-201-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2536-202-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2536-204-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2536-174-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-172-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-171-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/2536-170-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2536-169-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2536-168-0x0000000004EF0000-0x0000000005494000-memory.dmp

Filesize
5.6MB

Download
memory/3576-1139-0x00000000003D0000-0x0000000000402000-memory.dmp

Filesize
200KB

Download
memory/3576-1140-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3728-211-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-223-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-225-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-227-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-229-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-231-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-233-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-235-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-237-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-239-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-241-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-243-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-245-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-1118-0x0000000005550000-0x0000000005B68000-memory.dmp

Filesize
6.1MB

Download
memory/3728-1119-0x0000000005B70000-0x0000000005C7A000-memory.dmp

Filesize
1.0MB

Download
memory/3728-1120-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/3728-1121-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1122-0x0000000005C80000-0x0000000005CBC000-memory.dmp

Filesize
240KB

Download
memory/3728-1124-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1125-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1126-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1127-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/3728-1128-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3728-1129-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1130-0x0000000006950000-0x0000000006B12000-memory.dmp

Filesize
1.8MB

Download
memory/3728-1131-0x0000000006B30000-0x000000000705C000-memory.dmp

Filesize
5.2MB

Download
memory/3728-221-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-219-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-217-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-213-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-215-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-212-0x00000000028C0000-0x00000000028FE000-memory.dmp

Filesize
248KB

Download
memory/3728-209-0x0000000000880000-0x00000000008CB000-memory.dmp

Filesize
300KB

Download
memory/3728-210-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/3728-1132-0x0000000007180000-0x00000000071F6000-memory.dmp

Filesize
472KB

Download
memory/3728-1133-0x0000000007220000-0x0000000007270000-memory.dmp

Filesize
320KB

Download
memory/4056-161-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download