amadey | c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe
Size

1010KB
MD5

7e9f8eba2b7bf7dc063d94d061fa83c0
SHA1

e84f896cd9627c811d28f1dfb16afa5c57618fc3
SHA256

c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2
SHA512

fa50f5a6f0ee2c98fe7e0a9b3067b8edb2daf40bb9359484f5008854f2522e2a1d170336f94a89aa6e18d43cd9271ab70132c15d539a1000fba9419cf239c799
SSDEEP

24576:YyHet+4fuaKLGxFbS28Cn6Sgf5GHhfRWzocXx:fSlXxW28wjgIHh5i

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor6477.exebus1813.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor6477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor6477.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus1813.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor6477.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor6477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor6477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor6477.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4816-210-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-211-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-213-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-215-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-219-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-223-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-225-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-227-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-231-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-233-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-229-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-235-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-237-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-239-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-241-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-243-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-245-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-247-0x0000000004D00000-0x0000000004D3E000-memory.dmp	family_redline
behavioral1/memory/4816-1130-0x00000000072C0000-0x00000000072D0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege480057.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	ge480057.exe

Executes dropped EXE 10 IoCs

Processes:

kino1224.exekino8954.exekino7242.exebus1813.execor6477.exedHH83s99.exeen040945.exege480057.exemetafor.exemetafor.exe

pid	process
3508	kino1224.exe
5044	kino8954.exe
4416	kino7242.exe
2072	bus1813.exe
64	cor6477.exe
4816	dHH83s99.exe
3512	en040945.exe
3676	ge480057.exe
2072	metafor.exe
1860	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus1813.execor6477.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus1813.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor6477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor6477.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino8954.exekino7242.exec8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exekino1224.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino8954.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino7242.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino1224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino1224.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8954.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2788 64 WerFault.exe cor6477.exe
548 4816 WerFault.exe dHH83s99.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus1813.execor6477.exedHH83s99.exeen040945.exe

pid process

2072 bus1813.exe
2072 bus1813.exe
64 cor6477.exe
64 cor6477.exe
4816 dHH83s99.exe
4816 dHH83s99.exe
3512 en040945.exe
3512 en040945.exe

pid	pid_target	process	target process
2788	64	WerFault.exe	cor6477.exe
548	4816	WerFault.exe	dHH83s99.exe

pid	process
2004	schtasks.exe

pid	process
2072	bus1813.exe
2072	bus1813.exe
64	cor6477.exe
64	cor6477.exe
4816	dHH83s99.exe
4816	dHH83s99.exe
3512	en040945.exe
3512	en040945.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus1813.execor6477.exedHH83s99.exeen040945.exe

description	pid	process
Token: SeDebugPrivilege	2072	bus1813.exe
Token: SeDebugPrivilege	64	cor6477.exe
Token: SeDebugPrivilege	4816	dHH83s99.exe
Token: SeDebugPrivilege	3512	en040945.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exekino1224.exekino8954.exekino7242.exege480057.exemetafor.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 3508	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	kino1224.exe
PID 1208 wrote to memory of 3508	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	kino1224.exe
PID 1208 wrote to memory of 3508	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	kino1224.exe
PID 3508 wrote to memory of 5044	3508	kino1224.exe	kino8954.exe
PID 3508 wrote to memory of 5044	3508	kino1224.exe	kino8954.exe
PID 3508 wrote to memory of 5044	3508	kino1224.exe	kino8954.exe
PID 5044 wrote to memory of 4416	5044	kino8954.exe	kino7242.exe
PID 5044 wrote to memory of 4416	5044	kino8954.exe	kino7242.exe
PID 5044 wrote to memory of 4416	5044	kino8954.exe	kino7242.exe
PID 4416 wrote to memory of 2072	4416	kino7242.exe	bus1813.exe
PID 4416 wrote to memory of 2072	4416	kino7242.exe	bus1813.exe
PID 4416 wrote to memory of 64	4416	kino7242.exe	cor6477.exe
PID 4416 wrote to memory of 64	4416	kino7242.exe	cor6477.exe
PID 4416 wrote to memory of 64	4416	kino7242.exe	cor6477.exe
PID 5044 wrote to memory of 4816	5044	kino8954.exe	dHH83s99.exe
PID 5044 wrote to memory of 4816	5044	kino8954.exe	dHH83s99.exe
PID 5044 wrote to memory of 4816	5044	kino8954.exe	dHH83s99.exe
PID 3508 wrote to memory of 3512	3508	kino1224.exe	en040945.exe
PID 3508 wrote to memory of 3512	3508	kino1224.exe	en040945.exe
PID 3508 wrote to memory of 3512	3508	kino1224.exe	en040945.exe
PID 1208 wrote to memory of 3676	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	ge480057.exe
PID 1208 wrote to memory of 3676	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	ge480057.exe
PID 1208 wrote to memory of 3676	1208	c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe	ge480057.exe
PID 3676 wrote to memory of 2072	3676	ge480057.exe	metafor.exe
PID 3676 wrote to memory of 2072	3676	ge480057.exe	metafor.exe
PID 3676 wrote to memory of 2072	3676	ge480057.exe	metafor.exe
PID 2072 wrote to memory of 2004	2072	metafor.exe	schtasks.exe
PID 2072 wrote to memory of 2004	2072	metafor.exe	schtasks.exe
PID 2072 wrote to memory of 2004	2072	metafor.exe	schtasks.exe
PID 2072 wrote to memory of 4476	2072	metafor.exe	cmd.exe
PID 2072 wrote to memory of 4476	2072	metafor.exe	cmd.exe
PID 2072 wrote to memory of 4476	2072	metafor.exe	cmd.exe
PID 4476 wrote to memory of 4256	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 4256	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 4256	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3260	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3260	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3260	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3172	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3172	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3172	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 4328	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 4328	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 4328	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3472	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3472	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3472	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 392	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 392	4476	cmd.exe	cacls.exe
PID 4476 wrote to memory of 392	4476	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe
"C:\Users\Admin\AppData\Local\Temp\c8282ffa0ae42bd5cb806352ecb6219291f918992fc929516059dd00870739e2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1224.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1224.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8954.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8954.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7242.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7242.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1813.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1813.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6477.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6477.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1084
6⤵
- Program crash
PID:2788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHH83s99.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHH83s99.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1352
5⤵
- Program crash
PID:548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en040945.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en040945.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge480057.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge480057.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4256

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3260

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4328

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 64 -ip 64
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4816 -ip 4816
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge480057.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge480057.exe

Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1224.exe

Filesize
827KB

MD5
9e80b902a2b9689fd0f9a80e7715998a

SHA1
427d10b42f4012f14f158b71088f843766f5307d

SHA256
28c041747f6b11861d5ee266cc5093122d280995338ca82a38a4130aa421a309

SHA512
704498e7ad989c12b086768fb7c6152814b7c430fed69b7202c8c01b2b8b9edac110bb3d4418c671a2077cba3f11c9c058ea08cf16c538481598810e5ada0708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino1224.exe

Filesize
827KB

MD5
9e80b902a2b9689fd0f9a80e7715998a

SHA1
427d10b42f4012f14f158b71088f843766f5307d

SHA256
28c041747f6b11861d5ee266cc5093122d280995338ca82a38a4130aa421a309

SHA512
704498e7ad989c12b086768fb7c6152814b7c430fed69b7202c8c01b2b8b9edac110bb3d4418c671a2077cba3f11c9c058ea08cf16c538481598810e5ada0708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en040945.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en040945.exe

Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8954.exe

Filesize
685KB

MD5
c5a33dc5a034e2c242ff72ce15856428

SHA1
05378fc9535132d64153f6a555c6fca557660ac0

SHA256
7e0b40c8daba00f8d0b86c515974f8424c94491a360af5093e8c72d6f278f649

SHA512
ab692f7a63ae3cc5316a31649e55d83a4aeab97a5d3c30d44f94cfd4b191f75cdb892a2321f0210f288945099d867fd76fa0440ae1d1660c246ae7ddf375472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino8954.exe

Filesize
685KB

MD5
c5a33dc5a034e2c242ff72ce15856428

SHA1
05378fc9535132d64153f6a555c6fca557660ac0

SHA256
7e0b40c8daba00f8d0b86c515974f8424c94491a360af5093e8c72d6f278f649

SHA512
ab692f7a63ae3cc5316a31649e55d83a4aeab97a5d3c30d44f94cfd4b191f75cdb892a2321f0210f288945099d867fd76fa0440ae1d1660c246ae7ddf375472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHH83s99.exe

Filesize
356KB

MD5
ab3f4b5c6f67974e8d923e4dce0c1469

SHA1
96e00d86f4a1c1fd8973d5306cf93a8a3cc9064d

SHA256
55100e8c778f0722f8689d2cc52f4f3ef6355592fe0bc4d0103958274d96f605

SHA512
f58fe280bb1ba88c7b81fedb5af76896784c7fed609e39ebf675a56f944447812571be72b0e1bafec76dbc52df3ba136ab31709ee0c55ecf821a4ad8628f46be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dHH83s99.exe

Filesize
356KB

MD5
ab3f4b5c6f67974e8d923e4dce0c1469

SHA1
96e00d86f4a1c1fd8973d5306cf93a8a3cc9064d

SHA256
55100e8c778f0722f8689d2cc52f4f3ef6355592fe0bc4d0103958274d96f605

SHA512
f58fe280bb1ba88c7b81fedb5af76896784c7fed609e39ebf675a56f944447812571be72b0e1bafec76dbc52df3ba136ab31709ee0c55ecf821a4ad8628f46be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7242.exe

Filesize
339KB

MD5
2ec1b33d1637159456198638e980cac7

SHA1
383dff6d7b89b46517abad74c9edcb3222696540

SHA256
0ec71d6025fc5cb549540aa73002f3307bebcf8632a09c2230f8d5077050720f

SHA512
e782e1217067fdfdf6c413594c0508c37caff719e88f58d46d6dd236ca02d25487a951b06ace017984f5d825f216ab59e9e8a963e9da0b97725e5e5dc49b9f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino7242.exe

Filesize
339KB

MD5
2ec1b33d1637159456198638e980cac7

SHA1
383dff6d7b89b46517abad74c9edcb3222696540

SHA256
0ec71d6025fc5cb549540aa73002f3307bebcf8632a09c2230f8d5077050720f

SHA512
e782e1217067fdfdf6c413594c0508c37caff719e88f58d46d6dd236ca02d25487a951b06ace017984f5d825f216ab59e9e8a963e9da0b97725e5e5dc49b9f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1813.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus1813.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6477.exe

Filesize
298KB

MD5
72442bcb6f592fee0aedabe7eed5ec9c

SHA1
c3d09af1b0991185f5a9a3f2fc48e0145b8b91ee

SHA256
ca104a477958d099797fe702aa5f1a7da639bc069b921999308730596b4baf30

SHA512
99214f04efd0a0e5ac124ecebdabed2f72c29d3c9789a0cbfb70b646073646d14fe44105a75cff0565a21c3ffd84bfe5e349f7e0a1bbd23bc6a407392ad9202a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor6477.exe

Filesize
298KB

MD5
72442bcb6f592fee0aedabe7eed5ec9c

SHA1
c3d09af1b0991185f5a9a3f2fc48e0145b8b91ee

SHA256
ca104a477958d099797fe702aa5f1a7da639bc069b921999308730596b4baf30

SHA512
99214f04efd0a0e5ac124ecebdabed2f72c29d3c9789a0cbfb70b646073646d14fe44105a75cff0565a21c3ffd84bfe5e349f7e0a1bbd23bc6a407392ad9202a

Download Submit
memory/64-183-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/64-181-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-185-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-177-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-187-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-189-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-191-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-193-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-195-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-197-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-198-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/64-199-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/64-179-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-201-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/64-203-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/64-204-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/64-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/64-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/64-175-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-173-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-171-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-170-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/64-169-0x0000000007280000-0x0000000007824000-memory.dmp

Filesize
5.6MB

Download
memory/64-168-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/2072-161-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/3512-1142-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/3512-1141-0x00000000009D0000-0x0000000000A02000-memory.dmp

Filesize
200KB

Download
memory/4816-216-0x0000000002C90000-0x0000000002CDB000-memory.dmp

Filesize
300KB

Download
memory/4816-225-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-227-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-231-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-233-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-229-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-235-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-237-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-239-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-241-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-243-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-245-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-247-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-1120-0x0000000007980000-0x0000000007F98000-memory.dmp

Filesize
6.1MB

Download
memory/4816-1121-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/4816-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4816-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4816-1124-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-1126-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4816-1127-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4816-1128-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-1129-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-1130-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-1131-0x0000000008C80000-0x0000000008E42000-memory.dmp

Filesize
1.8MB

Download
memory/4816-1132-0x0000000008E60000-0x000000000938C000-memory.dmp

Filesize
5.2MB

Download
memory/4816-1133-0x00000000094C0000-0x0000000009536000-memory.dmp

Filesize
472KB

Download
memory/4816-1134-0x0000000009550000-0x00000000095A0000-memory.dmp

Filesize
320KB

Download
memory/4816-223-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-222-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-219-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-220-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-218-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/4816-215-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-213-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-211-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-210-0x0000000004D00000-0x0000000004D3E000-memory.dmp

Filesize
248KB

Download
memory/4816-1136-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download