amadey | db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03

Analysis

max time kernel
115s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe
Size

1010KB
MD5

cb1e8d526a044e4f8ab050c7b3e1d4e1
SHA1

11a05947f8975c3b4c7025a01a31e173643d9331
SHA256

db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03
SHA512

41651a42b4eceb47bbee17b6f990de7665ccd5774649b899b7ae00edd3748335600796aad6841c603e2bc28c94ed7379261970c91e2a2a5467919f46b401135a
SSDEEP

24576:ayK6gmjIp1ON1entmGTjz1bSkEWh4bRciSuJj:hK6gOcntJp3EWh4bRciSuJ

Score

10^/10

amadey redline down roxi discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

roxi

193.233.20.31:4125

Attributes

auth_value
9d8be78c896acc3cf8b8a6637a221376

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor4214.exebus5271.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus5271.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus5271.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus5271.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus5271.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus5271.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4214.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus5271.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2412-210-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-213-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-211-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-215-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-217-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-221-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-219-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-223-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-230-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-231-0x0000000007200000-0x0000000007210000-memory.dmp	family_redline
behavioral1/memory/2412-233-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-235-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-226-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-237-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-239-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-241-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-245-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-243-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline
behavioral1/memory/2412-247-0x0000000007130000-0x000000000716E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge033111.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge033111.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino9404.exekino3217.exekino2020.exebus5271.execor4214.exedsO91s14.exeen981945.exege033111.exemetafor.exemetafor.exe

pid	process
612	kino9404.exe
2172	kino3217.exe
3748	kino2020.exe
3032	bus5271.exe
2236	cor4214.exe
2412	dsO91s14.exe
4272	en981945.exe
2060	ge033111.exe
2016	metafor.exe
3336	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cor4214.exebus5271.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4214.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus5271.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino9404.exekino3217.exekino2020.exedb6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9404.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino9404.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3217.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino2020.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4668 2236 WerFault.exe cor4214.exe
1476 2412 WerFault.exe dsO91s14.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2928 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus5271.execor4214.exedsO91s14.exeen981945.exe

pid process

3032 bus5271.exe
3032 bus5271.exe
2236 cor4214.exe
2236 cor4214.exe
2412 dsO91s14.exe
2412 dsO91s14.exe
4272 en981945.exe
4272 en981945.exe

pid	pid_target	process	target process
4668	2236	WerFault.exe	cor4214.exe
1476	2412	WerFault.exe	dsO91s14.exe

pid	process
2928	schtasks.exe

pid	process
3032	bus5271.exe
3032	bus5271.exe
2236	cor4214.exe
2236	cor4214.exe
2412	dsO91s14.exe
2412	dsO91s14.exe
4272	en981945.exe
4272	en981945.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus5271.execor4214.exedsO91s14.exeen981945.exe

description	pid	process
Token: SeDebugPrivilege	3032	bus5271.exe
Token: SeDebugPrivilege	2236	cor4214.exe
Token: SeDebugPrivilege	2412	dsO91s14.exe
Token: SeDebugPrivilege	4272	en981945.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exekino9404.exekino3217.exekino2020.exege033111.exemetafor.execmd.exe

description	pid	process	target process
PID 5092 wrote to memory of 612	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	kino9404.exe
PID 5092 wrote to memory of 612	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	kino9404.exe
PID 5092 wrote to memory of 612	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	kino9404.exe
PID 612 wrote to memory of 2172	612	kino9404.exe	kino3217.exe
PID 612 wrote to memory of 2172	612	kino9404.exe	kino3217.exe
PID 612 wrote to memory of 2172	612	kino9404.exe	kino3217.exe
PID 2172 wrote to memory of 3748	2172	kino3217.exe	kino2020.exe
PID 2172 wrote to memory of 3748	2172	kino3217.exe	kino2020.exe
PID 2172 wrote to memory of 3748	2172	kino3217.exe	kino2020.exe
PID 3748 wrote to memory of 3032	3748	kino2020.exe	bus5271.exe
PID 3748 wrote to memory of 3032	3748	kino2020.exe	bus5271.exe
PID 3748 wrote to memory of 2236	3748	kino2020.exe	cor4214.exe
PID 3748 wrote to memory of 2236	3748	kino2020.exe	cor4214.exe
PID 3748 wrote to memory of 2236	3748	kino2020.exe	cor4214.exe
PID 2172 wrote to memory of 2412	2172	kino3217.exe	dsO91s14.exe
PID 2172 wrote to memory of 2412	2172	kino3217.exe	dsO91s14.exe
PID 2172 wrote to memory of 2412	2172	kino3217.exe	dsO91s14.exe
PID 612 wrote to memory of 4272	612	kino9404.exe	en981945.exe
PID 612 wrote to memory of 4272	612	kino9404.exe	en981945.exe
PID 612 wrote to memory of 4272	612	kino9404.exe	en981945.exe
PID 5092 wrote to memory of 2060	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	ge033111.exe
PID 5092 wrote to memory of 2060	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	ge033111.exe
PID 5092 wrote to memory of 2060	5092	db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe	ge033111.exe
PID 2060 wrote to memory of 2016	2060	ge033111.exe	metafor.exe
PID 2060 wrote to memory of 2016	2060	ge033111.exe	metafor.exe
PID 2060 wrote to memory of 2016	2060	ge033111.exe	metafor.exe
PID 2016 wrote to memory of 2928	2016	metafor.exe	schtasks.exe
PID 2016 wrote to memory of 2928	2016	metafor.exe	schtasks.exe
PID 2016 wrote to memory of 2928	2016	metafor.exe	schtasks.exe
PID 2016 wrote to memory of 4536	2016	metafor.exe	cmd.exe
PID 2016 wrote to memory of 4536	2016	metafor.exe	cmd.exe
PID 2016 wrote to memory of 4536	2016	metafor.exe	cmd.exe
PID 4536 wrote to memory of 4844	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 4844	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 4844	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 728	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 728	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 728	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3196	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3196	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3196	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 1788	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 1788	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 1788	4536	cmd.exe	cmd.exe
PID 4536 wrote to memory of 3444	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3444	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 3444	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 4676	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 4676	4536	cmd.exe	cacls.exe
PID 4536 wrote to memory of 4676	4536	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe
"C:\Users\Admin\AppData\Local\Temp\db6de923a7a8ebc395e9b0e111afcb170d3e899bb4cd8bdebee483698577ab03.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9404.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9404.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3217.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3217.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2020.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2020.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5271.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5271.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4214.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4214.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1096
6⤵
- Program crash
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsO91s14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsO91s14.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1344
5⤵
- Program crash
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en981945.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en981945.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033111.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033111.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4844

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:728

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1788

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:3444

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2236 -ip 2236
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2412 -ip 2412
1⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033111.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge033111.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9404.exe
Filesize
827KB

MD5
d04da0210ac4ff197600f3d0a0c39468

SHA1
a3f45bafafb1fd5061efe0a6176ff081ea38c78d

SHA256
f6e593f545a9ab4bb0876bdc68681128a7dc7e7eb88803285b393bd2879f5a51

SHA512
4d8434b52db6957469b147be944815fef8311d548e840254335ccf0f34bcc4a4f6a8d1f305e84ffa8467bc1be52a962fa6e82219387ba5acc77ea0972c3a1359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9404.exe
Filesize
827KB

MD5
d04da0210ac4ff197600f3d0a0c39468

SHA1
a3f45bafafb1fd5061efe0a6176ff081ea38c78d

SHA256
f6e593f545a9ab4bb0876bdc68681128a7dc7e7eb88803285b393bd2879f5a51

SHA512
4d8434b52db6957469b147be944815fef8311d548e840254335ccf0f34bcc4a4f6a8d1f305e84ffa8467bc1be52a962fa6e82219387ba5acc77ea0972c3a1359

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en981945.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en981945.exe
Filesize
175KB

MD5
30bf410db5f6c05f0dee763f5a0fe5b7

SHA1
1f4187925e1af163603a12bb116e869f8f137455

SHA256
d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178

SHA512
5edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3217.exe
Filesize
685KB

MD5
2453e9a1155b76e3d02af70df4537b41

SHA1
ce87e1ec3c3d64b492982c3987e71caa42ab9a62

SHA256
125fa4dc15c281e31dbba41f280cdebde833c4694f7395aa22686669e9d60a71

SHA512
a72c6ffcd92c25c762217728d4ec1a221a5060f863d23ed5a38065ce58fa966bcb92d5558dc0562632628e66147c3a5181b12a09d6b26c1bfb19b9877988bf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3217.exe
Filesize
685KB

MD5
2453e9a1155b76e3d02af70df4537b41

SHA1
ce87e1ec3c3d64b492982c3987e71caa42ab9a62

SHA256
125fa4dc15c281e31dbba41f280cdebde833c4694f7395aa22686669e9d60a71

SHA512
a72c6ffcd92c25c762217728d4ec1a221a5060f863d23ed5a38065ce58fa966bcb92d5558dc0562632628e66147c3a5181b12a09d6b26c1bfb19b9877988bf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsO91s14.exe
Filesize
355KB

MD5
e34e8558841f7ed4c59738f813dec5e2

SHA1
06fd22de1226cbf51d6c8e68fb5269375e925d2f

SHA256
ae60661fe9a00c2aae27b76a3ceeb3ebba2495ef70725a5b838bc856a4519da4

SHA512
9eabe5f53e19c44e0c8b482736d7ca2e3df307219993f27f5b347cf6dd0ad8ec275352b63524343cc439fec7c87bf9493a2cf9de0ed9e9dfa4470616364aeaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dsO91s14.exe
Filesize
355KB

MD5
e34e8558841f7ed4c59738f813dec5e2

SHA1
06fd22de1226cbf51d6c8e68fb5269375e925d2f

SHA256
ae60661fe9a00c2aae27b76a3ceeb3ebba2495ef70725a5b838bc856a4519da4

SHA512
9eabe5f53e19c44e0c8b482736d7ca2e3df307219993f27f5b347cf6dd0ad8ec275352b63524343cc439fec7c87bf9493a2cf9de0ed9e9dfa4470616364aeaf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2020.exe
Filesize
340KB

MD5
4a3935a9419d9098e6db61fa36d36214

SHA1
321cdee017a2507635e640e41175bd5fa7f70955

SHA256
a84e14346edc37f5ba4180bf5296772a1e52f39894be25f3b21e180ffa06b2e2

SHA512
164fbc3a08b93f3c8797bb5f085298cc5618406dcf77b186544df4bd81ad7b09e0658d08073b9c6ad05f94c614e7f5744ec0c10ed1e087f1831377eae3562898

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino2020.exe
Filesize
340KB

MD5
4a3935a9419d9098e6db61fa36d36214

SHA1
321cdee017a2507635e640e41175bd5fa7f70955

SHA256
a84e14346edc37f5ba4180bf5296772a1e52f39894be25f3b21e180ffa06b2e2

SHA512
164fbc3a08b93f3c8797bb5f085298cc5618406dcf77b186544df4bd81ad7b09e0658d08073b9c6ad05f94c614e7f5744ec0c10ed1e087f1831377eae3562898

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5271.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5271.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4214.exe
Filesize
298KB

MD5
a4acf020b648e7b797bbbc09bb7020a7

SHA1
25ca55efdf43b04453aae78f865000d55e894078

SHA256
09e30cdf25746efbd90e74524dcb6c29c24b608b586c7a0e1291bac299a8c801

SHA512
6ee7d27c5f6908be1444c78efa2fd6897bd05256b296ee4311860a40d6f91a7086a0d69b69f664652fcb3de4dba11dc42c86203e29d531efbd952577a60c6a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4214.exe
Filesize
298KB

MD5
a4acf020b648e7b797bbbc09bb7020a7

SHA1
25ca55efdf43b04453aae78f865000d55e894078

SHA256
09e30cdf25746efbd90e74524dcb6c29c24b608b586c7a0e1291bac299a8c801

SHA512
6ee7d27c5f6908be1444c78efa2fd6897bd05256b296ee4311860a40d6f91a7086a0d69b69f664652fcb3de4dba11dc42c86203e29d531efbd952577a60c6a2c

Download Submit
memory/2236-179-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2236-175-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-181-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-183-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-185-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-187-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-189-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-191-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-193-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-195-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-197-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-199-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-177-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-202-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-203-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-204-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-205-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2236-173-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-172-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2236-171-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-170-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-169-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/2236-168-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/2236-167-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/2412-217-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-1124-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-227-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-229-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-230-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-231-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-233-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-235-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-226-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-237-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-239-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-241-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-245-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-243-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-247-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-1120-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/2412-1121-0x0000000007E30000-0x0000000007F3A000-memory.dmp

Filesize
1.0MB

Download
memory/2412-1122-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/2412-1123-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/2412-225-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/2412-1126-0x0000000008280000-0x0000000008312000-memory.dmp

Filesize
584KB

Download
memory/2412-1127-0x0000000008320000-0x0000000008386000-memory.dmp

Filesize
408KB

Download
memory/2412-1128-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/2412-1129-0x0000000008AD0000-0x0000000008B20000-memory.dmp

Filesize
320KB

Download
memory/2412-1130-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-1131-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-1132-0x0000000007200000-0x0000000007210000-memory.dmp

Filesize
64KB

Download
memory/2412-1133-0x0000000008C30000-0x0000000008DF2000-memory.dmp

Filesize
1.8MB

Download
memory/2412-223-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-1134-0x0000000008E00000-0x000000000932C000-memory.dmp

Filesize
5.2MB

Download
memory/2412-210-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-213-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-211-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-219-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-221-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/2412-215-0x0000000007130000-0x000000000716E000-memory.dmp

Filesize
248KB

Download
memory/3032-161-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/4272-1141-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/4272-1140-0x0000000000E60000-0x0000000000E92000-memory.dmp

Filesize
200KB

Download