amadey | f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95

Analysis

max time kernel
143s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe
Size

1011KB
MD5

1c695058ea95d0783be908fc1c056118
SHA1

26d150d6bbb147223f0cc6737b7562a676bb6099
SHA256

f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95
SHA512

7d5f6c4f9e1b71a3aeaee8346f6d30bd8cde37b76e4b768608c644d9d060ad1f06d40f3111dba12f171ab7240cc26f5b613fb02764d47211dab2d043baf32071
SSDEEP

24576:yyLA3j+ictlapRiF0Jy8feVqkk45PaMH73OiXIbG:ZU1ckRgaePa+73OiXI

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus5883.execor7807.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus5883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus5883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor7807.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus5883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus5883.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus5883.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus5883.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4624-209-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-210-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-212-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-214-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-216-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-218-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-220-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-222-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-225-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-226-0x0000000007230000-0x0000000007240000-memory.dmp	family_redline
behavioral1/memory/4624-230-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-232-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-234-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-236-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-238-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-242-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-240-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-244-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline
behavioral1/memory/4624-246-0x0000000007170000-0x00000000071AE000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge980873.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	ge980873.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino9838.exekino2069.exekino8139.exebus5883.execor7807.exedXh12s11.exeen815607.exege980873.exemetafor.exemetafor.exe

pid	process
2860	kino9838.exe
3500	kino2069.exe
3956	kino8139.exe
3296	bus5883.exe
4412	cor7807.exe
4624	dXh12s11.exe
4728	en815607.exe
1872	ge980873.exe
684	metafor.exe
2352	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus5883.execor7807.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus5883.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor7807.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor7807.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino8139.exef3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exekino9838.exekino2069.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino8139.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino9838.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino2069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino2069.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino8139.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2984 4412 WerFault.exe cor7807.exe
4748 4624 WerFault.exe dXh12s11.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1096 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus5883.execor7807.exedXh12s11.exeen815607.exe

pid process

3296 bus5883.exe
3296 bus5883.exe
4412 cor7807.exe
4412 cor7807.exe
4624 dXh12s11.exe
4624 dXh12s11.exe
4728 en815607.exe
4728 en815607.exe

pid	pid_target	process	target process
2984	4412	WerFault.exe	cor7807.exe
4748	4624	WerFault.exe	dXh12s11.exe

pid	process
1096	schtasks.exe

pid	process
3296	bus5883.exe
3296	bus5883.exe
4412	cor7807.exe
4412	cor7807.exe
4624	dXh12s11.exe
4624	dXh12s11.exe
4728	en815607.exe
4728	en815607.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus5883.execor7807.exedXh12s11.exeen815607.exe

description	pid	process
Token: SeDebugPrivilege	3296	bus5883.exe
Token: SeDebugPrivilege	4412	cor7807.exe
Token: SeDebugPrivilege	4624	dXh12s11.exe
Token: SeDebugPrivilege	4728	en815607.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exekino9838.exekino2069.exekino8139.exege980873.exemetafor.execmd.exe

description	pid	process	target process
PID 624 wrote to memory of 2860	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	kino9838.exe
PID 624 wrote to memory of 2860	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	kino9838.exe
PID 624 wrote to memory of 2860	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	kino9838.exe
PID 2860 wrote to memory of 3500	2860	kino9838.exe	kino2069.exe
PID 2860 wrote to memory of 3500	2860	kino9838.exe	kino2069.exe
PID 2860 wrote to memory of 3500	2860	kino9838.exe	kino2069.exe
PID 3500 wrote to memory of 3956	3500	kino2069.exe	kino8139.exe
PID 3500 wrote to memory of 3956	3500	kino2069.exe	kino8139.exe
PID 3500 wrote to memory of 3956	3500	kino2069.exe	kino8139.exe
PID 3956 wrote to memory of 3296	3956	kino8139.exe	bus5883.exe
PID 3956 wrote to memory of 3296	3956	kino8139.exe	bus5883.exe
PID 3956 wrote to memory of 4412	3956	kino8139.exe	cor7807.exe
PID 3956 wrote to memory of 4412	3956	kino8139.exe	cor7807.exe
PID 3956 wrote to memory of 4412	3956	kino8139.exe	cor7807.exe
PID 3500 wrote to memory of 4624	3500	kino2069.exe	dXh12s11.exe
PID 3500 wrote to memory of 4624	3500	kino2069.exe	dXh12s11.exe
PID 3500 wrote to memory of 4624	3500	kino2069.exe	dXh12s11.exe
PID 2860 wrote to memory of 4728	2860	kino9838.exe	en815607.exe
PID 2860 wrote to memory of 4728	2860	kino9838.exe	en815607.exe
PID 2860 wrote to memory of 4728	2860	kino9838.exe	en815607.exe
PID 624 wrote to memory of 1872	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	ge980873.exe
PID 624 wrote to memory of 1872	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	ge980873.exe
PID 624 wrote to memory of 1872	624	f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe	ge980873.exe
PID 1872 wrote to memory of 684	1872	ge980873.exe	metafor.exe
PID 1872 wrote to memory of 684	1872	ge980873.exe	metafor.exe
PID 1872 wrote to memory of 684	1872	ge980873.exe	metafor.exe
PID 684 wrote to memory of 1096	684	metafor.exe	schtasks.exe
PID 684 wrote to memory of 1096	684	metafor.exe	schtasks.exe
PID 684 wrote to memory of 1096	684	metafor.exe	schtasks.exe
PID 684 wrote to memory of 2728	684	metafor.exe	cmd.exe
PID 684 wrote to memory of 2728	684	metafor.exe	cmd.exe
PID 684 wrote to memory of 2728	684	metafor.exe	cmd.exe
PID 2728 wrote to memory of 2216	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2216	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2216	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 1912	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1912	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1912	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 2120	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 2120	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 2120	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 428	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 428	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 428	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 1260	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1260	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1260	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1576	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1576	2728	cmd.exe	cacls.exe
PID 2728 wrote to memory of 1576	2728	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe
"C:\Users\Admin\AppData\Local\Temp\f3b21bde12aa38b60b5e5d66b9d657c0dc402d77c08594ceda61756813adbc95.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9838.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9838.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2069.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2069.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8139.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8139.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5883.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5883.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7807.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7807.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1100
6⤵
- Program crash
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXh12s11.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXh12s11.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1360
5⤵
- Program crash
PID:4748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en815607.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en815607.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge980873.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge980873.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2216

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1912

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:428

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1260

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4412 -ip 4412
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4624 -ip 4624
1⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge980873.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge980873.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9838.exe
Filesize
829KB

MD5
d3b000986e373d920ededff2075e267d

SHA1
da5dd2ee70b15085cea9b4b7e2dc50c3c5cc8dbb

SHA256
c7fc3266e55fb30fc6295ee81b027abe5c1f9b7131b52aa5aa6b9a7520ab81c9

SHA512
bbfde9fdbd1593f1c76b64e16a3bc56eb9fb267509715910373d33e7608058d2cdf9ebaa2fe6b67f45a991ed92da6bf7e63d0133020835fb6f26e72f37f74c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9838.exe
Filesize
829KB

MD5
d3b000986e373d920ededff2075e267d

SHA1
da5dd2ee70b15085cea9b4b7e2dc50c3c5cc8dbb

SHA256
c7fc3266e55fb30fc6295ee81b027abe5c1f9b7131b52aa5aa6b9a7520ab81c9

SHA512
bbfde9fdbd1593f1c76b64e16a3bc56eb9fb267509715910373d33e7608058d2cdf9ebaa2fe6b67f45a991ed92da6bf7e63d0133020835fb6f26e72f37f74c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en815607.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en815607.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2069.exe
Filesize
686KB

MD5
b58e491dca9850bc33c9f2b696db67a6

SHA1
a0195ef9db6ddf71595d0a5fe17122776538d756

SHA256
f6abe87380558cb43825d9cf364a129bc1a0d13a70afbe1f16865ee6365041c2

SHA512
9c72e4565c5ac845f23737ef9a70f091ac7dbb6826bdbd33f9c4cf3eb4395588892da7437656a4d2d97e9e78412afb44f0040a62b56a77e5b344f550ac6a9a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2069.exe
Filesize
686KB

MD5
b58e491dca9850bc33c9f2b696db67a6

SHA1
a0195ef9db6ddf71595d0a5fe17122776538d756

SHA256
f6abe87380558cb43825d9cf364a129bc1a0d13a70afbe1f16865ee6365041c2

SHA512
9c72e4565c5ac845f23737ef9a70f091ac7dbb6826bdbd33f9c4cf3eb4395588892da7437656a4d2d97e9e78412afb44f0040a62b56a77e5b344f550ac6a9a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXh12s11.exe
Filesize
356KB

MD5
f8768a4d9af396d28744e75a6f2c2d39

SHA1
85eda0953b9cfda6c8239d3783353aadaea41082

SHA256
70f5d86d404368215df4b0baee43bb8dd0f24fe85e8f80d67a476a3c876d89d3

SHA512
ef4de2f964cd404e649a582a0c61f482de2501a8417ca3819b4bb97ff9e92c9d45ec55724308e06b460ec10b2b274a94b9c1b17c69df5867b9905fb2f3867c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXh12s11.exe
Filesize
356KB

MD5
f8768a4d9af396d28744e75a6f2c2d39

SHA1
85eda0953b9cfda6c8239d3783353aadaea41082

SHA256
70f5d86d404368215df4b0baee43bb8dd0f24fe85e8f80d67a476a3c876d89d3

SHA512
ef4de2f964cd404e649a582a0c61f482de2501a8417ca3819b4bb97ff9e92c9d45ec55724308e06b460ec10b2b274a94b9c1b17c69df5867b9905fb2f3867c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8139.exe
Filesize
340KB

MD5
4fddd6a7ec436dd6cc83f6945a9e4005

SHA1
8689ab911d812543644388b18f08e4404ca1e5ae

SHA256
e286e899d9ec597306bc12f0e2407f4ccc158b9fff5926aecacd632e08bae9f6

SHA512
76ac82e6f5ed8dc98777a21b6350e0af365e62f981e26a29471d905994cc4d414f8a43e6fb7d628b5659278c03ef78dd3d38de0a7a61731826ef8a153079cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino8139.exe
Filesize
340KB

MD5
4fddd6a7ec436dd6cc83f6945a9e4005

SHA1
8689ab911d812543644388b18f08e4404ca1e5ae

SHA256
e286e899d9ec597306bc12f0e2407f4ccc158b9fff5926aecacd632e08bae9f6

SHA512
76ac82e6f5ed8dc98777a21b6350e0af365e62f981e26a29471d905994cc4d414f8a43e6fb7d628b5659278c03ef78dd3d38de0a7a61731826ef8a153079cbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5883.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus5883.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7807.exe
Filesize
298KB

MD5
904e446d14743428bd92c3d025c9cdf8

SHA1
639cf8fbdea3f2eb8c15a5b1e01c4ee63af376c8

SHA256
b0ae53e1de0143fae7cf0a5ddb4501ba0c83e260ef18d3bb6bd4502256e9b100

SHA512
b01faf553397bcef0e538373439b64862734f63c6daaa3c650ecec9683eae93882f349d0ead8b96d77c15e11a4c48c2e7faf6655a2155a2aa681b08129e97b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor7807.exe
Filesize
298KB

MD5
904e446d14743428bd92c3d025c9cdf8

SHA1
639cf8fbdea3f2eb8c15a5b1e01c4ee63af376c8

SHA256
b0ae53e1de0143fae7cf0a5ddb4501ba0c83e260ef18d3bb6bd4502256e9b100

SHA512
b01faf553397bcef0e538373439b64862734f63c6daaa3c650ecec9683eae93882f349d0ead8b96d77c15e11a4c48c2e7faf6655a2155a2aa681b08129e97b79

Download Submit
memory/3296-161-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download
memory/4412-179-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-199-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-181-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-183-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-185-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-187-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-189-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-191-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-193-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-195-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-197-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-177-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-200-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4412-201-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4412-202-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4412-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/4412-175-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-173-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-172-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/4412-171-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4412-169-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4412-167-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/4412-170-0x0000000002F50000-0x0000000002F60000-memory.dmp

Filesize
64KB

Download
memory/4412-168-0x0000000007270000-0x0000000007814000-memory.dmp

Filesize
5.6MB

Download
memory/4624-214-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-1125-0x00000000083C0000-0x0000000008452000-memory.dmp

Filesize
584KB

Download
memory/4624-226-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-228-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-229-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-230-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-232-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-234-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-236-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-238-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-242-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-240-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-244-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-246-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-1119-0x00000000078F0000-0x0000000007F08000-memory.dmp

Filesize
6.1MB

Download
memory/4624-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4624-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4624-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4624-1123-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-225-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-1126-0x0000000008460000-0x00000000084C6000-memory.dmp

Filesize
408KB

Download
memory/4624-1127-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-1128-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-1129-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/4624-1130-0x0000000009F30000-0x0000000009FA6000-memory.dmp

Filesize
472KB

Download
memory/4624-1131-0x0000000009FC0000-0x000000000A010000-memory.dmp

Filesize
320KB

Download
memory/4624-1132-0x000000000A170000-0x000000000A332000-memory.dmp

Filesize
1.8MB

Download
memory/4624-1133-0x000000000A340000-0x000000000A86C000-memory.dmp

Filesize
5.2MB

Download
memory/4624-224-0x0000000002CA0000-0x0000000002CEB000-memory.dmp

Filesize
300KB

Download
memory/4624-222-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-209-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-220-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-218-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-216-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-212-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4624-210-0x0000000007170000-0x00000000071AE000-memory.dmp

Filesize
248KB

Download
memory/4728-1139-0x0000000000340000-0x0000000000372000-memory.dmp

Filesize
200KB

Download