amadey | 29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285

Analysis

max time kernel
103s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe
Size

1010KB
MD5

32d81af28ea2c7d40fec687813bc75ad
SHA1

7716447a411fff3e38d1eb98484f5f64fa2fb8e2
SHA256

29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285
SHA512

48ee2cfe53a5bff6ee689f82d33eb4ada5cd7e189feb14a758ecae44ff88cf50d5effceea2b13dea44e5a1de5f8bdb552ee73dbf221d44cfaa9a4d0bd39f07d9
SSDEEP

24576:5y301Cvnx3HxgU4Vk16pkLdChWY3yzDg:s300nx3HB6SLohzizD

Score

10^/10

amadey redline down volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

down

193.233.20.31:4125

Attributes

auth_value
12c31a90c72f5efae8c053a0bd339381

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

cor4210.exebus3417.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus3417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus3417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus3417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor4210.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus3417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus3417.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus3417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor4210.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4500-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-216-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-218-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-214-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-220-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-222-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline
behavioral1/memory/4500-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

metafor.exege561556.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge561556.exe

Executes dropped EXE 10 IoCs

Processes:

kino7635.exekino5119.exekino4140.exebus3417.execor4210.exedbL86s47.exeen001573.exege561556.exemetafor.exemetafor.exe

pid	process
1080	kino7635.exe
1416	kino5119.exe
2052	kino4140.exe
3716	bus3417.exe
2512	cor4210.exe
4500	dbL86s47.exe
3896	en001573.exe
3760	ge561556.exe
4748	metafor.exe
264	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus3417.execor4210.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus3417.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor4210.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor4210.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino5119.exekino4140.exe29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exekino7635.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino5119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino5119.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino4140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino4140.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7635.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino7635.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4496 2512 WerFault.exe cor4210.exe
4948 4500 WerFault.exe dbL86s47.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3484 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus3417.execor4210.exedbL86s47.exeen001573.exe

pid process

3716 bus3417.exe
3716 bus3417.exe
2512 cor4210.exe
2512 cor4210.exe
4500 dbL86s47.exe
4500 dbL86s47.exe
3896 en001573.exe
3896 en001573.exe

pid	pid_target	process	target process
4496	2512	WerFault.exe	cor4210.exe
4948	4500	WerFault.exe	dbL86s47.exe

pid	process
3484	schtasks.exe

pid	process
3716	bus3417.exe
3716	bus3417.exe
2512	cor4210.exe
2512	cor4210.exe
4500	dbL86s47.exe
4500	dbL86s47.exe
3896	en001573.exe
3896	en001573.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus3417.execor4210.exedbL86s47.exeen001573.exe

description	pid	process
Token: SeDebugPrivilege	3716	bus3417.exe
Token: SeDebugPrivilege	2512	cor4210.exe
Token: SeDebugPrivilege	4500	dbL86s47.exe
Token: SeDebugPrivilege	3896	en001573.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exekino7635.exekino5119.exekino4140.exege561556.exemetafor.execmd.exe

description	pid	process	target process
PID 320 wrote to memory of 1080	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	kino7635.exe
PID 320 wrote to memory of 1080	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	kino7635.exe
PID 320 wrote to memory of 1080	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	kino7635.exe
PID 1080 wrote to memory of 1416	1080	kino7635.exe	kino5119.exe
PID 1080 wrote to memory of 1416	1080	kino7635.exe	kino5119.exe
PID 1080 wrote to memory of 1416	1080	kino7635.exe	kino5119.exe
PID 1416 wrote to memory of 2052	1416	kino5119.exe	kino4140.exe
PID 1416 wrote to memory of 2052	1416	kino5119.exe	kino4140.exe
PID 1416 wrote to memory of 2052	1416	kino5119.exe	kino4140.exe
PID 2052 wrote to memory of 3716	2052	kino4140.exe	bus3417.exe
PID 2052 wrote to memory of 3716	2052	kino4140.exe	bus3417.exe
PID 2052 wrote to memory of 2512	2052	kino4140.exe	cor4210.exe
PID 2052 wrote to memory of 2512	2052	kino4140.exe	cor4210.exe
PID 2052 wrote to memory of 2512	2052	kino4140.exe	cor4210.exe
PID 1416 wrote to memory of 4500	1416	kino5119.exe	dbL86s47.exe
PID 1416 wrote to memory of 4500	1416	kino5119.exe	dbL86s47.exe
PID 1416 wrote to memory of 4500	1416	kino5119.exe	dbL86s47.exe
PID 1080 wrote to memory of 3896	1080	kino7635.exe	en001573.exe
PID 1080 wrote to memory of 3896	1080	kino7635.exe	en001573.exe
PID 1080 wrote to memory of 3896	1080	kino7635.exe	en001573.exe
PID 320 wrote to memory of 3760	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	ge561556.exe
PID 320 wrote to memory of 3760	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	ge561556.exe
PID 320 wrote to memory of 3760	320	29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe	ge561556.exe
PID 3760 wrote to memory of 4748	3760	ge561556.exe	metafor.exe
PID 3760 wrote to memory of 4748	3760	ge561556.exe	metafor.exe
PID 3760 wrote to memory of 4748	3760	ge561556.exe	metafor.exe
PID 4748 wrote to memory of 3484	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 3484	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 3484	4748	metafor.exe	schtasks.exe
PID 4748 wrote to memory of 5052	4748	metafor.exe	cmd.exe
PID 4748 wrote to memory of 5052	4748	metafor.exe	cmd.exe
PID 4748 wrote to memory of 5052	4748	metafor.exe	cmd.exe
PID 5052 wrote to memory of 1608	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1608	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1608	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 3996	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 3996	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 3996	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 4896	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 4896	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 4896	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 1164	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1164	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1164	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1976	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 1976	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 1976	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 3172	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 3172	5052	cmd.exe	cacls.exe
PID 5052 wrote to memory of 3172	5052	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe
"C:\Users\Admin\AppData\Local\Temp\29431f9979f0314aff1c60b22e129b742ad73851a357a2e56f0cb783e2f0c285.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7635.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7635.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5119.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5119.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4140.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4140.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3417.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3417.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4210.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4210.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1080
6⤵
- Program crash
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbL86s47.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbL86s47.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 1328
5⤵
- Program crash
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en001573.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en001573.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge561556.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge561556.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1608

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:3996

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:1164

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1976

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2512 -ip 2512
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4500 -ip 4500
1⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge561556.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge561556.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7635.exe
Filesize
828KB

MD5
9596d33d582e1500be9b556a6dcb3e32

SHA1
f8c0d23ffc1b078b91db4438162a06c8a6e293f8

SHA256
5d47c5eeb0cefbc5dd3b48e28ea4207c333991f6928b58e23df2151282622818

SHA512
2549ed1536117597bcd5af2c5756b906775fa38ae52edc0a68da57b4b1bfebb7d05a6b6ed76c964cf66b905d9c424c8ab7be6114ce53716fd0e36cdd4bb5d3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7635.exe
Filesize
828KB

MD5
9596d33d582e1500be9b556a6dcb3e32

SHA1
f8c0d23ffc1b078b91db4438162a06c8a6e293f8

SHA256
5d47c5eeb0cefbc5dd3b48e28ea4207c333991f6928b58e23df2151282622818

SHA512
2549ed1536117597bcd5af2c5756b906775fa38ae52edc0a68da57b4b1bfebb7d05a6b6ed76c964cf66b905d9c424c8ab7be6114ce53716fd0e36cdd4bb5d3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en001573.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en001573.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5119.exe
Filesize
685KB

MD5
1f0912799b38de3c73020289261a68af

SHA1
7d67611e1e77e92b8446eed96e2dd8a5a2de5938

SHA256
2c00b2eb56fdfdb8e3f7d4a07fc87d035f79a388e2ed4daeb57f999328f91a4b

SHA512
f952620757ce666e781eee90e27112e20f04b2aa2dfd42a3ad536ad6d8bbff7eec1b94ee84025dc0ba570bc0f21d8a85d6b8ef677de3c7af0390b3eb070f9104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino5119.exe
Filesize
685KB

MD5
1f0912799b38de3c73020289261a68af

SHA1
7d67611e1e77e92b8446eed96e2dd8a5a2de5938

SHA256
2c00b2eb56fdfdb8e3f7d4a07fc87d035f79a388e2ed4daeb57f999328f91a4b

SHA512
f952620757ce666e781eee90e27112e20f04b2aa2dfd42a3ad536ad6d8bbff7eec1b94ee84025dc0ba570bc0f21d8a85d6b8ef677de3c7af0390b3eb070f9104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbL86s47.exe
Filesize
356KB

MD5
9e77360fec1bc2d7d6dbd7289633e225

SHA1
2ccbd06f255e183a599ed254cf44c6d2d659abc3

SHA256
a038ae810b34ff66da4129039d841386fe02c73462d93badcd621876e013b539

SHA512
6eeda0e3e1907a95dc1b30dda1e4834c57561671f98cfd013bd7bcaa8ad8ec4addf26dddba95456008a8088581f44dd3ed28ba56713da9e586e3efab71021d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dbL86s47.exe
Filesize
356KB

MD5
9e77360fec1bc2d7d6dbd7289633e225

SHA1
2ccbd06f255e183a599ed254cf44c6d2d659abc3

SHA256
a038ae810b34ff66da4129039d841386fe02c73462d93badcd621876e013b539

SHA512
6eeda0e3e1907a95dc1b30dda1e4834c57561671f98cfd013bd7bcaa8ad8ec4addf26dddba95456008a8088581f44dd3ed28ba56713da9e586e3efab71021d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4140.exe
Filesize
340KB

MD5
9f1dfd91c911dee35d65543637b555d0

SHA1
4dcb8ab50a5585936ff1a87e1853de23954e15e5

SHA256
46309ae8f5a3296749fd7ec3002f1c5c2132eeae20c39209091635ccdab0e535

SHA512
b5b134b118a8f66fe0cdfcc66850b043cf69159ea6702b56f137b91eeb46c2f26150ab3fdbf3e0a7b3946262cdc369b2ac49fdbe2abf65a03750aff7778c2f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino4140.exe
Filesize
340KB

MD5
9f1dfd91c911dee35d65543637b555d0

SHA1
4dcb8ab50a5585936ff1a87e1853de23954e15e5

SHA256
46309ae8f5a3296749fd7ec3002f1c5c2132eeae20c39209091635ccdab0e535

SHA512
b5b134b118a8f66fe0cdfcc66850b043cf69159ea6702b56f137b91eeb46c2f26150ab3fdbf3e0a7b3946262cdc369b2ac49fdbe2abf65a03750aff7778c2f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3417.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3417.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4210.exe
Filesize
298KB

MD5
3c9e18caf15e7a92577ef37fae802926

SHA1
30518d52fcd5f5a5642d44da8241bca662228f6e

SHA256
dfd5e1de88602967a9e3924997a15da716c2124c26e8b64893ac1ec4bf3a4890

SHA512
ddee14160b57c5561cfaf31a0c476f53c37498432c05521c38141b97c953e7021c43873a017db87acd8030b1e8c9f36af0878ef637e6937737c7a09d3c349db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor4210.exe
Filesize
298KB

MD5
3c9e18caf15e7a92577ef37fae802926

SHA1
30518d52fcd5f5a5642d44da8241bca662228f6e

SHA256
dfd5e1de88602967a9e3924997a15da716c2124c26e8b64893ac1ec4bf3a4890

SHA512
ddee14160b57c5561cfaf31a0c476f53c37498432c05521c38141b97c953e7021c43873a017db87acd8030b1e8c9f36af0878ef637e6937737c7a09d3c349db4

Download Submit
memory/2512-178-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2512-167-0x0000000007220000-0x00000000077C4000-memory.dmp

Filesize
5.6MB

Download
memory/2512-180-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-182-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-184-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-186-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-188-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-190-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-192-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-194-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-196-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-198-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-176-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-200-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2512-202-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/2512-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/2512-174-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-172-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-171-0x00000000077E0000-0x00000000077F2000-memory.dmp

Filesize
72KB

Download
memory/2512-170-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2512-169-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3716-161-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download
memory/3896-1137-0x0000000000990000-0x00000000009C2000-memory.dmp

Filesize
200KB

Download
memory/3896-1138-0x00000000052A0000-0x00000000052B0000-memory.dmp

Filesize
64KB

Download
memory/4500-211-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-220-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-222-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-224-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-226-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-228-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-230-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-232-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-234-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-236-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-238-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-240-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-242-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-244-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-1117-0x0000000007830000-0x0000000007E48000-memory.dmp

Filesize
6.1MB

Download
memory/4500-1118-0x0000000007E50000-0x0000000007F5A000-memory.dmp

Filesize
1.0MB

Download
memory/4500-1119-0x0000000007F70000-0x0000000007F82000-memory.dmp

Filesize
72KB

Download
memory/4500-1120-0x0000000007F90000-0x0000000007FCC000-memory.dmp

Filesize
240KB

Download
memory/4500-1121-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-1123-0x0000000008280000-0x00000000082E6000-memory.dmp

Filesize
408KB

Download
memory/4500-1124-0x0000000008940000-0x00000000089D2000-memory.dmp

Filesize
584KB

Download
memory/4500-1125-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-1126-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-1127-0x0000000008B50000-0x0000000008D12000-memory.dmp

Filesize
1.8MB

Download
memory/4500-1128-0x0000000008D20000-0x000000000924C000-memory.dmp

Filesize
5.2MB

Download
memory/4500-1129-0x0000000009380000-0x00000000093F6000-memory.dmp

Filesize
472KB

Download
memory/4500-214-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-218-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-216-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-213-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-208-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-210-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/4500-209-0x0000000004CF0000-0x0000000004D2E000-memory.dmp

Filesize
248KB

Download
memory/4500-207-0x0000000002CB0000-0x0000000002CFB000-memory.dmp

Filesize
300KB

Download
memory/4500-1130-0x0000000009410000-0x0000000009460000-memory.dmp

Filesize
320KB

Download
memory/4500-1131-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download