amadey | dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c

Analysis

max time kernel
99s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-03-2023 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe
Size

1010KB
MD5

2ebb9b960ba2c86922db22f91b0ff54c
SHA1

6f96deb9ac453d2833806ca32e45cd20a75be670
SHA256

dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c
SHA512

3f893cfe00fd638f97e5df793bf461783ef3ce60db43a78765a3d41451ed51d22307f82b6893f20827a7a53d5850b437f4118a9f1001f2131d88e527aae5c5bf
SSDEEP

24576:MynsKHvRkBvRdic/I9G2vTLPmRDvs2wLDYf/WOhw3Xe0Y:7nPKBJkc/ivnPmRDv3w6pw3R

Score

10^/10

amadey redline boris volya discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

volya

193.233.20.31:4125

Attributes

auth_value
0efc9f002a9fbeec5f8b8338141d546a

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bus3687.execor2809.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bus3687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bus3687.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor2809.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor2809.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor2809.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bus3687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bus3687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bus3687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor2809.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bus3687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor2809.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor2809.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5004-210-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-211-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-213-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-215-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-217-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-219-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-221-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-223-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-225-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-227-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-229-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-231-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-233-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-238-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-237-0x0000000004790000-0x00000000047A0000-memory.dmp	family_redline
behavioral1/memory/5004-240-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-242-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-244-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline
behavioral1/memory/5004-246-0x00000000076F0000-0x000000000772F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge863490.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	ge863490.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kino7613.exekino3648.exekino9337.exebus3687.execor2809.exedXr36s53.exeen839767.exege863490.exemetafor.exemetafor.exe

pid	process
3680	kino7613.exe
2780	kino3648.exe
4860	kino9337.exe
4936	bus3687.exe
524	cor2809.exe
5004	dXr36s53.exe
4220	en839767.exe
876	ge863490.exe
2728	metafor.exe
3032	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bus3687.execor2809.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bus3687.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor2809.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor2809.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kino7613.exekino3648.exekino9337.exedfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino7613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kino7613.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino3648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kino3648.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kino9337.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kino9337.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1568 524 WerFault.exe cor2809.exe
2116 5004 WerFault.exe dXr36s53.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4092 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bus3687.execor2809.exedXr36s53.exeen839767.exe

pid process

4936 bus3687.exe
4936 bus3687.exe
524 cor2809.exe
524 cor2809.exe
5004 dXr36s53.exe
5004 dXr36s53.exe
4220 en839767.exe
4220 en839767.exe

pid	pid_target	process	target process
1568	524	WerFault.exe	cor2809.exe
2116	5004	WerFault.exe	dXr36s53.exe

pid	process
4092	schtasks.exe

pid	process
4936	bus3687.exe
4936	bus3687.exe
524	cor2809.exe
524	cor2809.exe
5004	dXr36s53.exe
5004	dXr36s53.exe
4220	en839767.exe
4220	en839767.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bus3687.execor2809.exedXr36s53.exeen839767.exe

description	pid	process
Token: SeDebugPrivilege	4936	bus3687.exe
Token: SeDebugPrivilege	524	cor2809.exe
Token: SeDebugPrivilege	5004	dXr36s53.exe
Token: SeDebugPrivilege	4220	en839767.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exekino7613.exekino3648.exekino9337.exege863490.exemetafor.execmd.exe

description	pid	process	target process
PID 5048 wrote to memory of 3680	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	kino7613.exe
PID 5048 wrote to memory of 3680	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	kino7613.exe
PID 5048 wrote to memory of 3680	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	kino7613.exe
PID 3680 wrote to memory of 2780	3680	kino7613.exe	kino3648.exe
PID 3680 wrote to memory of 2780	3680	kino7613.exe	kino3648.exe
PID 3680 wrote to memory of 2780	3680	kino7613.exe	kino3648.exe
PID 2780 wrote to memory of 4860	2780	kino3648.exe	kino9337.exe
PID 2780 wrote to memory of 4860	2780	kino3648.exe	kino9337.exe
PID 2780 wrote to memory of 4860	2780	kino3648.exe	kino9337.exe
PID 4860 wrote to memory of 4936	4860	kino9337.exe	bus3687.exe
PID 4860 wrote to memory of 4936	4860	kino9337.exe	bus3687.exe
PID 4860 wrote to memory of 524	4860	kino9337.exe	cor2809.exe
PID 4860 wrote to memory of 524	4860	kino9337.exe	cor2809.exe
PID 4860 wrote to memory of 524	4860	kino9337.exe	cor2809.exe
PID 2780 wrote to memory of 5004	2780	kino3648.exe	dXr36s53.exe
PID 2780 wrote to memory of 5004	2780	kino3648.exe	dXr36s53.exe
PID 2780 wrote to memory of 5004	2780	kino3648.exe	dXr36s53.exe
PID 3680 wrote to memory of 4220	3680	kino7613.exe	en839767.exe
PID 3680 wrote to memory of 4220	3680	kino7613.exe	en839767.exe
PID 3680 wrote to memory of 4220	3680	kino7613.exe	en839767.exe
PID 5048 wrote to memory of 876	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	ge863490.exe
PID 5048 wrote to memory of 876	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	ge863490.exe
PID 5048 wrote to memory of 876	5048	dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe	ge863490.exe
PID 876 wrote to memory of 2728	876	ge863490.exe	metafor.exe
PID 876 wrote to memory of 2728	876	ge863490.exe	metafor.exe
PID 876 wrote to memory of 2728	876	ge863490.exe	metafor.exe
PID 2728 wrote to memory of 4092	2728	metafor.exe	schtasks.exe
PID 2728 wrote to memory of 4092	2728	metafor.exe	schtasks.exe
PID 2728 wrote to memory of 4092	2728	metafor.exe	schtasks.exe
PID 2728 wrote to memory of 4644	2728	metafor.exe	cmd.exe
PID 2728 wrote to memory of 4644	2728	metafor.exe	cmd.exe
PID 2728 wrote to memory of 4644	2728	metafor.exe	cmd.exe
PID 4644 wrote to memory of 4564	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 4564	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 4564	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 1596	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 1596	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 1596	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 400	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 400	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 400	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 928	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 928	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 928	4644	cmd.exe	cmd.exe
PID 4644 wrote to memory of 4860	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 4860	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 4860	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 3028	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 3028	4644	cmd.exe	cacls.exe
PID 4644 wrote to memory of 3028	4644	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe
"C:\Users\Admin\AppData\Local\Temp\dfc7cc380088192e6111bcf915a6f70884fa3365438eb3d860a77e377f035e2c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7613.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7613.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3648.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3648.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9337.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9337.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3687.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3687.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2809.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2809.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 524 -s 1080
6⤵
- Program crash
PID:1568

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXr36s53.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXr36s53.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1316
5⤵
- Program crash
PID:2116

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en839767.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en839767.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge863490.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge863490.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4564

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:1596

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:928

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:4860

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 524 -ip 524
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5004 -ip 5004
1⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge863490.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge863490.exe
Filesize
226KB

MD5
8627ebe3777cc777ed2a14b907162224

SHA1
06eeed93eb3094f9d0b13ac4a6936f7088fbbdaa

SHA256
319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb

SHA512
9de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7613.exe
Filesize
829KB

MD5
1c6dd18d835203a8b2340e9ea573eb43

SHA1
203e205dc31a1d914fe122014e52d4941d4f470c

SHA256
20aeb64ff6b91ad517fe72b71954f21e4549d894bb05fc52bdc02380b5095dc4

SHA512
6d58a8dc9b8c7ed59eba660ca37c534cea0257f4c8cf5dffba8727d839b0d8710721806e5492855e70a3edead7d4d383d666402c6f71a951aaabcb1c78e59ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino7613.exe
Filesize
829KB

MD5
1c6dd18d835203a8b2340e9ea573eb43

SHA1
203e205dc31a1d914fe122014e52d4941d4f470c

SHA256
20aeb64ff6b91ad517fe72b71954f21e4549d894bb05fc52bdc02380b5095dc4

SHA512
6d58a8dc9b8c7ed59eba660ca37c534cea0257f4c8cf5dffba8727d839b0d8710721806e5492855e70a3edead7d4d383d666402c6f71a951aaabcb1c78e59ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en839767.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en839767.exe
Filesize
175KB

MD5
018b839c5ea1438099cd92f268570005

SHA1
5c962942d01b46556c5f3d88a51ab865c051418c

SHA256
593c354b3b09050c92d44a076a7a630a245790ab4fab6e872dbafd89e93cb132

SHA512
67d7a260d200127fe6a6c0dee2bfdd6f84f6bdf3778a8033ae0d51eee1cd717328dba6ee4aff07e4522466317e790f7cd94440fe31adca06269db3d279c31010

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3648.exe
Filesize
686KB

MD5
83221c9e935345627567d28f44d56e72

SHA1
c64d6a27d16a333cc6de8e8269b8850b71fa4e4b

SHA256
316b5ef400ba3d67e2860f7df457107b9648835f86831f82f9283b9e2ba46fd2

SHA512
d8ba740a49d42fee95ce6f16c3e2b251ce0951c15792b4688a87a1184c50ddc7c550d3689cafc49dc454e87228b25023849b05a060d85247d5ebfedd28424a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino3648.exe
Filesize
686KB

MD5
83221c9e935345627567d28f44d56e72

SHA1
c64d6a27d16a333cc6de8e8269b8850b71fa4e4b

SHA256
316b5ef400ba3d67e2860f7df457107b9648835f86831f82f9283b9e2ba46fd2

SHA512
d8ba740a49d42fee95ce6f16c3e2b251ce0951c15792b4688a87a1184c50ddc7c550d3689cafc49dc454e87228b25023849b05a060d85247d5ebfedd28424a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXr36s53.exe
Filesize
356KB

MD5
a5f53996229c600747091d6f5b385bcf

SHA1
74d1d8e12ba095ccfb8bc2c7385bb883cb49de27

SHA256
44ebb5ab718235413b56a0599d111a3de4bcc63d3cc785101b7853e2a67c8275

SHA512
790b9e86832b6170061ec519a3c8cf1d2113d35df7a10e601eb7bcddd7bce99fe98c02d4b7c7ce0a5159c9c1c96f21e36c7265e9b0900730c398db119436d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXr36s53.exe
Filesize
356KB

MD5
a5f53996229c600747091d6f5b385bcf

SHA1
74d1d8e12ba095ccfb8bc2c7385bb883cb49de27

SHA256
44ebb5ab718235413b56a0599d111a3de4bcc63d3cc785101b7853e2a67c8275

SHA512
790b9e86832b6170061ec519a3c8cf1d2113d35df7a10e601eb7bcddd7bce99fe98c02d4b7c7ce0a5159c9c1c96f21e36c7265e9b0900730c398db119436d850

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9337.exe
Filesize
340KB

MD5
1fb7aea498269795807f8dbf0d7d78fc

SHA1
8c73107c1406db77a87e5359b46f3842ca8bfdd7

SHA256
e9e607c6185eac656242d10612e01965b771b5029f03b0f69863897c487dc76d

SHA512
b4ceab441332452393ab27760d2d58c2039b5e8740b9ad2653dac70c41d6720bb75cd11e6b799f16b9c50d30cf0ba54431b0bd182b9e7282e525d203829e6dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino9337.exe
Filesize
340KB

MD5
1fb7aea498269795807f8dbf0d7d78fc

SHA1
8c73107c1406db77a87e5359b46f3842ca8bfdd7

SHA256
e9e607c6185eac656242d10612e01965b771b5029f03b0f69863897c487dc76d

SHA512
b4ceab441332452393ab27760d2d58c2039b5e8740b9ad2653dac70c41d6720bb75cd11e6b799f16b9c50d30cf0ba54431b0bd182b9e7282e525d203829e6dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3687.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus3687.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2809.exe
Filesize
298KB

MD5
1273d5cc68110737041cfa83159d6fcc

SHA1
1b7ff7b3c26154ce44f676c1ab5301de04c23467

SHA256
f9eaf3f94317af658b0ba701de4386f829f35dbbc919103ab3d496b15765d9b4

SHA512
ae60679dd609572f7b56f8b76d49a23e99b8ddf2e7e1c164ca557ef6394195e2effcbc8ca7ee7f3b1c4d5388ad63f1c31ceb8d5a56cf48f08521fcbc429c2a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2809.exe
Filesize
298KB

MD5
1273d5cc68110737041cfa83159d6fcc

SHA1
1b7ff7b3c26154ce44f676c1ab5301de04c23467

SHA256
f9eaf3f94317af658b0ba701de4386f829f35dbbc919103ab3d496b15765d9b4

SHA512
ae60679dd609572f7b56f8b76d49a23e99b8ddf2e7e1c164ca557ef6394195e2effcbc8ca7ee7f3b1c4d5388ad63f1c31ceb8d5a56cf48f08521fcbc429c2a1b

Download Submit
memory/524-178-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-199-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/524-168-0x0000000002C50000-0x0000000002C7D000-memory.dmp

Filesize
180KB

Download
memory/524-180-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-182-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-184-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-186-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-188-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-192-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-190-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-194-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-196-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-198-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-176-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-200-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/524-201-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/524-202-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/524-204-0x0000000000400000-0x0000000002B79000-memory.dmp

Filesize
39.5MB

Download
memory/524-167-0x0000000007470000-0x0000000007A14000-memory.dmp

Filesize
5.6MB

Download
memory/524-172-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-174-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-171-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/524-170-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/524-169-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/4220-1138-0x00000000008E0000-0x0000000000912000-memory.dmp

Filesize
200KB

Download
memory/4220-1139-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4936-161-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/5004-210-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-225-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-227-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-229-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-231-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-236-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-234-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-233-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-238-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-237-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-240-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-242-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-244-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-246-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-1119-0x00000000078D0000-0x0000000007EE8000-memory.dmp

Filesize
6.1MB

Download
memory/5004-1120-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/5004-1121-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/5004-1122-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/5004-1123-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-1125-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/5004-1126-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/5004-1127-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-1128-0x0000000004790000-0x00000000047A0000-memory.dmp

Filesize
64KB

Download
memory/5004-1129-0x0000000008B80000-0x0000000008D42000-memory.dmp

Filesize
1.8MB

Download
memory/5004-1130-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/5004-223-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-221-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-219-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-217-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-215-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-213-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-211-0x00000000076F0000-0x000000000772F000-memory.dmp

Filesize
252KB

Download
memory/5004-209-0x0000000002C60000-0x0000000002CAB000-memory.dmp

Filesize
300KB

Download
memory/5004-1131-0x0000000009740000-0x00000000097B6000-memory.dmp

Filesize
472KB

Download
memory/5004-1132-0x00000000097D0000-0x0000000009820000-memory.dmp

Filesize
320KB

Download