amadey | ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3

Analysis

max time kernel
96s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe
Size

1004KB
MD5

32a663e5f4d50897d33c7ae118f0c85f
SHA1

3f6c0001a40b9634dffd3df4c4ef1ededda40cbe
SHA256

ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3
SHA512

57f2a05e5bb90012e015b275abd0177d2ce0301be938f44524a25737e34c54a3fb55997d993e7b14d9cb44fb6f4a393a5ae316392a716222ba1d01b9ece754e5
SSDEEP

24576:Vy6J6QLfliA3+BcNuJ1TR+sRmJpVtEaxbKa8kftKs:ww3bmBcA1FnRmrR+a8kfw

Score

10^/10

amadey redline renta rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

renta

176.113.115.145:4125

Attributes

auth_value
359596fd5b36e9925ade4d9a1846bafb

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

bu442530.execor1289.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bu442530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bu442530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bu442530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bu442530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bu442530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bu442530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cor1289.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2496-210-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-211-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-213-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-215-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-217-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-219-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-221-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-223-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-225-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-227-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-229-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-231-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-233-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-235-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-237-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-239-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-241-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-243-0x0000000006000000-0x000000000603F000-memory.dmp	family_redline
behavioral1/memory/2496-1130-0x00000000061C0000-0x00000000061D0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ge029931.exemetafor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	ge029931.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 10 IoCs

Processes:

kina7193.exekina1726.exekina0065.exebu442530.execor1289.exedxu42s45.exeen606703.exege029931.exemetafor.exemetafor.exe

pid	process
3448	kina7193.exe
5108	kina1726.exe
5100	kina0065.exe
4116	bu442530.exe
4972	cor1289.exe
2496	dxu42s45.exe
4544	en606703.exe
860	ge029931.exe
488	metafor.exe
1104	metafor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bu442530.execor1289.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bu442530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	cor1289.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	cor1289.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kina7193.exekina1726.exekina0065.exeae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7193.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina7193.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina1726.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina0065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina0065.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3016 4972 WerFault.exe cor1289.exe
4276 2496 WerFault.exe dxu42s45.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1480 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

bu442530.execor1289.exedxu42s45.exeen606703.exe

pid process

4116 bu442530.exe
4116 bu442530.exe
4972 cor1289.exe
4972 cor1289.exe
2496 dxu42s45.exe
2496 dxu42s45.exe
4544 en606703.exe
4544 en606703.exe

pid	pid_target	process	target process
3016	4972	WerFault.exe	cor1289.exe
4276	2496	WerFault.exe	dxu42s45.exe

pid	process
1480	schtasks.exe

pid	process
4116	bu442530.exe
4116	bu442530.exe
4972	cor1289.exe
4972	cor1289.exe
2496	dxu42s45.exe
2496	dxu42s45.exe
4544	en606703.exe
4544	en606703.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bu442530.execor1289.exedxu42s45.exeen606703.exe

description	pid	process
Token: SeDebugPrivilege	4116	bu442530.exe
Token: SeDebugPrivilege	4972	cor1289.exe
Token: SeDebugPrivilege	2496	dxu42s45.exe
Token: SeDebugPrivilege	4544	en606703.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exekina7193.exekina1726.exekina0065.exege029931.exemetafor.execmd.exe

description	pid	process	target process
PID 3980 wrote to memory of 3448	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	kina7193.exe
PID 3980 wrote to memory of 3448	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	kina7193.exe
PID 3980 wrote to memory of 3448	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	kina7193.exe
PID 3448 wrote to memory of 5108	3448	kina7193.exe	kina1726.exe
PID 3448 wrote to memory of 5108	3448	kina7193.exe	kina1726.exe
PID 3448 wrote to memory of 5108	3448	kina7193.exe	kina1726.exe
PID 5108 wrote to memory of 5100	5108	kina1726.exe	kina0065.exe
PID 5108 wrote to memory of 5100	5108	kina1726.exe	kina0065.exe
PID 5108 wrote to memory of 5100	5108	kina1726.exe	kina0065.exe
PID 5100 wrote to memory of 4116	5100	kina0065.exe	bu442530.exe
PID 5100 wrote to memory of 4116	5100	kina0065.exe	bu442530.exe
PID 5100 wrote to memory of 4972	5100	kina0065.exe	cor1289.exe
PID 5100 wrote to memory of 4972	5100	kina0065.exe	cor1289.exe
PID 5100 wrote to memory of 4972	5100	kina0065.exe	cor1289.exe
PID 5108 wrote to memory of 2496	5108	kina1726.exe	dxu42s45.exe
PID 5108 wrote to memory of 2496	5108	kina1726.exe	dxu42s45.exe
PID 5108 wrote to memory of 2496	5108	kina1726.exe	dxu42s45.exe
PID 3448 wrote to memory of 4544	3448	kina7193.exe	en606703.exe
PID 3448 wrote to memory of 4544	3448	kina7193.exe	en606703.exe
PID 3448 wrote to memory of 4544	3448	kina7193.exe	en606703.exe
PID 3980 wrote to memory of 860	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	ge029931.exe
PID 3980 wrote to memory of 860	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	ge029931.exe
PID 3980 wrote to memory of 860	3980	ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe	ge029931.exe
PID 860 wrote to memory of 488	860	ge029931.exe	metafor.exe
PID 860 wrote to memory of 488	860	ge029931.exe	metafor.exe
PID 860 wrote to memory of 488	860	ge029931.exe	metafor.exe
PID 488 wrote to memory of 1480	488	metafor.exe	schtasks.exe
PID 488 wrote to memory of 1480	488	metafor.exe	schtasks.exe
PID 488 wrote to memory of 1480	488	metafor.exe	schtasks.exe
PID 488 wrote to memory of 1368	488	metafor.exe	cmd.exe
PID 488 wrote to memory of 1368	488	metafor.exe	cmd.exe
PID 488 wrote to memory of 1368	488	metafor.exe	cmd.exe
PID 1368 wrote to memory of 4916	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 4916	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 4916	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 2820	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 2820	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 2820	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3396	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3396	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3396	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 4064	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 4064	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 4064	1368	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1668	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 1668	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 1668	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3924	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3924	1368	cmd.exe	cacls.exe
PID 1368 wrote to memory of 3924	1368	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe
"C:\Users\Admin\AppData\Local\Temp\ae52416d9673c6e058e4923517a4b3ad84ae38004e3cc139660a25f01fe508f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7193.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7193.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1726.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1726.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0065.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0065.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu442530.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu442530.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1289.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1289.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1080
6⤵
- Program crash
PID:3016

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxu42s45.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxu42s45.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1336
5⤵
- Program crash
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en606703.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en606703.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge029931.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge029931.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
4⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4916

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:N"
5⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
CACLS "metafor.exe" /P "Admin:R" /E
5⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:N"
5⤵
PID:1668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5975271bda" /P "Admin:R" /E
5⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2496 -ip 2496
1⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge029931.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge029931.exe

Filesize
227KB

MD5
d1f880569e403cd2c1ab952937d6d605

SHA1
4bc56b25e236709ff2f1379854039c93329fc7f8

SHA256
33ac8b20305852aa59f0d2774bbcbcfca5fdecb266503be311c964d47086660d

SHA512
9fa5e649f589d65790942b57a1e998f07c61cae1da50788e23e1bfdb3dfb24a056cb435c2a8d32a6219d1223b1bec1983399cd8685dc10f605846d160a0fb56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7193.exe

Filesize
822KB

MD5
4542c85c11d4442256b53da5df4500f6

SHA1
6b952315c31762b7275f10094158ffc44928691b

SHA256
65fb59b4053b3569f1dff8124f14d70277c7cafccd373b75f6f3fc700053d0d1

SHA512
8c6085f3b216427a7a8b96883290bca145c1bd831f2a416a087444d1888685cbc6fe98311cc29b4ff90cd2599772692bc124e9b369881ebc2d7db89e78bc7d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina7193.exe

Filesize
822KB

MD5
4542c85c11d4442256b53da5df4500f6

SHA1
6b952315c31762b7275f10094158ffc44928691b

SHA256
65fb59b4053b3569f1dff8124f14d70277c7cafccd373b75f6f3fc700053d0d1

SHA512
8c6085f3b216427a7a8b96883290bca145c1bd831f2a416a087444d1888685cbc6fe98311cc29b4ff90cd2599772692bc124e9b369881ebc2d7db89e78bc7d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en606703.exe

Filesize
175KB

MD5
15973d2e0953d7b2dd73a7c0d59cd7db

SHA1
65f060b26970551c33aca434bf69f5de0915779a

SHA256
2210ddfb9b3244e357bd48612f84c06cd9e76333289fd2851b7ee8794863cef7

SHA512
6fe2a963d27754966bee0f0ba4521379177cc214fa9376ac909c186f9347b4a085c6ab6f51f80ef4ec86d71a5387043a6d9ccb844fd1a0d00c98ad447b1a50c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en606703.exe

Filesize
175KB

MD5
15973d2e0953d7b2dd73a7c0d59cd7db

SHA1
65f060b26970551c33aca434bf69f5de0915779a

SHA256
2210ddfb9b3244e357bd48612f84c06cd9e76333289fd2851b7ee8794863cef7

SHA512
6fe2a963d27754966bee0f0ba4521379177cc214fa9376ac909c186f9347b4a085c6ab6f51f80ef4ec86d71a5387043a6d9ccb844fd1a0d00c98ad447b1a50c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1726.exe

Filesize
680KB

MD5
ede29de5165aade511ce566d3327da04

SHA1
8aca85202b4f2302115d6ad6be48eae6fab556e8

SHA256
a34f8a92bf7aa25e9e6053d063fdd3e7602b4b84b42ea5da1a704043a9639451

SHA512
579d2bb25da5eaf794197db127ea2b4294217a2ddeb531a7a5dc49d6990f790d4d29d6475a561096a3436fd04c2c7f93284bbcc0b598c2fe27e116802d5a767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina1726.exe

Filesize
680KB

MD5
ede29de5165aade511ce566d3327da04

SHA1
8aca85202b4f2302115d6ad6be48eae6fab556e8

SHA256
a34f8a92bf7aa25e9e6053d063fdd3e7602b4b84b42ea5da1a704043a9639451

SHA512
579d2bb25da5eaf794197db127ea2b4294217a2ddeb531a7a5dc49d6990f790d4d29d6475a561096a3436fd04c2c7f93284bbcc0b598c2fe27e116802d5a767f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxu42s45.exe

Filesize
345KB

MD5
7d7014cedbcab529838050b01c262dff

SHA1
ed551b0b5d543b6646061ec8bf73b19cfaaaf847

SHA256
951911a9d6ad81b29592aec126a56b156a49cb9e5da625c649ca68f0bd1d737e

SHA512
af7143977f6174488a8dc8465726e3accb2348c9af20c05ae1c659c73a54217e0313518b07b85a6301353bbcc15908f405af1c396aa1acb39eb48f76ca6e84a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dxu42s45.exe

Filesize
345KB

MD5
7d7014cedbcab529838050b01c262dff

SHA1
ed551b0b5d543b6646061ec8bf73b19cfaaaf847

SHA256
951911a9d6ad81b29592aec126a56b156a49cb9e5da625c649ca68f0bd1d737e

SHA512
af7143977f6174488a8dc8465726e3accb2348c9af20c05ae1c659c73a54217e0313518b07b85a6301353bbcc15908f405af1c396aa1acb39eb48f76ca6e84a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0065.exe

Filesize
345KB

MD5
184a4ed0215285b05efc29036927844c

SHA1
565d0a23524bada36291045c2ce0e9c876fdbdee

SHA256
b553d3d948802785783703993090766780a25e318ded54f1bff8e200ff9ab5b1

SHA512
48655a2fb59ff34269f34db40bcb9e0ae743a0ee8decb8110278af11935ec86caeb8f59acd7ebf3c3f7afd1c55ab45cdb02a737dfb2b296f26e047d55382c9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0065.exe

Filesize
345KB

MD5
184a4ed0215285b05efc29036927844c

SHA1
565d0a23524bada36291045c2ce0e9c876fdbdee

SHA256
b553d3d948802785783703993090766780a25e318ded54f1bff8e200ff9ab5b1

SHA512
48655a2fb59ff34269f34db40bcb9e0ae743a0ee8decb8110278af11935ec86caeb8f59acd7ebf3c3f7afd1c55ab45cdb02a737dfb2b296f26e047d55382c9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu442530.exe

Filesize
11KB

MD5
89ea25fa3951359e234ca5a0c5da83a6

SHA1
8bca241d7438874ee78ae7729f344d78fdd18f23

SHA256
7473d597390106f9686a9d2b7bb666a378c3fe3e7acc1227707fc9fda902a484

SHA512
1c55def8582affce995b3978c6ea890659e6a08eaa88c65738b3bc8f5967c64f62e0a6145e4ebaf4b638abb0bcad6d82131701c939bc1d28cf8c83c84a84a9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu442530.exe

Filesize
11KB

MD5
89ea25fa3951359e234ca5a0c5da83a6

SHA1
8bca241d7438874ee78ae7729f344d78fdd18f23

SHA256
7473d597390106f9686a9d2b7bb666a378c3fe3e7acc1227707fc9fda902a484

SHA512
1c55def8582affce995b3978c6ea890659e6a08eaa88c65738b3bc8f5967c64f62e0a6145e4ebaf4b638abb0bcad6d82131701c939bc1d28cf8c83c84a84a9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1289.exe

Filesize
291KB

MD5
5afae0b15bf512fcae1ba6cae209bb86

SHA1
474b09d3ddde022becb9736097323b2715a47494

SHA256
0b425c8b934a0fede8727e318e72d043f098c905b65538c17cbb06e9c50e9db3

SHA512
72a7d347cd1035193bfb3be0f742a02e7819cc5c1dbc5bf5e5a0a16a946804bd42a4374e84612f07f8211111f87eca626be8cd6e626128af7934246f5356b8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor1289.exe

Filesize
291KB

MD5
5afae0b15bf512fcae1ba6cae209bb86

SHA1
474b09d3ddde022becb9736097323b2715a47494

SHA256
0b425c8b934a0fede8727e318e72d043f098c905b65538c17cbb06e9c50e9db3

SHA512
72a7d347cd1035193bfb3be0f742a02e7819cc5c1dbc5bf5e5a0a16a946804bd42a4374e84612f07f8211111f87eca626be8cd6e626128af7934246f5356b8eb

Download Submit
memory/2496-1123-0x0000000006F70000-0x0000000006FAC000-memory.dmp

Filesize
240KB

Download
memory/2496-1130-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-1135-0x0000000008550000-0x00000000085A0000-memory.dmp

Filesize
320KB

Download
memory/2496-1134-0x00000000084D0000-0x0000000008546000-memory.dmp

Filesize
472KB

Download
memory/2496-1133-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-1132-0x0000000007D00000-0x000000000822C000-memory.dmp

Filesize
5.2MB

Download
memory/2496-1131-0x0000000007B20000-0x0000000007CE2000-memory.dmp

Filesize
1.8MB

Download
memory/2496-1129-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-1128-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-1126-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/2496-1125-0x0000000007260000-0x00000000072C6000-memory.dmp

Filesize
408KB

Download
memory/2496-1124-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-1122-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/2496-1121-0x0000000006E10000-0x0000000006F1A000-memory.dmp

Filesize
1.0MB

Download
memory/2496-1120-0x0000000006780000-0x0000000006D98000-memory.dmp

Filesize
6.1MB

Download
memory/2496-376-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-374-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-372-0x00000000061C0000-0x00000000061D0000-memory.dmp

Filesize
64KB

Download
memory/2496-210-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-211-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-213-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-215-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-217-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-219-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-221-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-223-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-225-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-227-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-229-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-231-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-233-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-235-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-237-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-239-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-241-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-243-0x0000000006000000-0x000000000603F000-memory.dmp

Filesize
252KB

Download
memory/2496-370-0x0000000001B00000-0x0000000001B4B000-memory.dmp

Filesize
300KB

Download
memory/4116-161-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/4544-1141-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/4544-1142-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/4972-200-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4972-189-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-202-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-179-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-181-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-199-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-198-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-197-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-196-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/4972-185-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-195-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-193-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-191-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-203-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-187-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-177-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-175-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-204-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4972-205-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4972-173-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-171-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-169-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-168-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download
memory/4972-167-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/4972-183-0x0000000002920000-0x0000000002932000-memory.dmp

Filesize
72KB

Download