amadey | 6ec3f402273407765765c3180937bb586580eb4de9ae774bdeaf96c05e9b770c

Analysis

max time kernel
70s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2023 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Latest_Setup.exe
Size

26.2MB
MD5

a11be3a619ea9bd57949b1fd2854d9e6
SHA1

b00005ed81e9af1ea4eddfc0af581a2b5d037157
SHA256

6ec3f402273407765765c3180937bb586580eb4de9ae774bdeaf96c05e9b770c
SHA512

ba88bb00e00837e2bce0774654ae04ac6b353081101ee26ff1dabbd3a95aebfe143fff0419910cf5db53207b6a0c89e5751985768323d42e5c0d84aafbe5036f
SSDEEP

393216:i5M3YIDtcVVPJtb4SRQ723+fJz/rvzf0xwNslaU6JTbj2Dr/RIoaIKOghXzDFGfw:dZqJT4f1rvLKs2anrRjI5gd9MLl+

Score

10^/10

amadey lumma sectoprat systembc evasion persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3184-267-0x0000000000400000-0x0000000000920000-memory.dmp	family_sectoprat
behavioral1/memory/2836-299-0x0000000000400000-0x0000000000920000-memory.dmp	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BRR.exeBRR.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BRR.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BRR.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRR.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BRR.exeBRR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRR.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Latest_Setup.exeipuiwboqnet.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	Latest_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	ipuiwboqnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 5 IoCs

Processes:

ipuiwboqnet.exebstyoops.exeBRR.exebstyoops.exeBRR.exe

pid process

1992 ipuiwboqnet.exe
1060 bstyoops.exe
3184 BRR.exe
3340 bstyoops.exe
2836 BRR.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3016 rundll32.exe

pid	process
1992	ipuiwboqnet.exe
1060	bstyoops.exe
3184	BRR.exe
3340	bstyoops.exe
2836	BRR.exe

pid	process
3016	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
behavioral1/memory/3184-267-0x0000000000400000-0x0000000000920000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe	themida
behavioral1/memory/2836-299-0x0000000000400000-0x0000000000920000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BRR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BRR.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\so64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\so64.dll, rundll"	bstyoops.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BRR.exeBRR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRR.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Latest_Setup.exe

description ioc process

File opened (read-only) \??\F: Latest_Setup.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BRR.exeBRR.exe

pid process

3184 BRR.exe
2836 BRR.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Latest_Setup.exe

description pid process target process

PID 2880 set thread context of 1196 2880 Latest_Setup.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4236 1048 WerFault.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4456 schtasks.exe

description	ioc	process
File opened (read-only)	\??\F:	Latest_Setup.exe

pid	process
3184	BRR.exe
2836	BRR.exe

description	pid	process	target process
PID 2880 set thread context of 1196	2880	Latest_Setup.exe	AddInProcess32.exe

pid	pid_target	process	target process
4236	1048	WerFault.exe

pid	process
4456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

Latest_Setup.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exeipuiwboqnet.exebstyoops.exeBRR.exeBRR.exe

pid	process
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
2880	Latest_Setup.exe
4312	powershell.exe
4312	powershell.exe
4828	powershell.exe
4828	powershell.exe
3652	powershell.exe
3652	powershell.exe
3652	powershell.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1196	AddInProcess32.exe
1992	ipuiwboqnet.exe
1992	ipuiwboqnet.exe
1060	bstyoops.exe
1060	bstyoops.exe
3184	BRR.exe
3184	BRR.exe
2836	BRR.exe
2836	BRR.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4312 powershell.exe
Token: SeDebugPrivilege 4828 powershell.exe
Token: SeDebugPrivilege 3652 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ipuiwboqnet.exe

pid process

1992 ipuiwboqnet.exe

description	pid	process
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3652	powershell.exe

pid	process
1992	ipuiwboqnet.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Latest_Setup.exeAddInProcess32.exeipuiwboqnet.exebstyoops.execmd.exerundll32.exe

description	pid	process	target process
PID 2880 wrote to memory of 4312	2880	Latest_Setup.exe	powershell.exe
PID 2880 wrote to memory of 4312	2880	Latest_Setup.exe	powershell.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 4828	2880	Latest_Setup.exe	powershell.exe
PID 2880 wrote to memory of 4828	2880	Latest_Setup.exe	powershell.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 1196	2880	Latest_Setup.exe	AddInProcess32.exe
PID 2880 wrote to memory of 3652	2880	Latest_Setup.exe	powershell.exe
PID 2880 wrote to memory of 3652	2880	Latest_Setup.exe	powershell.exe
PID 1196 wrote to memory of 1992	1196	AddInProcess32.exe	ipuiwboqnet.exe
PID 1196 wrote to memory of 1992	1196	AddInProcess32.exe	ipuiwboqnet.exe
PID 1196 wrote to memory of 1992	1196	AddInProcess32.exe	ipuiwboqnet.exe
PID 1992 wrote to memory of 1060	1992	ipuiwboqnet.exe	bstyoops.exe
PID 1992 wrote to memory of 1060	1992	ipuiwboqnet.exe	bstyoops.exe
PID 1992 wrote to memory of 1060	1992	ipuiwboqnet.exe	bstyoops.exe
PID 1060 wrote to memory of 4456	1060	bstyoops.exe	schtasks.exe
PID 1060 wrote to memory of 4456	1060	bstyoops.exe	schtasks.exe
PID 1060 wrote to memory of 4456	1060	bstyoops.exe	schtasks.exe
PID 1060 wrote to memory of 3940	1060	bstyoops.exe	cmd.exe
PID 1060 wrote to memory of 3940	1060	bstyoops.exe	cmd.exe
PID 1060 wrote to memory of 3940	1060	bstyoops.exe	cmd.exe
PID 3940 wrote to memory of 3928	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 3928	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 3928	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 2848	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 2848	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 2848	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 3296	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 3296	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 3296	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 1020	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 1020	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 1020	3940	cmd.exe	cmd.exe
PID 3940 wrote to memory of 4784	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 4784	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 4784	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 4500	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 4500	3940	cmd.exe	cacls.exe
PID 3940 wrote to memory of 4500	3940	cmd.exe	cacls.exe
PID 1060 wrote to memory of 3184	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 3184	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 3184	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 2836	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 2836	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 2836	1060	bstyoops.exe	BRR.exe
PID 1060 wrote to memory of 3016	1060	bstyoops.exe	rundll32.exe
PID 1060 wrote to memory of 3016	1060	bstyoops.exe	rundll32.exe
PID 1060 wrote to memory of 3016	1060	bstyoops.exe	rundll32.exe
PID 3016 wrote to memory of 3856	3016	rundll32.exe	rundll32.exe
PID 3016 wrote to memory of 3856	3016	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Latest_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Latest_Setup.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\ipuiwboqnet.exe
"C:\Users\Admin\AppData\Local\Temp\ipuiwboqnet.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:4456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3928

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:2848

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1020

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:4784

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll, rundll
6⤵
PID:3856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll, rundll
5⤵
PID:4956

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll, rundll
6⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 1048 -ip 1048
1⤵
PID:2612

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1048 -s 2180
1⤵
- Program crash
PID:4236

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.7MB

MD5
d48f8e58f26c417a39ccaa16b19c3eaa

SHA1
98bac8df1b743fb5161f7e6d06ca459f56609761

SHA256
90abab33af6ecd382df38291b8dcf134cf7c6977965b2beb722fc06cca412e7e

SHA512
7f06ebccbd0b92f94c51c8030f44f19ea444cd96fb8654bcd1d37cded301dfe12f16b09f3a4b4f383e93e5d7240675ab13830e294cef2c7057aaab8c6b653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.7MB

MD5
d48f8e58f26c417a39ccaa16b19c3eaa

SHA1
98bac8df1b743fb5161f7e6d06ca459f56609761

SHA256
90abab33af6ecd382df38291b8dcf134cf7c6977965b2beb722fc06cca412e7e

SHA512
7f06ebccbd0b92f94c51c8030f44f19ea444cd96fb8654bcd1d37cded301dfe12f16b09f3a4b4f383e93e5d7240675ab13830e294cef2c7057aaab8c6b653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.7MB

MD5
d48f8e58f26c417a39ccaa16b19c3eaa

SHA1
98bac8df1b743fb5161f7e6d06ca459f56609761

SHA256
90abab33af6ecd382df38291b8dcf134cf7c6977965b2beb722fc06cca412e7e

SHA512
7f06ebccbd0b92f94c51c8030f44f19ea444cd96fb8654bcd1d37cded301dfe12f16b09f3a4b4f383e93e5d7240675ab13830e294cef2c7057aaab8c6b653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRR.exe
Filesize
1.7MB

MD5
d48f8e58f26c417a39ccaa16b19c3eaa

SHA1
98bac8df1b743fb5161f7e6d06ca459f56609761

SHA256
90abab33af6ecd382df38291b8dcf134cf7c6977965b2beb722fc06cca412e7e

SHA512
7f06ebccbd0b92f94c51c8030f44f19ea444cd96fb8654bcd1d37cded301dfe12f16b09f3a4b4f383e93e5d7240675ab13830e294cef2c7057aaab8c6b653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\so64.dll
Filesize
5.7MB

MD5
f0ff869ef9b5db88702fa3b257089e02

SHA1
bad053cbea73a8f19b737e8cf223b9bd939dc305

SHA256
f8e4893810b5e65725402ecf70abf361fae982a3efb8ec87f1ca04be948d9398

SHA512
1c157b7b3119c5155c15cc0186c19d0803df4a397920e06c1d455f98302b0bd3c2a939b42748096986474187e5e9d527a883e193097e00c540519c787a350d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3jrksqqh.oct.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipuiwboqnet.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipuiwboqnet.exe
Filesize
4.6MB

MD5
d62a7ad699dbdef8f95629a5922f0627

SHA1
3634e9cb0fb0918ac578d4a6fe7094fb7431b6d6

SHA256
9b8a466595ca8ed677ab8a0dae10d4093d9ed1a9dd643b7c853803fc1e2d1e6b

SHA512
e69a73caf20f1dbbc23165de737ce1babb5254f8ad664b4f50b6d0eabd3e5a4c836b6340a7dd6c6442e197bf47ad24de69f8b0da7f9a544171e243a01857e9e0

Download Submit
memory/1060-226-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1060-229-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/1060-260-0x0000000000690000-0x0000000000E02000-memory.dmp

Filesize
7.4MB

Download
memory/1060-227-0x0000000000690000-0x0000000000E02000-memory.dmp

Filesize
7.4MB

Download
memory/1060-230-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1060-228-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/1060-224-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1060-225-0x0000000000690000-0x0000000000E02000-memory.dmp

Filesize
7.4MB

Download
memory/1060-231-0x0000000002E90000-0x0000000002E91000-memory.dmp

Filesize
4KB

Download
memory/1196-178-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1196-176-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1992-199-0x0000000000810000-0x0000000000F82000-memory.dmp

Filesize
7.4MB

Download
memory/1992-202-0x0000000000810000-0x0000000000F82000-memory.dmp

Filesize
7.4MB

Download
memory/1992-201-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/1992-203-0x0000000001B00000-0x0000000001B01000-memory.dmp

Filesize
4KB

Download
memory/1992-200-0x0000000001630000-0x0000000001631000-memory.dmp

Filesize
4KB

Download
memory/1992-204-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1992-206-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/1992-205-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1992-223-0x0000000000810000-0x0000000000F82000-memory.dmp

Filesize
7.4MB

Download
memory/2016-311-0x00007FFD02BA0000-0x00007FFD03504000-memory.dmp

Filesize
9.4MB

Download
memory/2836-287-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/2836-314-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/2836-299-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/2836-291-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/2836-289-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/2836-288-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/2880-133-0x00007FFD2B890000-0x00007FFD2B892000-memory.dmp

Filesize
8KB

Download
memory/2880-135-0x00007FF6C8910000-0x00007FF6CB480000-memory.dmp

Filesize
43.4MB

Download
memory/2880-134-0x00007FF6C8910000-0x00007FF6CB480000-memory.dmp

Filesize
43.4MB

Download
memory/2880-140-0x00007FF6C8910000-0x00007FF6CB480000-memory.dmp

Filesize
43.4MB

Download
memory/3184-275-0x0000000006000000-0x000000000602E000-memory.dmp

Filesize
184KB

Download
memory/3184-301-0x00000000064C0000-0x00000000069EC000-memory.dmp

Filesize
5.2MB

Download
memory/3184-255-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/3184-257-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-258-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-259-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-303-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/3184-261-0x00000000773A4000-0x00000000773A6000-memory.dmp

Filesize
8KB

Download
memory/3184-267-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/3184-268-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/3184-269-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/3184-270-0x0000000005600000-0x00000000057C2000-memory.dmp

Filesize
1.8MB

Download
memory/3184-271-0x00000000057E0000-0x0000000005856000-memory.dmp

Filesize
472KB

Download
memory/3184-272-0x0000000005870000-0x00000000058C0000-memory.dmp

Filesize
320KB

Download
memory/3184-273-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3184-296-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-295-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-277-0x0000000006030000-0x0000000006068000-memory.dmp

Filesize
224KB

Download
memory/3184-294-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-293-0x0000000075840000-0x0000000075930000-memory.dmp

Filesize
960KB

Download
memory/3184-290-0x0000000000400000-0x0000000000920000-memory.dmp

Filesize
5.1MB

Download
memory/3340-315-0x0000000000690000-0x0000000000E02000-memory.dmp

Filesize
7.4MB

Download
memory/3652-180-0x00000198A5EE0000-0x00000198A5EF0000-memory.dmp

Filesize
64KB

Download
memory/3652-193-0x00000198A5EE0000-0x00000198A5EF0000-memory.dmp

Filesize
64KB

Download
memory/3652-192-0x00007FFD0C460000-0x00007FFD0CF21000-memory.dmp

Filesize
10.8MB

Download
memory/3652-194-0x00000198A5EE0000-0x00000198A5EF0000-memory.dmp

Filesize
64KB

Download
memory/3652-181-0x00000198A5EE0000-0x00000198A5EF0000-memory.dmp

Filesize
64KB

Download
memory/3652-179-0x00007FFD0C460000-0x00007FFD0CF21000-memory.dmp

Filesize
10.8MB

Download
memory/3856-308-0x00007FFD02BA0000-0x00007FFD03504000-memory.dmp

Filesize
9.4MB

Download
memory/3856-306-0x00007FFD2B890000-0x00007FFD2B892000-memory.dmp

Filesize
8KB

Download
memory/4312-152-0x000002365A9B0000-0x000002365A9C0000-memory.dmp

Filesize
64KB

Download
memory/4312-159-0x00007FFD0C900000-0x00007FFD0D3C1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-151-0x00007FFD0C900000-0x00007FFD0D3C1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-146-0x000002365A940000-0x000002365A962000-memory.dmp

Filesize
136KB

Download
memory/4312-153-0x000002365A9B0000-0x000002365A9C0000-memory.dmp

Filesize
64KB

Download
memory/4312-156-0x000002365A9B0000-0x000002365A9C0000-memory.dmp

Filesize
64KB

Download
memory/4312-155-0x00007FFD0C900000-0x00007FFD0D3C1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-154-0x000002365A9B0000-0x000002365A9C0000-memory.dmp

Filesize
64KB

Download
memory/4828-172-0x0000016C79430000-0x0000016C79440000-memory.dmp

Filesize
64KB

Download
memory/4828-166-0x00007FFD0C3B0000-0x00007FFD0CE71000-memory.dmp

Filesize
10.8MB

Download
memory/4828-175-0x00007FFD0C3B0000-0x00007FFD0CE71000-memory.dmp

Filesize
10.8MB

Download
memory/4828-171-0x0000016C79430000-0x0000016C79440000-memory.dmp

Filesize
64KB

Download