amadey | 83f6d9721abac7afdb48fad8a0430fcbb6cb4c1de28e37a0768d92cf8e7c8cda

Resubmissions

30-07-2023 09:27

230730-les4qsgg49 10

29-07-2023 12:31

230729-pp9q1scg28 10

Analysis

max time kernel
94s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2023 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup-File.exe
Size

28.1MB
MD5

9ddc92ae27b3c01abcc9361f5f10dbeb
SHA1

4ae7273d55275c53ebd66fd8d55d54d5257ad21d
SHA256

48987d9c89542a8cb4f8d34eb34902a4762cc8643c0e491deb6115907db4887b
SHA512

20f81c7cf228b92ef488fc24d1a3ed288f77036903bfcb1a650a7505a9f618c2fafa09e4b7c5e539a5627d6436f7011f1ed0ecf027609524006c07716447e68b
SSDEEP

786432:z6FQ28LUo3oaouyd+sP6qSwbJ+IViZRR/5PwUA1:zAQPLUcoMA+sP6q3pV255rI

Score

10^/10

amadey lumma sectoprat systembc evasion persistence rat spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/memory/3796-371-0x0000000000400000-0x0000000000AAE000-memory.dmp	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BRF.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BRF.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BRF.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BRF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BRF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BRF.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup-File.exenomfaeevfwdhsjnb.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	Setup-File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	nomfaeevfwdhsjnb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 4 IoCs

Processes:

nomfaeevfwdhsjnb.exebstyoops.exeBRF.exebstyoops.exe

pid process

1104 nomfaeevfwdhsjnb.exe
3472 bstyoops.exe
3796 BRF.exe
3552 bstyoops.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5072 rundll32.exe
416 rundll32.exe

pid	process
1104	nomfaeevfwdhsjnb.exe
3472	bstyoops.exe
3796	BRF.exe
3552	bstyoops.exe

pid	process
5072	rundll32.exe
416	rundll32.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe	themida
behavioral3/memory/3796-371-0x0000000000400000-0x0000000000AAE000-memory.dmp	themida

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll	vmprotect
behavioral3/memory/416-420-0x00007FFBF1E90000-0x00007FFBF2882000-memory.dmp	vmprotect
behavioral3/memory/416-427-0x00007FFBF1E90000-0x00007FFBF2882000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BRF.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BRF.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc64r.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\svc64r.dll, rundll"	bstyoops.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BRF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BRF.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Setup-File.exe

description ioc process

File opened (read-only) \??\F: Setup-File.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BRF.exe

description	ioc	process
File opened (read-only)	\??\F:	Setup-File.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C5E33246-EF2F-4AEE-8704-5B55B89BE558}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BRF.exe

pid process

3796 BRF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup-File.exe

description pid process target process

PID 2916 set thread context of 4280 2916 Setup-File.exe csc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2712 schtasks.exe

pid	process
3796	BRF.exe

description	pid	process	target process
PID 2916 set thread context of 4280	2916	Setup-File.exe	csc.exe

pid	process
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

Setup-File.exepowershell.exepowershell.exepowershell.execsc.exenomfaeevfwdhsjnb.exebstyoops.exeBRF.exe

pid	process
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
2916	Setup-File.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
4280	csc.exe
1104	nomfaeevfwdhsjnb.exe
1104	nomfaeevfwdhsjnb.exe
3472	bstyoops.exe
3472	bstyoops.exe
3796	BRF.exe
3796	BRF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3864 powershell.exe
Token: SeDebugPrivilege 1776 powershell.exe
Token: SeDebugPrivilege 4024 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

nomfaeevfwdhsjnb.exe

pid process

1104 nomfaeevfwdhsjnb.exe

description	pid	process
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe

pid	process
1104	nomfaeevfwdhsjnb.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Setup-File.execsc.exenomfaeevfwdhsjnb.exebstyoops.execmd.exerundll32.exe

description	pid	process	target process
PID 2916 wrote to memory of 3864	2916	Setup-File.exe	powershell.exe
PID 2916 wrote to memory of 3864	2916	Setup-File.exe	powershell.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 1776	2916	Setup-File.exe	powershell.exe
PID 2916 wrote to memory of 1776	2916	Setup-File.exe	powershell.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4280	2916	Setup-File.exe	csc.exe
PID 2916 wrote to memory of 4024	2916	Setup-File.exe	powershell.exe
PID 2916 wrote to memory of 4024	2916	Setup-File.exe	powershell.exe
PID 4280 wrote to memory of 1104	4280	csc.exe	nomfaeevfwdhsjnb.exe
PID 4280 wrote to memory of 1104	4280	csc.exe	nomfaeevfwdhsjnb.exe
PID 4280 wrote to memory of 1104	4280	csc.exe	nomfaeevfwdhsjnb.exe
PID 1104 wrote to memory of 3472	1104	nomfaeevfwdhsjnb.exe	bstyoops.exe
PID 1104 wrote to memory of 3472	1104	nomfaeevfwdhsjnb.exe	bstyoops.exe
PID 1104 wrote to memory of 3472	1104	nomfaeevfwdhsjnb.exe	bstyoops.exe
PID 3472 wrote to memory of 2712	3472	bstyoops.exe	schtasks.exe
PID 3472 wrote to memory of 2712	3472	bstyoops.exe	schtasks.exe
PID 3472 wrote to memory of 2712	3472	bstyoops.exe	schtasks.exe
PID 3472 wrote to memory of 2768	3472	bstyoops.exe	cmd.exe
PID 3472 wrote to memory of 2768	3472	bstyoops.exe	cmd.exe
PID 3472 wrote to memory of 2768	3472	bstyoops.exe	cmd.exe
PID 2768 wrote to memory of 1296	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1296	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1296	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 3352	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 3352	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 3352	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4408	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4408	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4408	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1060	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1060	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 1060	2768	cmd.exe	cmd.exe
PID 2768 wrote to memory of 4028	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4028	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 4028	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1888	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1888	2768	cmd.exe	cacls.exe
PID 2768 wrote to memory of 1888	2768	cmd.exe	cacls.exe
PID 3472 wrote to memory of 3796	3472	bstyoops.exe	BRF.exe
PID 3472 wrote to memory of 3796	3472	bstyoops.exe	BRF.exe
PID 3472 wrote to memory of 3796	3472	bstyoops.exe	BRF.exe
PID 3472 wrote to memory of 5072	3472	bstyoops.exe	rundll32.exe
PID 3472 wrote to memory of 5072	3472	bstyoops.exe	rundll32.exe
PID 3472 wrote to memory of 5072	3472	bstyoops.exe	rundll32.exe
PID 5072 wrote to memory of 416	5072	rundll32.exe	rundll32.exe
PID 5072 wrote to memory of 416	5072	rundll32.exe	rundll32.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup-File.exe
"C:\Users\Admin\AppData\Local\Temp\Setup-File.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\nomfaeevfwdhsjnb.exe
"C:\Users\Admin\AppData\Local\Temp\nomfaeevfwdhsjnb.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1296

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:3352

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1060

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:4028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll, rundll
6⤵
- Loads dropped DLL
PID:416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3988

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2f996b44e71bcf8e9d9bd5ef2a96a963

SHA1
61a10fcfb7bad1271f7132c7491982a916489af0

SHA256
78d612ffa268c2871faf8e656889f9ec6475890ff2763410dbf434a343ad9a0d

SHA512
84815d678a672aa99d4834fa4c0a42089bec36da593caabc337dc66180a8ebd0131e65fb68ba645d3d68e80a5e7808e0dcf5b0ff1cb2a46786d532b088b44515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fa43c5d409237063705a8aa3a5868f25

SHA1
7bb83b3ed1aae19408f08cd6df8a53fd038575f8

SHA256
c9c99092d4b96c7ebf347ea548ac9e36c63d06b6e361b1e8c84fac269200ee78

SHA512
865422d5187a87bfbd158c6beae2e996067a0bd82f9fc336c8c26b5e390d2c7ad9634f794a252a2979b6036122eaccec4e56898fdd97d629a1474b8f72bcc1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BRF.exe
Filesize
2.7MB

MD5
46a224a0255517d54853616333019069

SHA1
8545810a9850152ecb114a1bd996e7a84fec618d

SHA256
df5a60ab74a1665d427abaa489b06bdaad4da36233f34f2214fba37c71239d2d

SHA512
e2e93f82c340f284a2e330f18ebde654c31cad2a09b08b777be6c56af07341b57cb66491c2186b1cc5d3ed3dd2f5d2a89520e0aec40035f96a54b3f66f9d7775

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\svc64r.dll
Filesize
5.9MB

MD5
6d66ebefc82d9c9f16587a7ae904ed21

SHA1
64727979d14397e8c44182204f26794b33032ba5

SHA256
84130a7aef0d5f4c43b9f6bebde1df579fd97cd477c332aa153f6b315b39b974

SHA512
4e14589e407de6194ed8d2a4c9849d07553547bd5af7f2723a37dc6b3920adc62b72b28d33eb658dc811081829fd64652dfe2f761d6b9fc56b327a697911c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kqkewtv.bm5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nomfaeevfwdhsjnb.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nomfaeevfwdhsjnb.exe
Filesize
6.8MB

MD5
d4252546e5600eeaa65acf66902c943a

SHA1
cf2228794617f40959a3bac5c42f50e17ee71f0a

SHA256
289f602f839f2ffdf893b5f6036d561fddd702c7ad987013901d0f021d11d788

SHA512
ebcdf4a8a7fde33773feba6de44c8697e93bb94aa2b40800fc8468f7817a4e3212abc02647943f2eaeb7112d7e752c606df66b465779e422aad2abf68b9dc5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuF770.tmp
Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
memory/416-419-0x00007FFC1E9E0000-0x00007FFC1E9E2000-memory.dmp

Filesize
8KB

Download
memory/416-426-0x00007FFC1E9F0000-0x00007FFC1E9F2000-memory.dmp

Filesize
8KB

Download
memory/416-418-0x00007FFC1E9D0000-0x00007FFC1E9D2000-memory.dmp

Filesize
8KB

Download
memory/416-421-0x00007FFC1DBB0000-0x00007FFC1DBB2000-memory.dmp

Filesize
8KB

Download
memory/416-427-0x00007FFBF1E90000-0x00007FFBF2882000-memory.dmp

Filesize
9.9MB

Download
memory/416-422-0x00007FFC1DBC0000-0x00007FFC1DBC2000-memory.dmp

Filesize
8KB

Download
memory/416-423-0x00007FFC1C820000-0x00007FFC1C822000-memory.dmp

Filesize
8KB

Download
memory/416-424-0x00007FFC1C830000-0x00007FFC1C832000-memory.dmp

Filesize
8KB

Download
memory/416-420-0x00007FFBF1E90000-0x00007FFBF2882000-memory.dmp

Filesize
9.9MB

Download
memory/1104-291-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/1104-290-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/1104-289-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1104-288-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/1104-292-0x0000000000490000-0x0000000000F96000-memory.dmp

Filesize
11.0MB

Download
memory/1104-286-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/1104-287-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/1104-285-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/1104-284-0x0000000000490000-0x0000000000F96000-memory.dmp

Filesize
11.0MB

Download
memory/1104-311-0x0000000000490000-0x0000000000F96000-memory.dmp

Filesize
11.0MB

Download
memory/1776-224-0x00000255CBED0000-0x00000255CBEE0000-memory.dmp

Filesize
64KB

Download
memory/1776-219-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/1776-198-0x00000255CBED0000-0x00000255CBEE0000-memory.dmp

Filesize
64KB

Download
memory/1776-197-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/1776-200-0x00000255CBED0000-0x00000255CBEE0000-memory.dmp

Filesize
64KB

Download
memory/1776-223-0x00000255CBED0000-0x00000255CBEE0000-memory.dmp

Filesize
64KB

Download
memory/1776-228-0x00000255CBED0000-0x00000255CBEE0000-memory.dmp

Filesize
64KB

Download
memory/1776-230-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/2916-139-0x00007FFC1C820000-0x00007FFC1C822000-memory.dmp

Filesize
8KB

Download
memory/2916-138-0x00007FF6D1120000-0x00007FF6D3F59000-memory.dmp

Filesize
46.2MB

Download
memory/2916-137-0x00007FFC1DBC0000-0x00007FFC1DBC2000-memory.dmp

Filesize
8KB

Download
memory/2916-133-0x00007FFC1E9D0000-0x00007FFC1E9D2000-memory.dmp

Filesize
8KB

Download
memory/2916-136-0x00007FFC1DBB0000-0x00007FFC1DBB2000-memory.dmp

Filesize
8KB

Download
memory/2916-135-0x00007FFC1E9F0000-0x00007FFC1E9F2000-memory.dmp

Filesize
8KB

Download
memory/2916-140-0x00007FFC1C830000-0x00007FFC1C832000-memory.dmp

Filesize
8KB

Download
memory/2916-148-0x00007FF6D1120000-0x00007FF6D3F59000-memory.dmp

Filesize
46.2MB

Download
memory/2916-134-0x00007FFC1E9E0000-0x00007FFC1E9E2000-memory.dmp

Filesize
8KB

Download
memory/2916-141-0x00007FF6D1120000-0x00007FF6D3F59000-memory.dmp

Filesize
46.2MB

Download
memory/3472-316-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3472-318-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/3472-321-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/3472-322-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download
memory/3472-323-0x0000000001420000-0x0000000001421000-memory.dmp

Filesize
4KB

Download
memory/3472-339-0x0000000000680000-0x0000000001186000-memory.dmp

Filesize
11.0MB

Download
memory/3472-320-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/3472-319-0x0000000000680000-0x0000000001186000-memory.dmp

Filesize
11.0MB

Download
memory/3472-317-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3472-315-0x0000000000680000-0x0000000001186000-memory.dmp

Filesize
11.0MB

Download
memory/3552-434-0x0000000000680000-0x0000000001186000-memory.dmp

Filesize
11.0MB

Download
memory/3796-363-0x0000000077394000-0x0000000077396000-memory.dmp

Filesize
8KB

Download
memory/3796-359-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3796-362-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-371-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3796-372-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/3796-373-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/3796-374-0x00000000057B0000-0x0000000005972000-memory.dmp

Filesize
1.8MB

Download
memory/3796-375-0x0000000005980000-0x00000000059F6000-memory.dmp

Filesize
472KB

Download
memory/3796-376-0x0000000005A00000-0x0000000005A50000-memory.dmp

Filesize
320KB

Download
memory/3796-377-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/3796-384-0x0000000006190000-0x00000000061BE000-memory.dmp

Filesize
184KB

Download
memory/3796-385-0x00000000061C0000-0x00000000061F8000-memory.dmp

Filesize
224KB

Download
memory/3796-386-0x0000000000400000-0x0000000000AAE000-memory.dmp

Filesize
6.7MB

Download
memory/3796-360-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-361-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-397-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-407-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-406-0x0000000075CE0000-0x0000000075DD0000-memory.dmp

Filesize
960KB

Download
memory/3796-405-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/3796-399-0x00000000066D0000-0x0000000006BFC000-memory.dmp

Filesize
5.2MB

Download
memory/3864-155-0x000001C738D10000-0x000001C738D32000-memory.dmp

Filesize
136KB

Download
memory/3864-159-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/3864-160-0x000001C738C60000-0x000001C738C70000-memory.dmp

Filesize
64KB

Download
memory/3864-183-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/3864-186-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/4024-244-0x0000019B5AAD0000-0x0000019B5AAE0000-memory.dmp

Filesize
64KB

Download
memory/4024-234-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/4024-273-0x0000019B5AAD0000-0x0000019B5AAE0000-memory.dmp

Filesize
64KB

Download
memory/4024-270-0x00007FFBFF350000-0x00007FFBFFE11000-memory.dmp

Filesize
10.8MB

Download
memory/4024-272-0x0000019B5AAD0000-0x0000019B5AAE0000-memory.dmp

Filesize
64KB

Download
memory/4024-271-0x0000019B5AAD0000-0x0000019B5AAE0000-memory.dmp

Filesize
64KB

Download
memory/4280-231-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4280-233-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download