neshta | 2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

37KB
MD5

d837db914680e0e91ee392cf2b3f3d2b
SHA1

30f2fc5f58250895f74969d1a7c932f68efcd9af
SHA256

2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be
SHA512

aff4c2cafa23813d5c16ccd8baa8247697cc444c3642140610113f7e4854c083fad514ef3a6441b1fb3075e819af8599d1c5f5b3725c89521045f55598ebcd7b
SSDEEP

768:xz5lT+Q2PeKmxzHAXFyK9Oi26YOjhDPygM:xz512PGLuF39726YOj9u

Score

10^/10

neshta xworm execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

weeks-deployment.gl.at.ply.gg:56058

Mutex

bGBs6Wpo1XzkMyuH

Attributes

Install_directory
%Temp%
install_file
System32.exe

aes.plain

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\drsqbk.exe	family_neshta
behavioral2/memory/4008-187-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4008-188-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/4008-190-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1612-0-0x00000000006F0000-0x0000000000700000-memory.dmp	family_xworm

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3224 powershell.exe
4528 powershell.exe
3876 powershell.exe
2364 powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exedrsqbk.exedrsqbk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	drsqbk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	drsqbk.exe

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk	XClient.exe

Executes dropped EXE 2 IoCs

Processes:

drsqbk.exedrsqbk.exe

pid process

4008 drsqbk.exe
4252 drsqbk.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

drsqbk.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" drsqbk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4008	drsqbk.exe
4252	drsqbk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	drsqbk.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com

flow	ioc
25	ip-api.com

Drops file in Program Files directory 64 IoCs

Processes:

drsqbk.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~3.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	drsqbk.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI9C33~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~4.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	drsqbk.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	drsqbk.exe

Drops file in Windows directory 1 IoCs

Processes:

drsqbk.exe

description ioc process

File opened for modification C:\Windows\svchost.com drsqbk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	drsqbk.exe

Modifies registry class 3 IoCs

Processes:

WScript.exedrsqbk.exedrsqbk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{C89FC398-DF64-4A9A-A23B-8F0942334109}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	drsqbk.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	drsqbk.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3224	powershell.exe
3224	powershell.exe
4528	powershell.exe
4528	powershell.exe
3876	powershell.exe
3876	powershell.exe
2364	powershell.exe
2364	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exeWScript.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1612	XClient.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1612	XClient.exe
Token: SeShutdownPrivilege	400	WScript.exe
Token: SeCreatePagefilePrivilege	400	WScript.exe
Token: 33	2900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2900	AUDIODG.EXE
Token: SeShutdownPrivilege	400	WScript.exe
Token: SeCreatePagefilePrivilege	400	WScript.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

XClient.exedrsqbk.exedrsqbk.exe

description	pid	process	target process
PID 1612 wrote to memory of 3224	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 3224	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 4528	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 4528	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 3876	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 3876	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 2364	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 2364	1612	XClient.exe	powershell.exe
PID 1612 wrote to memory of 4008	1612	XClient.exe	drsqbk.exe
PID 1612 wrote to memory of 4008	1612	XClient.exe	drsqbk.exe
PID 1612 wrote to memory of 4008	1612	XClient.exe	drsqbk.exe
PID 4008 wrote to memory of 4252	4008	drsqbk.exe	drsqbk.exe
PID 4008 wrote to memory of 4252	4008	drsqbk.exe	drsqbk.exe
PID 4008 wrote to memory of 4252	4008	drsqbk.exe	drsqbk.exe
PID 4252 wrote to memory of 400	4252	drsqbk.exe	WScript.exe
PID 4252 wrote to memory of 400	4252	drsqbk.exe	WScript.exe
PID 4252 wrote to memory of 400	4252	drsqbk.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Users\Admin\AppData\Local\Temp\drsqbk.exe
"C:\Users\Admin\AppData\Local\Temp\drsqbk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008

C:\Users\Admin\AppData\Local\Temp\3582-490\drsqbk.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\drsqbk.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
4⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x46c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb2ed23282f71e1515eabd47f93c32f2

SHA1
3b764cc9b4d4f0c3eed58055835462d4961a6cb4

SHA256
ff7d8e0e4060577a03fac75a901a9e09aeaa567891e18abd5eda67dc57f6ced6

SHA512
19ddbfc96cbf9f09273b6e552ce4f58cb9c745318638a7919c9f4bc074cf60b7d05d75e0384c848d53ded455eac16e382c421486f1e3775d25c93b70ffd3f152

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\drsqbk.exe
Filesize
396KB

MD5
a703c3b8a39537ce9be339bbc7339a45

SHA1
10354130b42e12c39eb6f3ce95b8368f581ef71b

SHA256
fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60

SHA512
f73d2daaf572028655e4168834af7fb5477af4748f99845db314c57ab3a08c16d64bd2c5489f5c84ac3b0dcd16ec414284b5994091c3e44929fc7e923d26cb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS
Filesize
168B

MD5
2b56784f8f16a689b305a1c768f28689

SHA1
e81ce025337ff3ebfc8bc48d43d360345a18688f

SHA256
dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077

SHA512
d0134e11bea5809b966cae3cc60828e557d6acddab890e56c0e22bed7c4facda582f77dd00a7ccb6da66200cc610ba9bd4423dcf33075f3b2b18434f219bbd68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3
Filesize
83KB

MD5
4843241a72238329e13f2497733fd70c

SHA1
c6b6fcc361bbcf17e9d05868deec5700b9e1d048

SHA256
3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348

SHA512
f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmrude05.vlr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drsqbk.exe
Filesize
436KB

MD5
f6509de53c3061e0e0e1229fe2f8c7a0

SHA1
9305d1ba855b9749c0bb3065906217ef87f62af0

SHA256
3af0e7b7c901d425a55597ab9aeb6046f1e236109e5700be08061b2542c0e994

SHA512
0488e977d9b2bedafaad80084a085155785725e94008d3d08cc676ca272bdf2db842177c5a8dbc234dfa02105b2973ff538bf0d5cbf995c77764aa7a04d50e7e

Download Submit
memory/400-97-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/400-99-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/400-98-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/400-96-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/400-95-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/400-94-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/1612-2-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/1612-0-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/1612-1-0x00007FFF4ABA3000-0x00007FFF4ABA5000-memory.dmp

Filesize
8KB

Download
memory/1612-57-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/1612-56-0x00007FFF4ABA3000-0x00007FFF4ABA5000-memory.dmp

Filesize
8KB

Download
memory/3224-3-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/3224-4-0x000001D71F9F0000-0x000001D71FA12000-memory.dmp

Filesize
136KB

Download
memory/3224-5-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/3224-17-0x00007FFF4ABA0000-0x00007FFF4B661000-memory.dmp

Filesize
10.8MB

Download
memory/4008-187-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4008-190-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download