Overview

overview

10

Static

static

10

injector.exe

windows11-21h2-x64

10

injector.exe

windows7-x64

10

injector.exe

windows10-1703-x64

10

injector.exe

windows10-2004-x64

10

injector.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04/07/2024, 23:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    injector.exe

  • Size

    49KB

  • MD5

    37fbd83271e9f0a2dbe4372ec015c23f

  • SHA1

    7deaca82f648bc67b5cc86e20696fff3a6a957a9

  • SHA256

    b6a0c0000264b84cffcf9fd20e7a6321a6ca97be8babf2092805fbb5ae577809

  • SHA512

    a3eff87bf8f4d8265706aa366060b661628a8621441762078356e029ea23f6369bf3d807e33b4ca8ff0adb84f8ab17cd46fd7a5387237c2be81ba57d83c7d300

  • SSDEEP

    768:ZWO7VMyjFxpyKlSFyx9DKx6YOjhNOKEkzbwonH8wSpO1bNX:ggVMy/sBFU9DU6YOjq1EwoH865F

Score
10/10
xwormexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

https://pastebin.com/raw/r8P3Ngmc:324

Mutex

LrtSM6IVyhGy1fuw

Attributes
  • Install_directory

    %AppData%

  • install_file

    injector.exe

  • pastebin_url

    https://pastebin.com/raw/r8P3Ngmc

aes.plain

Extracted

Family

xworm

Version

3.0

C2

plus-loves.gl.at.ply.gg:59327

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 14 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\injector.exe
    "C:\Users\Admin\AppData\Local\Temp\injector.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3348
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Users\Admin\AppData\Local\Temp\BLEBS6HLOW81BN6.exe
      "C:\Users\Admin\AppData\Local\Temp\BLEBS6HLOW81BN6.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1948
          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            "C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4556
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0lbnf0g\z0lbnf0g.cmdline"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4876
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp" "c:\Users\Admin\AppData\Roaming\CSC1B05CB8A62044DC0809826E91C4B72BA.TMP"
                7⤵
                  PID:4716
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhbcdjvs\nhbcdjvs.cmdline"
                6⤵
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:2052
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES431F.tmp" "c:\Windows\System32\CSCF0135D7CF853422BB56B174B7F46BE4.TMP"
                  7⤵
                    PID:2152
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1600
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\Registry.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2888
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\injector.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2724
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1504
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\IFFKAOR4WHCDP2B.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2624
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1952
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0EVQ0xkGIM.bat"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2664
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:2940
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:5024
                      • C:\Recovery\WindowsRE\cmd.exe
                        "C:\Recovery\WindowsRE\cmd.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:5000
            • C:\Users\Admin\AppData\Local\Temp\IFFKAOR4WHCDP2B.exe
              "C:\Users\Admin\AppData\Local\Temp\IFFKAOR4WHCDP2B.exe"
              2⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "IFFKAOR4WHCDP2B" /tr "C:\Users\Admin\AppData\Roaming\IFFKAOR4WHCDP2B.exe"
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4580
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1140
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1864
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\csrss.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\HypercomponentCommon\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2504
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "injectori" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\injector.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:360
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "injector" /sc ONLOGON /tr "'C:\Windows\SchCache\injector.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:1796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "injectori" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\injector.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3744
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3128
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IFFKAOR4WHCDP2BI" /sc MINUTE /mo 8 /tr "'C:\HypercomponentCommon\IFFKAOR4WHCDP2B.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:3488
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IFFKAOR4WHCDP2B" /sc ONLOGON /tr "'C:\HypercomponentCommon\IFFKAOR4WHCDP2B.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IFFKAOR4WHCDP2BI" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\IFFKAOR4WHCDP2B.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:5104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 7 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:4044
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2972
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 11 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Scheduled Task/Job: Scheduled Task
            PID:2424

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          2
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          1
          T1547.004

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe
            Filesize

            220B

            MD5

            47085bdd4e3087465355c9bb9bbc6005

            SHA1

            bf0c5b11c20beca45cc9d4298f2a11a16c793a61

            SHA256

            80577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752

            SHA512

            e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684

            Download Submit

          • C:\HypercomponentCommon\cemEzm0xYx1.bat
            Filesize

            105B

            MD5

            5ee2935a1949f69f67601f7375b3e8a3

            SHA1

            6a3229f18db384e57435bd3308298da56aa8c404

            SHA256

            c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06

            SHA512

            9777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a

            Download Submit

          • C:\HypercomponentCommon\hyperSurrogateagentCrt.exe
            Filesize

            1.9MB

            MD5

            7be5cea1c84ad0b2a6d2e5b6292c8d80

            SHA1

            631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce

            SHA256

            6eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7

            SHA512

            ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            781da0576417bf414dc558e5a315e2be

            SHA1

            215451c1e370be595f1c389f587efeaa93108b4c

            SHA256

            41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

            SHA512

            24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            190b28f40c0edd3cc08d0fd3aca4779a

            SHA1

            425b98532b6a18aa2baece47605f1cf6c8cfbd11

            SHA256

            8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce

            SHA512

            8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            8cb7f4b4ab204cacd1af6b29c2a2042c

            SHA1

            244540c38e33eac05826d54282a0bfa60340d6a1

            SHA256

            4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

            SHA512

            7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            a7673410b995b49b300375100bbcb516

            SHA1

            7656933c6014d481f09df4d7026dc7f3b8a8e265

            SHA256

            c76be733d0b42861798d9f325123a19d56d99866cd17f791ae396a773471aaef

            SHA512

            6b51d7d143e069fd182407a4dc2e791eebfe72f84ae7ae57163b627b0e62e8acf0c86f9102a7697d1c8a31e6ee91020c9eb3c6de5f83eb71b2717dee158d629b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            5b705b4839f481b2485f2195c589cad0

            SHA1

            a55866cd9e6fedf352d0e937101755ea61a50c86

            SHA256

            f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

            SHA512

            f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            c34a9376b4049f0b566e472605484fcc

            SHA1

            fbbd828adb83263a4427709bfdd64dab2c120c0f

            SHA256

            438895d2d6837946052df3aa73e32f7cdb597eb1c5a9e51c8ffe6b2dc69a2946

            SHA512

            d194fb6c2ccef9903b0be1bd21a8e3031fd29f64d89c78670e745dba56e78c6213876f4d88e97a5df8a28555707e7eb681042a63596b3b78cd8fa4553396b59b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            7d760ca2472bcb9fe9310090d91318ce

            SHA1

            cb316b8560b38ea16a17626e685d5a501cd31c4a

            SHA256

            5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

            SHA512

            141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            050567a067ffea4eb40fe2eefebdc1ee

            SHA1

            6e1fb2c7a7976e0724c532449e97722787a00fec

            SHA256

            3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

            SHA512

            341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cef328ddb1ee8916e7a658919323edd8

            SHA1

            a676234d426917535e174f85eabe4ef8b88256a5

            SHA256

            a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

            SHA512

            747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0EVQ0xkGIM.bat
            Filesize

            205B

            MD5

            bc14730fcd6e39b170298e5562e2cddd

            SHA1

            a80ede32b2a51d6f0a84b41119b8903069b35316

            SHA256

            fe265cf222aa1c7f5d1cfadec1fa42f1e2cc920844effd83f75505cd9f8a2c53

            SHA512

            11871312afee5406ae13e835bbcd7d07e4d5d2c020b13ff63a545980ae47355410293055b6e48e93561e5e5c96176cece4b9d49409955fd2174ca0a4b6c06d9d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\BLEBS6HLOW81BN6.exe
            Filesize

            2.2MB

            MD5

            05d87a4a162784fd5256f4118aff32af

            SHA1

            484ed03930ed6a60866b6f909b37ef0d852dbefd

            SHA256

            7e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950

            SHA512

            3d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IFFKAOR4WHCDP2B.exe
            Filesize

            185KB

            MD5

            e0c8976957ffdc4fe5555adbe8cb0d0c

            SHA1

            226a764bacfa17b92131993aa85fe63f1dbf347c

            SHA256

            b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4

            SHA512

            3a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp
            Filesize

            1KB

            MD5

            04ec7ec24ee93b4ce19f374fbd331cc5

            SHA1

            be44e58c3e15d10db92d27ddf7e94ac15cc33e0b

            SHA256

            3d44347f448a9a45fb3d1c99cf654ccea0377d1f4f3f55820d99bdd24f86b147

            SHA512

            302e65ba1d37f80838dd4b77dfbcd0052c2e0d597927c6ecfc7ed472025afb471e0c2671f08e2d24a850d3d07199c4f15625cdd2986be7ccec97a93e5efd66b8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES431F.tmp
            Filesize

            1KB

            MD5

            b927e97e3cd1dd59f40bcddfe7de91c1

            SHA1

            fa455d7e17409923c3544363d99664d48d5e71b8

            SHA256

            4e0647a3af186f10a5f07800acbf62ce17a1f431649e003b0982b3f8445f0fa5

            SHA512

            4fb18d79963ddd2002fc61d1af9d78a47fb0c2bbd5352d36d904366aded7b737a75ddf599269631be6338025f77aa60db29aa8257e4fe2b2edfa62ec123bda02

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtt23zg0.ptz.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\injector.exe
            Filesize

            49KB

            MD5

            37fbd83271e9f0a2dbe4372ec015c23f

            SHA1

            7deaca82f648bc67b5cc86e20696fff3a6a957a9

            SHA256

            b6a0c0000264b84cffcf9fd20e7a6321a6ca97be8babf2092805fbb5ae577809

            SHA512

            a3eff87bf8f4d8265706aa366060b661628a8621441762078356e029ea23f6369bf3d807e33b4ca8ff0adb84f8ab17cd46fd7a5387237c2be81ba57d83c7d300

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\nhbcdjvs\nhbcdjvs.0.cs
            Filesize

            394B

            MD5

            42c8436ec931a87807688161225b56c5

            SHA1

            663e447cca8c0bfa2f2ad83fd15922398fa86852

            SHA256

            81ee394e915589f93818c9c8fc6c5a5066b640d8e225136d71347f2d70c6aaa5

            SHA512

            5d6dbae19a0e9938c1c94fbe2ebde49e0a4eb8b8047db901e5097226ea07df53f85deb5d3b6862da6ba4d1dc00d2cd34383a612934cee19716c49dff7ec757a9

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\nhbcdjvs\nhbcdjvs.cmdline
            Filesize

            235B

            MD5

            98dafe9e74725e923a73471be67b3981

            SHA1

            78570a9386b4b7b56a10f0187fc874a839dd3dbf

            SHA256

            39f9f3bf1a5e65441558716b45357b972f6b7027f2469f3103e081dfe9343515

            SHA512

            18f3abd722588909e3d812fa48519a612c4a994b9477f9bb08613cd278f17e934523c06f42fafe772ddeb4f6c6073c8d593fafac302cd90dd166979db158f0c9

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\z0lbnf0g\z0lbnf0g.0.cs
            Filesize

            407B

            MD5

            72300a570dd179b198089483fd86c845

            SHA1

            193760d5eecd9b61865af90d533fae92f2e16c91

            SHA256

            99219c0fb0ca96bbdb07d731956ddc8446b2ba5696e1caf5c9b21c4e64c1ac5e

            SHA512

            013d739c0cdea810c943115a6f5d0d55e81a0259f8533ec5310840e84ef4381fed04a79ed56ad3827497ef98d530b8d1284659f0fb325ab6ad7c88a3838f4fed

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\z0lbnf0g\z0lbnf0g.cmdline
            Filesize

            248B

            MD5

            1d9616f06315ac6bcad97a17080b1186

            SHA1

            b6cc94fef59a6e963676bfc702a0024c4f35b19c

            SHA256

            30a5c58ce7975b6e55e3f68c460c44c832aca827a39c9155bd911f64209e77f0

            SHA512

            bf187fdcdbb2f3d884f9ccf57feced1571c695304aa892f8f574fc97d0f52ce8ba5150b6d341aa26b4bd7f23ae5439fdb232578b881210c72219745fd9e14dcb

            Download Submit

          • \??\c:\Users\Admin\AppData\Roaming\CSC1B05CB8A62044DC0809826E91C4B72BA.TMP
            Filesize

            1KB

            MD5

            9c8b99c07f4359668db1aee8d1d717b5

            SHA1

            bfc0e9adb3d0ad42796d65faccbee2d4a549e7e3

            SHA256

            88992d3c5303d5586849a448f5e14ec1ebd96652d6046b2cd62dffea4ec2ba07

            SHA512

            3f9a5d8950846f24407a96c9f35b52a3b3273d9520a088c30e0988ca3eceea903af487522ec2362904ddcc6201fc923c4d0013c04c870e048b7a00ae678cc3cd

            Download Submit

          • \??\c:\Windows\System32\CSCF0135D7CF853422BB56B174B7F46BE4.TMP
            Filesize

            1KB

            MD5

            fe512b068e0ed19d56107c23e9a47cf0

            SHA1

            d5822b37593b7b9b0e122f892a8c86eccbfff6f0

            SHA256

            61c9b7fce03165f0e5cb4f1befcc979fd76aea4d3aba2b53d6ddce0aa8a205c8

            SHA512

            eb859a57aabbc20dd53ecc7e8c29c206e7cac3185f5a43b7373f7ddf9583e5253397be540a42f807692e1d159272e4c775ba69d2815c23db0559bef1fdcb4236

            Download Submit

          • memory/1768-82-0x0000000000920000-0x0000000000954000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3348-17-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3348-10-0x000001D2327E0000-0x000001D232802000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3348-11-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3348-12-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3348-13-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3348-14-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3348-15-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4556-100-0x0000000002960000-0x000000000296C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4556-87-0x00000000005D0000-0x00000000007B6000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/4556-91-0x0000000001110000-0x000000000111E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4556-98-0x0000000002950000-0x000000000295E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4556-96-0x0000000002990000-0x00000000029A8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4556-94-0x0000000002A20000-0x0000000002A70000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4556-93-0x0000000002970000-0x000000000298C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4956-0-0x00007FFCD8E13000-0x00007FFCD8E15000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4956-54-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4956-52-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4956-53-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4956-1-0x00000000001D0000-0x00000000001E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4956-219-0x00007FFCD8E10000-0x00007FFCD98D2000-memory.dmp

            Filesize

            10.8MB

            Download