44caliber | 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87

Analysis

max time kernel
149s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
02-08-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader V2.exe
Size

8.1MB
MD5

70a8a700260d1bf5d40214b4d16f2a4d
SHA1

888afda0f542f857c3627845abb17320c79348a3
SHA256

14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512

8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP

196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs

Score

10^/10

44caliber xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

147.185.221.20:13908

147.185.221.16:60401

Attributes

Install_directory
%AppData%
install_file
svhost.exe
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630

Extracted

Family

44caliber

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\injectdll.exe	family_xworm
behavioral2/memory/4372-16-0x0000000000440000-0x0000000000482000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\loaderr.exe	family_xworm
behavioral2/memory/2892-34-0x0000000000630000-0x0000000000646000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4296 powershell.exe
4396 powershell.exe
4640 powershell.exe
5036 powershell.exe

pid	process
4296	powershell.exe
4396	powershell.exe
4640	powershell.exe
5036	powershell.exe

Drops startup file 4 IoCs

Processes:

injectdll.exeloaderr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	injectdll.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	loaderr.exe

Executes dropped EXE 8 IoCs

Processes:

Loader.exeinjectdll.exeloaderr.exefixer.exesvhost.exesvchost.exesvhost.exesvchost.exe

pid process

596 Loader.exe
4372 injectdll.exe
2892 loaderr.exe
4052 fixer.exe
4668 svhost.exe
3480 svchost.exe
2580 svhost.exe
4188 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
596	Loader.exe
4372	injectdll.exe
2892	loaderr.exe
4052	fixer.exe
4668	svhost.exe
3480	svchost.exe
2580	svhost.exe
4188	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

injectdll.exeloaderr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"	injectdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	loaderr.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
2 freegeoip.app
7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	freegeoip.app
2	freegeoip.app
7	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fixer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	fixer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	fixer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2628 schtasks.exe
752 schtasks.exe

pid	process
2628	schtasks.exe
752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

fixer.exeinjectdll.exepowershell.exepowershell.exepowershell.exepowershell.exeloaderr.exe

pid	process
4052	fixer.exe
4052	fixer.exe
4052	fixer.exe
4052	fixer.exe
4372	injectdll.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
4640	powershell.exe
4640	powershell.exe
4640	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
2892	loaderr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

injectdll.exeloaderr.exefixer.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4372	injectdll.exe
Token: SeDebugPrivilege	2892	loaderr.exe
Token: SeDebugPrivilege	4052	fixer.exe
Token: SeDebugPrivilege	4372	injectdll.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	4296	powershell.exe
Token: SeSecurityPrivilege	4296	powershell.exe
Token: SeTakeOwnershipPrivilege	4296	powershell.exe
Token: SeLoadDriverPrivilege	4296	powershell.exe
Token: SeSystemProfilePrivilege	4296	powershell.exe
Token: SeSystemtimePrivilege	4296	powershell.exe
Token: SeProfSingleProcessPrivilege	4296	powershell.exe
Token: SeIncBasePriorityPrivilege	4296	powershell.exe
Token: SeCreatePagefilePrivilege	4296	powershell.exe
Token: SeBackupPrivilege	4296	powershell.exe
Token: SeRestorePrivilege	4296	powershell.exe
Token: SeShutdownPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeSystemEnvironmentPrivilege	4296	powershell.exe
Token: SeRemoteShutdownPrivilege	4296	powershell.exe
Token: SeUndockPrivilege	4296	powershell.exe
Token: SeManageVolumePrivilege	4296	powershell.exe
Token: 33	4296	powershell.exe
Token: 34	4296	powershell.exe
Token: 35	4296	powershell.exe
Token: 36	4296	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeIncreaseQuotaPrivilege	4396	powershell.exe
Token: SeSecurityPrivilege	4396	powershell.exe
Token: SeTakeOwnershipPrivilege	4396	powershell.exe
Token: SeLoadDriverPrivilege	4396	powershell.exe
Token: SeSystemProfilePrivilege	4396	powershell.exe
Token: SeSystemtimePrivilege	4396	powershell.exe
Token: SeProfSingleProcessPrivilege	4396	powershell.exe
Token: SeIncBasePriorityPrivilege	4396	powershell.exe
Token: SeCreatePagefilePrivilege	4396	powershell.exe
Token: SeBackupPrivilege	4396	powershell.exe
Token: SeRestorePrivilege	4396	powershell.exe
Token: SeShutdownPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeSystemEnvironmentPrivilege	4396	powershell.exe
Token: SeRemoteShutdownPrivilege	4396	powershell.exe
Token: SeUndockPrivilege	4396	powershell.exe
Token: SeManageVolumePrivilege	4396	powershell.exe
Token: 33	4396	powershell.exe
Token: 34	4396	powershell.exe
Token: 35	4396	powershell.exe
Token: 36	4396	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeIncreaseQuotaPrivilege	4640	powershell.exe
Token: SeSecurityPrivilege	4640	powershell.exe
Token: SeTakeOwnershipPrivilege	4640	powershell.exe
Token: SeLoadDriverPrivilege	4640	powershell.exe
Token: SeSystemProfilePrivilege	4640	powershell.exe
Token: SeSystemtimePrivilege	4640	powershell.exe
Token: SeProfSingleProcessPrivilege	4640	powershell.exe
Token: SeIncBasePriorityPrivilege	4640	powershell.exe
Token: SeCreatePagefilePrivilege	4640	powershell.exe
Token: SeBackupPrivilege	4640	powershell.exe
Token: SeRestorePrivilege	4640	powershell.exe
Token: SeShutdownPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeSystemEnvironmentPrivilege	4640	powershell.exe
Token: SeRemoteShutdownPrivilege	4640	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

injectdll.exeloaderr.exe

pid process

4372 injectdll.exe
2892 loaderr.exe

pid	process
4372	injectdll.exe
2892	loaderr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Loader V2.exeLoader.exeinjectdll.exeloaderr.exe

description	pid	process	target process
PID 4604 wrote to memory of 596	4604	Loader V2.exe	Loader.exe
PID 4604 wrote to memory of 596	4604	Loader V2.exe	Loader.exe
PID 4604 wrote to memory of 4372	4604	Loader V2.exe	injectdll.exe
PID 4604 wrote to memory of 4372	4604	Loader V2.exe	injectdll.exe
PID 596 wrote to memory of 2892	596	Loader.exe	loaderr.exe
PID 596 wrote to memory of 2892	596	Loader.exe	loaderr.exe
PID 596 wrote to memory of 4052	596	Loader.exe	fixer.exe
PID 596 wrote to memory of 4052	596	Loader.exe	fixer.exe
PID 4372 wrote to memory of 2628	4372	injectdll.exe	schtasks.exe
PID 4372 wrote to memory of 2628	4372	injectdll.exe	schtasks.exe
PID 2892 wrote to memory of 4296	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 4296	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 4396	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 4396	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 4640	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 4640	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 5036	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 5036	2892	loaderr.exe	powershell.exe
PID 2892 wrote to memory of 752	2892	loaderr.exe	schtasks.exe
PID 2892 wrote to memory of 752	2892	loaderr.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Roaming\Loader.exe
  "C:\Users\Admin\AppData\Roaming\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\loaderr.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5036
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:752
- - C:\Users\Admin\AppData\Local\Temp\fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- C:\Users\Admin\AppData\Roaming\injectdll.exe
  "C:\Users\Admin\AppData\Roaming\injectdll.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2628

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
PID:3480

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
937B

MD5
40dc80b9b30d2b39502ce4a889c6db37

SHA1
4c8e3aee030a8af8d622bd8f44deb07ec5793f21

SHA256
2dfa544014f8914104ee3949cc9fd97f0322ae2242b8225b5ae449f66819dd39

SHA512
c65c8168f2ce4aa32157a9f9f38686d70affbd84eb261cb83e115294e3018f126fb6718ee46dff5ef54157b54b27db557bf277fe70a4f467fe05e6b6ed66bca9

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
4d655e210df9766913d07c5fc88a88fd

SHA1
b871e286acb97284cce8e3f6663cd10a1e62f74e

SHA256
c92807d6674d3dcbc99139c22132c6eba338c1acaaa5a71f56a5e0751bc1c676

SHA512
207cc1d302c525ae7523572408cdd681858d3fd80fea514d0d01827afdff47598d76b62868f20af009ad71b1af89aecc652b2ad1d751968147425067e14d0621

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
653B

MD5
3126dd3c8290a63343855d7d676f4a20

SHA1
4b06e716d056361a0a428f58014ad1aaca099efe

SHA256
7d01873b5e6be4cfcf6a89ca4d982a62c2e814b61451e5d34172579ebd7be373

SHA512
77d57523536a02ce713d15d053932d2830ed5bb6ae4dc4353f7e9d06819b3d5b3af1a959f6aff6a18b8cbc43e1ad510074a0a6b9ce4f9fe79d9f71aaf1800451

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
638B

MD5
85054e575b47da419a40b697c7cdc278

SHA1
39bd1f02d6c22993219311acb6fed5fd86d248f7

SHA256
00ccd02f0f2e3d2fff25d34cd7a8656442a6b45819ba0f11f345424d3af69118

SHA512
39a01c007fb49d1e03eff43364a512e1c38c10740a928d5bb32b9d0299f4fba1c1d2a7cda728f1a88a4b6d3729ff18e711cd805f4e4ff5315b414165a879b0ec

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
682B

MD5
c716a88607dc44ce368bcc1bb680c2a0

SHA1
21eff6c7a1206a3ab567a4bae3e49a9e3d3a1d32

SHA256
4c8c724e2da7ded3a44d87077bc45ae17ff85101d4cbe57d297dc5ddd6173e6d

SHA512
45c14b649606bee2a689910122c694bbef3340f4191231e5476974425b4d2ccc14b1807ded471d7bee3c5bc48c5ca34ef291b7defffa18a24df1373aa06c15f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
827008fc3b49149ccc4810aa8b0da9e6

SHA1
31d80edc5d4326ab7269cd7c0f74bd1214610bbd

SHA256
812c177767c772c1f5299d9016f2fba49872e5591d3ebac26e21726bfb36a70e

SHA512
1bba7c065dd2873d33556c5439ae9e6cd73a151018c862f8bc90b1abe86a0762ed237def4b8bd406e2d58005dfaf5d45a067a3144cb373ce705bb78b34fa0045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b53d6f846be8379d9073e90b131262cc

SHA1
2b501d0c5fbc216e68488fffefe6a344c46d71fc

SHA256
99740d3e9cfe5284d4f0c7a86620f4d53fc1c97e328fbf33edfb4731a37bca97

SHA512
7d0d6c8ec70d0e7d78df6dcc47e350880a7ab55322defb2b45d9d13171f0c7ef162555697673043b694f1660086597a23e93265fb46a09452cae7a5a71dc27ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24ecaf8649da264e4272ac1bbe689417

SHA1
e86511905d7ee22b766f583d85ec7334ce1428fd

SHA256
a3b5322adf9b3c8dca365400b2e29e8f011d9a105e6616dacd69392e2f841d44

SHA512
cb3244599b6163cf6adad161c9190911201dd7d62663ae9284f5b5618fbff2615627da4d5e5f0b0f66cc61ee1bd639a5ff1d28be72aedb16a0382148b304e407

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w55xyjke.ay4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fixer.exe

Filesize
274KB

MD5
88505913c2c75f796c9a021aab2d356d

SHA1
5b5c06998d3e200c21c77ea4efaeaecdc7344e78

SHA256
62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

SHA512
6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderr.exe

Filesize
65KB

MD5
95f8f28f5a8503461db6804cda9c4934

SHA1
81c0a30e498093d41948777135bbd407c7611cda

SHA256
aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

SHA512
5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

Download Submit
C:\Users\Admin\AppData\Roaming\Loader.exe

Filesize
7.6MB

MD5
aa16f3774491b600121545a5f194cefc

SHA1
c872fe765ecff1dada8378ad8a12cd5cf0425219

SHA256
c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

SHA512
8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

Download Submit
C:\Users\Admin\AppData\Roaming\injectdll.exe

Filesize
244KB

MD5
74ffb0d60d647dd6ad8d00c1bee48011

SHA1
4c8a707a33b35b78f374c66d59f9c2314c20b25f

SHA256
b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1

SHA512
fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c

Download Submit
memory/596-64-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/596-17-0x0000000000C10000-0x00000000013A4000-memory.dmp

Filesize
7.6MB

Download
memory/596-13-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/2892-34-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/4052-33-0x000001E31CE40000-0x000001E31CE8A000-memory.dmp

Filesize
296KB

Download
memory/4296-150-0x00000253304E0000-0x0000025330502000-memory.dmp

Filesize
136KB

Download
memory/4296-153-0x0000025330690000-0x0000025330706000-memory.dmp

Filesize
472KB

Download
memory/4372-141-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/4372-138-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/4372-16-0x0000000000440000-0x0000000000482000-memory.dmp

Filesize
264KB

Download
memory/4372-14-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/4604-0-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/4604-15-0x00007FFCC5640000-0x00007FFCC581B000-memory.dmp

Filesize
1.9MB

Download
memory/4604-1-0x0000000000940000-0x0000000001158000-memory.dmp

Filesize
8.1MB

Download