stormkitty | 8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe
Size

156KB
MD5

aa50dea32c4398f49128d5b903a38aef
SHA1

cca7429109dd0e0d2d7f046a6af4ff40773d6722
SHA256

8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523
SHA512

6ae2342df6fd7f0b70562b40d608f5f0c8b2230715934adff39ddae01ff7c0cfa9e78bf4261df473a73ad71cdea963d08ce36b919a5ca0f3a264af32eb5795c9
SSDEEP

3072:NUWIAXFeSQ0oMfYMp2fCoeq63ychNeGQVm3Q4x4+VQ6s:NdIuppY6sdeZywNeGC4xI

Score

10^/10

stormkitty xworm collection credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

3.0

sites-sing.gl.at.ply.gg:6789

Mutex

hsYEUqkLaSySRVeL

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00050000000226f8-6.dat	family_xworm
behavioral2/memory/3912-23-0x0000000000290000-0x00000000002A0000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0003000000022cc6-24.dat	family_stormkitty
behavioral2/memory/3304-30-0x0000000000610000-0x0000000000666000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4668	powershell.exe
4512	powershell.exe
920	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
3912	svchost.exe
3304	zzzz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\ProgramData\OARDHGDN\FileGrabber\Downloads\desktop.ini	zzzz.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Pictures\desktop.ini	zzzz.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Desktop\desktop.ini	zzzz.exe
File created	C:\ProgramData\OARDHGDN\FileGrabber\Documents\desktop.ini	zzzz.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
22	freegeoip.app
47	api.ipify.org
48	api.ipify.org
11	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	zzzz.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	zzzz.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
4668	powershell.exe
4668	powershell.exe
4512	powershell.exe
4512	powershell.exe
920	powershell.exe
920	powershell.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe
3304	zzzz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	svchost.exe
Token: SeDebugPrivilege	3304	zzzz.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	3912	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3912	1708	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe	88
PID 1708 wrote to memory of 3912	1708	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe	88
PID 1708 wrote to memory of 3304	1708	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe	89
PID 1708 wrote to memory of 3304	1708	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe	89
PID 1708 wrote to memory of 3304	1708	8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe	89
PID 3912 wrote to memory of 4668	3912	svchost.exe	91
PID 3912 wrote to memory of 4668	3912	svchost.exe	91
PID 3912 wrote to memory of 4512	3912	svchost.exe	93
PID 3912 wrote to memory of 4512	3912	svchost.exe	93
PID 3912 wrote to memory of 920	3912	svchost.exe	95
PID 3912 wrote to memory of 920	3912	svchost.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzzz.exe

C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe
"C:\Users\Admin\AppData\Local\Temp\8fe04c6d9be067ca408438d4fcf316b7ff72897700e86f683ba65a1bea677523.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- C:\Users\Admin\AppData\Local\Temp\zzzz.exe
  "C:\Users\Admin\AppData\Local\Temp\zzzz.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OARDHGDN\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\CheckpointEnter.rtf

Filesize
330KB

MD5
ad0a983f6478af5396fcbe0a98039ffa

SHA1
1296a5d84d835dbbf3dbe2be02b77305b01b2f5f

SHA256
3928de7e8a41a69509c03702bc9737d93c9f23694cc7880518ccdfed3d814820

SHA512
e6d5c89527f14ed40b73c3a2d7229c7f61fb7fdf8e7187cc9eb8dd8cf29cb3e566ccb591837fc81ea59b0011b636e6ec9b9f2a3c3a4ee57491bf94d4f9c3f837

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\FormatRestore.css

Filesize
192KB

MD5
86b57ec464c2c20a202a1f3872b098c5

SHA1
8b1a0330c0f6fc5c00d4886b0a3a880feeb92eb6

SHA256
56720e9beac72c6d33efe0e1841b346fb7f8c05bb0dbcca298cecfa605f8c736

SHA512
1937f9163f9212b55c3ad24678bfcf6cd7a95e27ae408ea5499b2b871359d739bc1ec731f9b310f75a4d2af2b649b61cb5b46433454f29bd21aad9f4955d2080

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\NewPing.xlsx

Filesize
298KB

MD5
e037dd87bec8a0fdf3636b3e4fb72c40

SHA1
72019ee9c2ebaf0f7a7688782f6a2b3b7b915690

SHA256
a5dc12d32df8ce4e06832ab570d741120b8e73276456755c853c5a720a226d82

SHA512
5da877836dc2cc06088d1d9bc5361288a204b516ffa4c9016c5ca37feb7383c1d35dfba2946ef63c77f9fe72f647090a0ecd9d085efb8280f3defd081038cda0

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\RemoveOpen.docx

Filesize
245KB

MD5
e1109a46dd58685a9eb905806c617926

SHA1
5ff1fe5382974997ea72c8bfb1f5f20b21962ade

SHA256
6289568fe75b551141a9041039fa1848876df142434b15a961407e9a91ff6e77

SHA512
473136abe10abb9f2df54c1e336d98608a39eaac3b28d8bd1dc8789417eb9745952f76216456d2fcad4521bf370d85b8c08f82dd263c20101028e68bfaa57a4c

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Desktop\SendSync.pptx

Filesize
352KB

MD5
c68cd01ed3f0899ab903d147f49e62ac

SHA1
6e0a72ab95a8c7ab76b59c003ee0d41b63d849f4

SHA256
a4b335cd48f864e189d51b083164a55bc779f44fad43971e1d471921b4d37178

SHA512
54ba9b7a62841cb5fb7468cab18175412b7dd2b3a8855a98ac8c524d32841452be3e8c2b91734b9dc12444c55cfe896914cecbc8e05b9ab60786988b4a112664

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Documents\CompressConfirm.docx

Filesize
619KB

MD5
8650063ea430fe657dafb50e55b54b97

SHA1
ce946a29c1cb7fc069a1c027f7490b8b2037414b

SHA256
1527f1ea7b4068c921cbdf3a7d77439983826c8b7b56c87df12d54b171f2e60c

SHA512
7c0dae2b7e2b10278d271c30ea595f0eb04a21cdc1142e652ab72f05336801252ab67054114c78e52dd79c1cd333bd8584bf03c8f1529a70f8d10dbe2563bbfb

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Documents\DisconnectTrace.pdf

Filesize
442KB

MD5
f7d8a3b0e8c4c7148a6649dd432743a3

SHA1
9aa24fea52beaca7649c6f616b1887fc656434e5

SHA256
28f062f4a10580e6926cdeba5d6b84a3b959eac10926c5931cb49526b269a694

SHA512
edf89420f38aea46449399c82c0628ec127803299d7e8f1e05cefc6a578967dde9f59242798909581ef0d0c1d1a68786edf2343c54eb72a0b9c66070d252dcbd

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Documents\GetAdd.txt

Filesize
644KB

MD5
5d1198db55d6933af56d4b9ed80d5f6d

SHA1
7124b0974bb4f3d57e212f5eb3b62b3142a5e722

SHA256
ec368770d0b659962a01ea42e1fd5c7d71f9fd78d0c0fef5c0d446a328b2b98d

SHA512
c93dae8d081d73263dacaeeef509495ec39f699a82e3b9165e8d156d595c0b7b91aeacbde13760f4fbc0e66ba1ff16695faae3b7a6f8d3b86725e6593e60e69d

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\DenyRestore.jpeg

Filesize
238KB

MD5
b47b6dc326379b776be7056bc68121d0

SHA1
efd9e0bd87abc8e7bb9fed05b2a016ccc452601a

SHA256
7659b8eb3f1642870c935380a70dac6c909a3bec0f1d8e1571a73af7c995dcef

SHA512
249ce047d5793db1b81cbbcd94a1e2129988b6e10c1f5b0cd3c5199a7364d0af4ab5cbe230f835be01dba09d7e47b7c61615d994568e4f8ed6fec65aa14aadb7

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\MeasureExport.css

Filesize
939KB

MD5
1cacf7f00bd9ff35696aabbf67380dba

SHA1
d85b9ba3cee5f769bf2a5f8595a90b4fe3f80bd9

SHA256
bff278707dff6c1b42447d487ec5aec6385fced450439d47f91a716f6d579e0a

SHA512
939ec60ef85e7d1e33c7d1c2f74afd885ae40c9dfb8f6ff0aa929c37213063fa0720d5f45a73297241da0d23e9d7703e751e84a58ef6383d2a466ccd18f103bb

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Downloads\TraceSave.ppt

Filesize
653KB

MD5
bee6ccf93f1b9a4da4f55405ee4a4b7e

SHA1
5f84cb045592149d4bb8cd9527ea107887938879

SHA256
7338e05c3abd6311e47d201be3b4b2f8afed2b8ebf0bdb53d385931cd26dda50

SHA512
a4e571a319f4055981b36b741cb5fc32882a947974c09407189df0d9bd1a13d1fcb66db460dd59c30ec743fb1124f895b1170047240aa7fdd0311cf125fe9bf0

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\ExpandEdit.jpg

Filesize
470KB

MD5
2485be2813a57f9be6d91e87b18c17a8

SHA1
b0209421203e0431c573eff51fbd7966400f17dc

SHA256
0e17a3be7f9976391892008ff71f78b0793f0c22cd64ba6d736887b1f7d58912

SHA512
c1fede9318b1fbd72acc043ca65a57d7b43a3ed3263575af806eb98e7a8eed406c6af3132f00bd164d4acf630344c8cc088346c2a1844f3fc30dcd68fd6d043b

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\InstallSet.bmp

Filesize
679KB

MD5
a21f4feeddbb9488420fa202f7d70828

SHA1
d0b41cc3b912503757fbe87348f65a77c36871f1

SHA256
e5b0044fe4f65b9421c94ce05af41e88f49c03d410299f27ddf8815bb55a7ead

SHA512
d6801028aae52e358214067a889e824c7bbb0eb59efb863c1bdf99f204cef8918cdcfa991a31d64a2888b83bbd1d396ca521f1a35f5f45523edbaebf68a2c213

Download Submit
C:\ProgramData\OARDHGDN\FileGrabber\Pictures\MergeConvert.svg

Filesize
1.4MB

MD5
b77d53630ac8ed6d777e9d1671aa4e2a

SHA1
1d7dfc4f532317bdaa9114f1de8e958a48130a97

SHA256
85b1830880c7bc6d2371e35951d5a88244b177ef1eeba5b252ba74f1ef589279

SHA512
bfb757df6ab586f167ef32bccaf2a4ef53d194a27443e9dcb434c180b4c14be9b006da6cd417cead3e5e8b36b726df4998c6c622ffc8d5ef2fee2124c49e5d82

Download Submit
C:\ProgramData\OARDHGDN\Process.txt

Filesize
4KB

MD5
5bd73d85694c0fdd9f6738eab192cb89

SHA1
182fde5cd98659e8f7f23dc131e38e84f13135e9

SHA256
52d986dd1f099c75355bf88d2e256729bf6e7e5b588b0976fe3e08e083e28f59

SHA512
a19021fbea1a6dc88bc766fe900e227bc7f0059f423e3e12c45f0f6eacdec6e04a11901d2d213bd0b16413d88f7b7a5f083f0515a1f85e19e9fa2fd82f33b965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3brrn0s.zqm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
35KB

MD5
90feaeac1ed833652f5267124acd8293

SHA1
ba3fa9aa1c28e54d712bf8766234410d56494859

SHA256
a9ad869209d1344ab64479f2f1557291b97358451a4aa6d32da2f570de02851b

SHA512
0b29579c520bd59fddb14e50c2f4c7ab407ee6177cc2682461c1308f78bacfc151b5d3fc16c2b5b566fca40fdba683cf403b7efaa23fe3b9b5efec1ad0568042

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzzz.exe

Filesize
320KB

MD5
de4824c195cf1b2bb498511ef461e49b

SHA1
f15ca6d0e02c785cce091dbd716cd43e3f5a80bd

SHA256
51813dfedbe02f03d08b4728187eadb4948d8be40c9d8fe6e4e1cb61fa7ae209

SHA512
b211a636f2799d90ce38348dbbc7dbc69ac5374129c7896a137f03a57fe78139a030c1edb90cfc4203799d77a8720df431da75986aa1d8b16274030ad1db770a

Download Submit
memory/1708-0-0x00007FFD766D3000-0x00007FFD766D5000-memory.dmp

Filesize
8KB

Download
memory/1708-27-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/1708-22-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/1708-1-0x0000000000B30000-0x0000000000B5E000-memory.dmp

Filesize
184KB

Download
memory/3304-30-0x0000000000610000-0x0000000000666000-memory.dmp

Filesize
344KB

Download
memory/3304-138-0x0000000006710000-0x0000000006776000-memory.dmp

Filesize
408KB

Download
memory/3304-133-0x00000000069D0000-0x0000000006F74000-memory.dmp

Filesize
5.6MB

Download
memory/3304-132-0x0000000006380000-0x0000000006412000-memory.dmp

Filesize
584KB

Download
memory/3304-119-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/3304-29-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/3912-118-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/3912-28-0x00007FFD766D0000-0x00007FFD77191000-memory.dmp

Filesize
10.8MB

Download
memory/3912-23-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/4668-74-0x000002740F790000-0x000002740F7B2000-memory.dmp

Filesize
136KB

Download