Analysis

  • max time kernel
    1799s
  • max time network
    1794s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-uk
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-uk, locale:uk-ua, os:windows10-2004-x64, system, windows
  • submitted
    21-08-2024 14:19

General

  • Target

    EZTEAM.exe

  • Size

    4.6MB

  • MD5

    631c9f13ed307ab87ea9c913705fdbc5

  • SHA1

    33bd6f5e1087f3e2f345387cd576405750a3cbf2

  • SHA256

    b0024dd1d6af38b098b2ae0fc79ca693f55e145b01f8e31c29be40089070b0df

  • SHA512

    0104a56bfa48603ac2dc2c4bd71ade7b79f3d2fec24ceb0dfaff2edd52c340d3e1eefe47bb64ab4d6b1b89b9b559125120a794e2e4382ff0a3391c04426114e6

  • SSDEEP

    98304:I4oWcj2LFBbvcp4CFa6DJjJhF1dPH9BQ/CEckk6:ICzTNC31J1K/1/

Malware Config

Extracted

Family

xworm

C2

executive-platforms.gl.at.ply.gg:53515

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

  • Detect Umbral payload 4 IoCs
  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Umbral

    Umbral is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser's credential store.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 34 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe
    "C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Users\Admin\XClient.exe
      "C:\Users\Admin\XClient.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • UAC bypass
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4480
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3292
      • C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe
        "C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4764
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe"
          4⤵
          • Views/modifies file attributes
          PID:2552
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4824
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3888
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:876
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:1544
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:1304
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:4636
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3624
      • C:\Users\Admin\AppData\Local\Temp\jwyokf.exe
        "C:\Users\Admin\AppData\Local\Temp\jwyokf.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\jwyokf.exe"
          4⤵
          • Views/modifies file attributes
          PID:3260
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\jwyokf.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2620
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3444
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1552
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          PID:2096
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          PID:3812
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:1560
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:5064
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:1348
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\jwyokf.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:420
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        3⤵
        PID:4920
      • C:\Users\Admin\AppData\Local\Temp\axjojb.exe
        "C:\Users\Admin\AppData\Local\Temp\axjojb.exe"
        3⤵
        • Executes dropped EXE
        PID:884
    • C:\Users\Admin\EZTEAM.exe
      "C:\Users\Admin\EZTEAM.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:1588
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:3060
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1304
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2996
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4832
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1480
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2588
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1440
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4460
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4396
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1144
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4024
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4472
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2320
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3888
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:396
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:444
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4628
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4900
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2792
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:380
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x470 0x300
    1⤵
    PID:4460
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1408
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4796
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4588
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2732
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1428
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1564
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:1496
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2036
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:4588
  • C:\Users\Admin\svchost.exe
    C:\Users\Admin\svchost.exe
    1⤵
    • Executes dropped EXE
    PID:2440
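The process tree above is the part of this report a detection engineer would turn into rules: Defender exclusions and Set-MpPreference tampering launched from PowerShell, a schtasks job firing every minute from the user profile, attrib +h +s on the droppers, the cmd /c ping localhost && del self-deletion, the .ROBLOSECURITY registry read, and svchost.exe running from C:\Users. The Python below is an added example, not part of the sandbox output or of the malware: it runs those checks over process-creation records constructed from the command lines in this report and then correlates hits per parent process. The record layout (pid, image, cmdline, parent), the rule names and the severities are assumptions made for this page, not a Sysmon, 4688 or EDR schema.

```python
"""Added example: rule checks over process-creation records modelled on the
process tree in this report. The record layout (pid, image, cmdline, parent),
rule names and severities are assumptions made for this page, not a Sysmon,
4688 or EDR schema."""
import re
from dataclasses import dataclass
from typing import NamedTuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str    # full path of the new process
    cmdline: str  # command line as logged
    parent: str   # full path of the parent image ("" for a top-level process)


class Finding(NamedTuple):
    pid: int
    rule: str
    severity: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_powershell(e: ProcEvent) -> bool:
    return _base(e.image) in ("powershell.exe", "pwsh.exe")


def _match(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule, severity, predicate). Patterns follow the command lines seen in the report.
RULES = [
    ("defender_exclusion_added", "high", lambda e: _is_powershell(e)
     and _match(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", e.cmdline)),
    ("defender_protection_disabled", "critical", lambda e: _is_powershell(e)
     and _match(r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|ScriptScanning)\s+\$true", e.cmdline)),
    ("schtasks_minute_loop_from_user_profile", "high", lambda e: _base(e.image) == "schtasks.exe"
     and _match(r'/create\b.*/sc\s+minute\s+/mo\s+1\b.*/tr\s+"?[a-z]:\\users\\', e.cmdline)),
    ("file_hidden_via_attrib", "medium", lambda e: _base(e.image) == "attrib.exe"
     and _match(r"\+h\b.*\+s\b|\+s\b.*\+h\b", e.cmdline)),
    ("self_delete_ping_then_del", "high", lambda e: _base(e.image) == "cmd.exe"
     and _match(r"ping\s+\S+.*&&\s*del\s+.*\.exe", e.cmdline)),
    ("roblox_cookie_read", "high", lambda e: _is_powershell(e)
     and _match(r"Get-ItemPropertyValue\b.*\.ROBLOSECURITY", e.cmdline)),
    ("hardware_uuid_fingerprint", "low", lambda e: _base(e.image) == "wmic.exe"
     and _match(r"csproduct\s+get\s+uuid", e.cmdline)),
    ("svchost_outside_system_dir", "critical", lambda e: _base(e.image) == "svchost.exe"
     and not e.image.lower().startswith(SYSTEM_DIRS)),
]


def scan(events):
    """Run every rule over every event; one Finding per (event, rule) hit."""
    return [Finding(e.pid, rule, sev) for e in events for rule, sev, pred in RULES if pred(e)]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


TAMPER = {"defender_exclusion_added", "defender_protection_disabled"}
FOLLOW_ON = {"schtasks_minute_loop_from_user_profile", "self_delete_ping_then_del", "roblox_cookie_read"}


def correlate(events, findings):
    """Parents that both tampered with Defender and went on to persist, steal or
    self-delete (the XClient.exe / bcdwrj.exe pattern in the tree above)."""
    parent_of = {e.pid: _base(e.parent) for e in events}
    rules_by_parent = {}
    for f in findings:
        rules_by_parent.setdefault(parent_of[f.pid], set()).add(f.rule)
    return sorted(p for p, r in rules_by_parent.items() if r & TAMPER and r & FOLLOW_ON)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYS32 = "C:\\Windows\\System32\\"
XCLIENT = "C:\\Users\\Admin\\XClient.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bcdwrj.exe"

# Constructed records: command lines and PIDs taken from the report, plus two
# benign controls (the real svchost.exe and AUDIODG.EXE) that must not fire.
SAMPLE = [
    ProcEvent(1180, PS, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'", XCLIENT),
    ProcEvent(3500, PS, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'", XCLIENT),
    ProcEvent(3292, SYS32 + "schtasks.exe", r'schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"', XCLIENT),
    ProcEvent(4764, SYS32 + "Wbem\\wmic.exe", "wmic.exe csproduct get uuid", DROPPER),
    ProcEvent(2552, SYS32 + "attrib.exe", r'attrib.exe +h +s "C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe"', DROPPER),
    ProcEvent(4824, PS, "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true "
              "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -MAPSReporting Disabled", DROPPER),
    ProcEvent(3992, PS, r"powershell.exe Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY", DROPPER),
    ProcEvent(4000, SYS32 + "cmd.exe", r'cmd.exe /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe" && pause', DROPPER),
    ProcEvent(3060, "C:\\Users\\Admin\\svchost.exe", "C:\\Users\\Admin\\svchost.exe", ""),
    ProcEvent(900, SYS32 + "svchost.exe", "svchost.exe -k netsvcs", SYS32 + "services.exe"),
    ProcEvent(4461, SYS32 + "AUDIODG.EXE", "AUDIODG.EXE 0x470 0x300", SYS32 + "svchost.exe"),
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for h in hits:
        print(f"PID {h.pid:<5} {h.severity:<8} {h.rule}")
    print("tamper-then-act parents:", correlate(SAMPLE, hits))
```

Two caveats when moving this to real telemetry. The PowerShell rules need the command line in the process-creation event (Sysmon Event ID 1, or 4688 with command-line auditing enabled); without it only the schtasks, attrib and masquerading rules have anything to match. And PIDs are reused: this report alone shows 1304, 3888 and 4460 assigned twice, so the per-parent correlation must key on the sensor's process GUID or on PID plus creation time rather than the bare PID used here.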

Network

MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

                  Filesize

                  654B

                  MD5

                  2ff39f6c7249774be85fd60a8f9a245e

                  SHA1

                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                  SHA256

                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                  SHA512

                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  ba169f4dcbbf147fe78ef0061a95e83b

                  SHA1

                  92a571a6eef49fff666e0f62a3545bcd1cdcda67

                  SHA256

                  5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                  SHA512

                  8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  34f595487e6bfd1d11c7de88ee50356a

                  SHA1

                  4caad088c15766cc0fa1f42009260e9a02f953bb

                  SHA256

                  0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                  SHA512

                  10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  02b66c00c8e2257e9e46dde860a73cc4

                  SHA1

                  a217ab7f43d128f82575714dfeb67c8a9a0dc854

                  SHA256

                  ac3391537377df9ff9eb3cefdb7619227714cc11126801b9a22077ca76f07028

                  SHA512

                  7d7699c0f6385724214f1a73efae5340fad12db9b0387ac92d7d5754aa1ce3dff5e50ecb2757476980111a6e8814804f4294ec9a2f022e252053818055b752a4

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  948B

                  MD5

                  5824a6037c081fda5d46de274b6e2799

                  SHA1

                  526367a09300cbde430e8fb44e41cbe7a0937aac

                  SHA256

                  4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

                  SHA512

                  a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  88be3bc8a7f90e3953298c0fdbec4d72

                  SHA1

                  f4969784ad421cc80ef45608727aacd0f6bf2e4b

                  SHA256

                  533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

                  SHA512

                  4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  56b542f1ce46030f16d317e31e4c7a50

                  SHA1

                  007a94b17a78b8584fe6cfecdeaf476bdefcf7f9

                  SHA256

                  a4ca0c6358d00f4419c9785dbdab7ff1837131ebde04f1b6e8a0cc0678993551

                  SHA512

                  fdc4c46f90645a09360e2923c377ba068a408b7c381b99e28079a6249f0f1599db077a9edec15da57e989dfca9f8f7a12aa685edd53af446acdd53958aa08b08

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  64B

                  MD5

                  f8a8f51781c8594d6c320478042fe611

                  SHA1

                  7126e45bfde17c39b576f3278ab939aee8616c94

                  SHA256

                  461f1fd93db44513e73fab0d44fdac1b44c8e7d2abc0dfe737cd767246cb1949

                  SHA512

                  5f596eb90514113579e0f5999d87d9b1538b45b7704af89923507c610a0a8bcf2ce914ac05ff78ebd91ef5f727e428fbea6afad6fbd0bfa515c57b475a41d804

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  719fd150e78f630817910e72ad00fc16

                  SHA1

                  093ef625bd5e314e334cffda49458cde7b8a85aa

                  SHA256

                  17850f8bbb06ed6af4ba88f2c085dd1f3afa20f36f63dc20ad548c1ce61a9455

                  SHA512

                  cd8b52ddf31313f77f905b2203e55ec32e65cf2f47c828d3262b9fe2ec3cc2704d112ba3574be8967b704cb0c1fbc986665b40ab85b1ad129e5bc98354c8e175

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  948B

                  MD5

                  28ef595a6cc9f47b8eccb22d4ed50d6c

                  SHA1

                  4335de707324b15eba79017938c3da2752d3eea5

                  SHA256

                  3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

                  SHA512

                  687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  227556da5e65f6819f477756808c17e4

                  SHA1

                  6ffce766e881ca2a60180bb25f4981b183f78279

                  SHA256

                  101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

                  SHA512

                  d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  1KB

                  MD5

                  45ad40f012b09e141955482368549640

                  SHA1

                  3f9cd15875c1e397c3b2b5592805577ae88a96cb

                  SHA256

                  ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

                  SHA512

                  3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  64B

                  MD5

                  c6aae9fb57ebd2ae201e8d174d820246

                  SHA1

                  58140d968de47bcf9c78938988a99369bbdb1f51

                  SHA256

                  bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

                  SHA512

                  5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  2979eabc783eaca50de7be23dd4eafcf

                  SHA1

                  d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                  SHA256

                  006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                  SHA512

                  92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize: 944B
                  MD5: d04b8baf566b3abcaac87a823f36908c
                  SHA1: 37f788af005ca18eb00a3a02ba5629bf2decaeb2
                  SHA256: 0c24e36d7554eaeb56a432652582935feed883ff1e8603e623bac20ed23a8e94
                  SHA512: a6021d5d96017d23f7dfbe491f42163b3136402e8cde1e210035a173b5a41d5cc4cfbfe146b32ee4406b8276258d348ef416c48b5a9627e59c74f830a5344f1f

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vm3grfm.jxz.ps1
                  Filesize: 60B
                  MD5: d17fe0a3f47be24a6453e9ef58c94641
                  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
                  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
                  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\AppData\Local\Temp\axjojb.exe
                  Filesize: 2.4MB
                  MD5: 7fd1b8fbfd95d2781656d41294547529
                  SHA1: efa594f75e2d653499df2d9266f28a6de2ed85be
                  SHA256: 8f33534fd04867c7607d980d50e9f8abfed2d70f3fdff3e5514e7cf4539a9a91
                  SHA512: 3acab9b8e6b105538a84479fe8542a192b6dbc8f19fc89107a81dd0e2cc6b87f5ae8f49750f7eeee8dd80313ebfbeb9b9f5a7091e0c76ef91e55522ecc72d3f8

                • C:\Users\Admin\AppData\Local\Temp\bcdwrj.exe
                  Filesize: 231KB
                  MD5: dae35caa4639b153b0531ec0ed895a79
                  SHA1: 03326ba6ddbc338f6165697e86a1439826c7af2b
                  SHA256: 23f54c809daf84b074a3286df27497739b43f5f98a521e29050a5083f2d405e7
                  SHA512: a270a4212187e2292f1b9884c916232fbabfdc45356a32896150c7b7d93a3d9abe173281bff90f7ab35654abce82cba9c55ebeb98de8c612241277ea48bc5d12

                • C:\Users\Admin\AppData\Local\Temp\jwyokf.exe
                  Filesize: 232KB
                  MD5: 7012fcfea8e3209d2df4ededfb4f054f
                  SHA1: e6a56f17ef923403eb58640a5ba20f38ab86f7bb
                  SHA256: dbc02fd38b5ee43d90a25ae195dd3068c6335cb59753ea9b9c4fed784e68d2c1
                  SHA512: 2e404c87d3fa61266f03f01f8d8337029363ed6fef5931f010a794b59f8bf89575da5626e86e2a9615f5fd3d8b829f678e57e6895b4f52c44d665177b3a68898

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                  Filesize: 780B
                  MD5: 305d94e1bc8af4070ea24e20bb0f6cee
                  SHA1: 27a7be845b37702e119b7e123a9cdf8e9ff9843b
                  SHA256: 7dfcab87e9191ab0309e26fe761b0309e000dfa991b8326615751e27b196502c
                  SHA512: d8dd0edac3c5cd0f41988c6398b4157c0f1e758f92c182be181812f2f695f80cd16a3b86b56e20428b6f631762f46414b2b8169738e299f2ca0c853800259067

                • C:\Users\Admin\EZTEAM.exe
                  Filesize: 4.5MB
                  MD5: b826cc5df747e44487a66c817b489a44
                  SHA1: d83fa81746187e6d38f3f573f054993a76db7390
                  SHA256: 79f9f7d5ce69d7b251ee044e12d3cb96e060e71c661561289c760f12802bc729
                  SHA512: a79f0ed0158ad1f6402b66d83885e1c31ea4bf6149c1d86a20e30070e359525993a8eee7c6402cedeaa448e5d1d708ee5718974e444529c184b56b1759e8475b

                • C:\Users\Admin\XClient.exe
                  Filesize: 77KB
                  MD5: 240ac3d24197bc90f385af9c0dc37813
                  SHA1: bfd68cf093c4c30c0873e0c4132c0d75c8497a8e
                  SHA256: bd6436f6e215509d8872236f7d98a5c55e5c04ce3ff0b0f09d431e33cef235f0
                  SHA512: 42fcad036b1ade8abd6ef58bef28be978ebc791cfa1092c3e5799b25f334642d67cf2769c49784af6574a9e97d088945e4edc042ec20118e6d36c7a84df76e4c
                • memory/884-480-0x0000023D5BB30000-0x0000023D5BD8E000-memory.dmp
                  Filesize: 2.4MB

                • memory/1180-63-0x0000014625AA0000-0x0000014625AC2000-memory.dmp
                  Filesize: 136KB

                • memory/1568-219-0x000000001B230000-0x000000001B23C000-memory.dmp
                  Filesize: 48KB

                • memory/1568-114-0x00007FFC0FE10000-0x00007FFC10005000-memory.dmp
                  Filesize: 2.0MB

                • memory/1568-31-0x0000000000590000-0x00000000005AA000-memory.dmp
                  Filesize: 104KB

                • memory/1568-463-0x000000001CF00000-0x000000001CF8E000-memory.dmp
                  Filesize: 568KB

                • memory/1568-458-0x000000001B580000-0x000000001B58C000-memory.dmp
                  Filesize: 48KB

                • memory/1568-111-0x000000001B950000-0x000000001BA52000-memory.dmp
                  Filesize: 1.0MB

                • memory/1568-46-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp
                  Filesize: 10.8MB

                • memory/1568-57-0x00007FFC0FE10000-0x00007FFC10005000-memory.dmp
                  Filesize: 2.0MB

                • memory/1568-302-0x000000001D1A0000-0x000000001D4F0000-memory.dmp
                  Filesize: 3.3MB

                • memory/1568-108-0x00007FFBF1920000-0x00007FFBF23E1000-memory.dmp
                  Filesize: 10.8MB

                • memory/1568-240-0x000000001B660000-0x000000001B66E000-memory.dmp
                  Filesize: 56KB

                • memory/1588-52-0x00007FFC0FEB0000-0x00007FFC0FEB2000-memory.dmp
                  Filesize: 8KB

                • memory/1588-53-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/1588-109-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/1588-50-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/1588-56-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/1588-55-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/1588-54-0x0000000140000000-0x0000000140B2D000-memory.dmp
                  Filesize: 11.2MB

                • memory/2740-1-0x0000000000AC0000-0x0000000000F5A000-memory.dmp
                  Filesize: 4.6MB

                • memory/2740-0-0x00007FFBF1923000-0x00007FFBF1925000-memory.dmp
                  Filesize: 8KB

                • memory/3056-155-0x00000244664F0000-0x000002446650E000-memory.dmp
                  Filesize: 120KB

                • memory/3056-128-0x0000024466110000-0x0000024466150000-memory.dmp
                  Filesize: 256KB

                • memory/3056-191-0x00000244664E0000-0x00000244664EA000-memory.dmp
                  Filesize: 40KB

                • memory/3056-192-0x0000024466740000-0x0000024466752000-memory.dmp
                  Filesize: 72KB

                • memory/3056-154-0x0000024466520000-0x0000024466570000-memory.dmp
                  Filesize: 320KB

                • memory/3056-153-0x0000024467DA0000-0x0000024467E16000-memory.dmp
                  Filesize: 472KB

                • memory/3056-211-0x00000244007E0000-0x00000244008E2000-memory.dmp
                  Filesize: 1.0MB

                • memory/4324-322-0x0000021B0F110000-0x0000021B0F150000-memory.dmp
                  Filesize: 256KB