Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 18:54

General

  • Target

    downloader11.exe

  • Size

    70.1MB

  • MD5

    7e4b04a254d52d6745a5d614ad447636

  • SHA1

    09972b7895437ba28485ed0be0fadc22d6b710b6

  • SHA256

    769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19

  • SHA512

    e85d6e25cdbf6833de0586d477e0fe3741d5223e4f3be8ccc96984dc63eef045ccdf68aaae51c2ff2205da7f911008fbba7915d7553abb5ae92f9bc73c2cc2f8

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qRsGg4GUo3N3:lWoI7zGP5ahWc3ImF

Malware Config

Extracted

Family

xworm

C2

83.38.19.195:1603

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 10 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 18 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader11.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader11.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
      2⤵
        PID:3448
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\AppData\Local\Temp\notepad.exe
          "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:3124
          • C:\Users\Public\OneDrive.exe
            "C:\Users\Public\OneDrive.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4012
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3764
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2104
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2880
          • C:\Users\Public\Runtime Broker.exe
            "C:\Users\Public\Runtime Broker.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1412
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:8
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2072
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2828
          • C:\Users\Public\svhost.exe
            "C:\Users\Public\svhost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2020
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4036
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2076
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4508
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:5104
          • C:\Users\Public\WmiPrvSE.exe
            "C:\Users\Public\WmiPrvSE.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3672
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2096
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3464
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4032
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2284
          • C:\Users\Public\SecurityHealthSystray.exe
            "C:\Users\Public\SecurityHealthSystray.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2440
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3612
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4600
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4132
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3492
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
        2⤵
          PID:4500
      • C:\ProgramData\SecurityHealthSystray.exe
        C:\ProgramData\SecurityHealthSystray.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\ProgramData\svhost.exe
        C:\ProgramData\svhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
      • C:\ProgramData\Runtime Broker.exe
        "C:\ProgramData\Runtime Broker.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Users\Public\WmiPrvSE.exe
        C:\Users\Public\WmiPrvSE.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
      • C:\ProgramData\SecurityHealthSystray.exe
        C:\ProgramData\SecurityHealthSystray.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3720
      • C:\ProgramData\svhost.exe
        C:\ProgramData\svhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\ProgramData\Runtime Broker.exe
        "C:\ProgramData\Runtime Broker.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
      • C:\Users\Public\WmiPrvSE.exe
        C:\Users\Public\WmiPrvSE.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4732
      • C:\ProgramData\SecurityHealthSystray.exe
        C:\ProgramData\SecurityHealthSystray.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2236
      • C:\ProgramData\svhost.exe
        C:\ProgramData\svhost.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\ProgramData\Runtime Broker.exe
        "C:\ProgramData\Runtime Broker.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
      • C:\Users\Public\WmiPrvSE.exe
        C:\Users\Public\WmiPrvSE.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:376

      Network

      MITRE ATT&CK Enterprise v15


      Downloads
