xworm | 5bbf73a1e1f6bd7fa7885fc8e052e36920d9ac928b97ca9db978676664a2a064

Analysis

max time kernel
131s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
04/09/2024, 10:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Confirmación de pago1.exe
Size

956KB
MD5

43cb0ab95c193e4c0929aca7fbd6589e
SHA1

ad6e821b83255801ddde3fe162c7a8e93abe5c33
SHA256

5bbf73a1e1f6bd7fa7885fc8e052e36920d9ac928b97ca9db978676664a2a064
SHA512

2c0c14ec714e1b1bbaeec624a8a6899ee8454e1c6b6350bc43c2168adf1aff544763864ed7177d97bbbb53c8205daa2549b45d5fe2663bce19cb6f4447d0d4f1
SSDEEP

12288:jzjLf30WH0mkPStI1lRHIZAtGW1wTlnKhKKKNbi3mw:fjj0yYx3dCAMbiP

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

taraji111.duckdns.org:31823

Mutex

RFfb2ploDgN8rSit

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2100-26-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1980	powershell.exe
2332	powershell.exe
4128	powershell.exe
3384	powershell.exe
3960	powershell.exe
4828	powershell.exe
688	powershell.exe
3608	powershell.exe
2628	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1104	Confirmación de pago1.exe
1540	Confirmación de pago1.exe
3312	Confirmación de pago1.exe
2040	Confirmación de pago1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Confirmación de pago1 = "C:\\Users\\Admin\\AppData\\Roaming\\Confirmación de pago1.exe"	Confirmación de pago1.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3220 set thread context of 2100	3220	Confirmación de pago1.exe	76
PID 1104 set thread context of 1540	1104	Confirmación de pago1.exe	93
PID 3312 set thread context of 2040	3312	Confirmación de pago1.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Confirmación de pago1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
164	schtasks.exe
1472	schtasks.exe
3716	schtasks.exe
1848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1980	powershell.exe
2332	powershell.exe
1980	powershell.exe
2332	powershell.exe
1980	powershell.exe
2332	powershell.exe
688	powershell.exe
688	powershell.exe
688	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
2100	Confirmación de pago1.exe
3384	powershell.exe
3960	powershell.exe
3384	powershell.exe
3960	powershell.exe
3384	powershell.exe
3960	powershell.exe
4128	powershell.exe
4828	powershell.exe
4128	powershell.exe
4828	powershell.exe
4128	powershell.exe
4828	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2100	Confirmación de pago1.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2100	Confirmación de pago1.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	1540	Confirmación de pago1.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	2040	Confirmación de pago1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2100	Confirmación de pago1.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1980	3220	Confirmación de pago1.exe	70
PID 3220 wrote to memory of 1980	3220	Confirmación de pago1.exe	70
PID 3220 wrote to memory of 1980	3220	Confirmación de pago1.exe	70
PID 3220 wrote to memory of 2332	3220	Confirmación de pago1.exe	72
PID 3220 wrote to memory of 2332	3220	Confirmación de pago1.exe	72
PID 3220 wrote to memory of 2332	3220	Confirmación de pago1.exe	72
PID 3220 wrote to memory of 164	3220	Confirmación de pago1.exe	73
PID 3220 wrote to memory of 164	3220	Confirmación de pago1.exe	73
PID 3220 wrote to memory of 164	3220	Confirmación de pago1.exe	73
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 3220 wrote to memory of 2100	3220	Confirmación de pago1.exe	76
PID 2100 wrote to memory of 688	2100	Confirmación de pago1.exe	77
PID 2100 wrote to memory of 688	2100	Confirmación de pago1.exe	77
PID 2100 wrote to memory of 688	2100	Confirmación de pago1.exe	77
PID 2100 wrote to memory of 3608	2100	Confirmación de pago1.exe	79
PID 2100 wrote to memory of 3608	2100	Confirmación de pago1.exe	79
PID 2100 wrote to memory of 3608	2100	Confirmación de pago1.exe	79
PID 2100 wrote to memory of 2628	2100	Confirmación de pago1.exe	81
PID 2100 wrote to memory of 2628	2100	Confirmación de pago1.exe	81
PID 2100 wrote to memory of 2628	2100	Confirmación de pago1.exe	81
PID 2100 wrote to memory of 1472	2100	Confirmación de pago1.exe	83
PID 2100 wrote to memory of 1472	2100	Confirmación de pago1.exe	83
PID 2100 wrote to memory of 1472	2100	Confirmación de pago1.exe	83
PID 1104 wrote to memory of 3384	1104	Confirmación de pago1.exe	87
PID 1104 wrote to memory of 3384	1104	Confirmación de pago1.exe	87
PID 1104 wrote to memory of 3384	1104	Confirmación de pago1.exe	87
PID 1104 wrote to memory of 3960	1104	Confirmación de pago1.exe	89
PID 1104 wrote to memory of 3960	1104	Confirmación de pago1.exe	89
PID 1104 wrote to memory of 3960	1104	Confirmación de pago1.exe	89
PID 1104 wrote to memory of 3716	1104	Confirmación de pago1.exe	90
PID 1104 wrote to memory of 3716	1104	Confirmación de pago1.exe	90
PID 1104 wrote to memory of 3716	1104	Confirmación de pago1.exe	90
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 1104 wrote to memory of 1540	1104	Confirmación de pago1.exe	93
PID 3312 wrote to memory of 4128	3312	Confirmación de pago1.exe	95
PID 3312 wrote to memory of 4128	3312	Confirmación de pago1.exe	95
PID 3312 wrote to memory of 4128	3312	Confirmación de pago1.exe	95
PID 3312 wrote to memory of 4828	3312	Confirmación de pago1.exe	97
PID 3312 wrote to memory of 4828	3312	Confirmación de pago1.exe	97
PID 3312 wrote to memory of 4828	3312	Confirmación de pago1.exe	97
PID 3312 wrote to memory of 1848	3312	Confirmación de pago1.exe	98
PID 3312 wrote to memory of 1848	3312	Confirmación de pago1.exe	98
PID 3312 wrote to memory of 1848	3312	Confirmación de pago1.exe	98
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101
PID 3312 wrote to memory of 2040	3312	Confirmación de pago1.exe	101

C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HEhzZiE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HEhzZiE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F4.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:164
- C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe
  "C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Confirmación de pago1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Confirmación de pago1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Confirmación de pago1" /tr "C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1472

C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe
"C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HEhzZiE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HEhzZiE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBB7.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3716
- C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe
  "C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1540

C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe
"C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HEhzZiE.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HEhzZiE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB155.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1848
- C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe
  "C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirmación de pago1.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2a17c1b7431cd8563c13016be12fcf12

SHA1
273a242a2e8ce9106ca307e5c9632df4f41eafdb

SHA256
863dff9b5811656259059ead62ee6760c3367287479dd7fdfc60cf1fa4aa4dc1

SHA512
28c3348e6791d168f51a0eb453fe3b8e54ab22492fafc5a4dd586078e0cd584c421d891037eed2b50957d3546688499b2f2894b73541ae82827a3ac0071eafc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
98b481e185f8f324d81ccfc3d628d8cd

SHA1
2b4330962cf0bfae28ef0fb1cb41580f9fc870d6

SHA256
e7934455ebe04a98a80f65677160ec61acb5c008af8e71528c76e09f67c8aa3a

SHA512
f58b00e3aa8f2f05e680138932038b77bb03f3bc6d86f73fb212fa892c339cb5069e72228d6e306d7f4b97b1d4d9116a71f390dc652d18b1beb7e2b350f85c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7a1ddfbb2da75df84400c2224fcbe6a6

SHA1
bd8cf60d451b1c92c4212395061740c0a6dada39

SHA256
b0bee42c34c931b24547a259e1faf073dd38802ff590c28a6ff71840453ae600

SHA512
b0e536befe6f11c64655837b0688b1f2d14a1138d104c6e6356385680f33de7b30389bdf248fd652d8d363c8e1ac4170bf8faab9c6efd8fa1c2cbe70c1ee692c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0692718ce57376b543b2f8e02468003f

SHA1
bd006a03d327263ee34b014907eaf95e21f142ea

SHA256
5f9c8b6dab9de668ac5b57b2af2e91e292ab17bcaa76f9ff90beb781816392e9

SHA512
5ca1c549301a54c1cb8994abe0c74c034296d49ba297fe58927e17cb4e514ca927c8f246e8e2359b34d7072789d483ed253feb6caac5c2a5d60eebec3d079f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0b034fcdc948fa2d26f727a22f41cd8b

SHA1
e1498ac39ff12890b8c0bbac9924a6d4861a3249

SHA256
63368fbda76fc6bb303ac86f9df3caf9cec27cac28dc6d89e8b70fb01fb93999

SHA512
213180e6f094867b463edee3c7ef1dfca9fb5e8b4cf4c072fc898ca9276cd2f8ed7c901c46ab56bc41c94e9dad88d98c6c4880605fa6755071ebe2a90a8a05c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3559cdd4ca57fcd2ee32dee70ced0ff5

SHA1
27fd935c5fda46a593d313dc16ab902ec5605a28

SHA256
dc5446bc748dd3e438f9bea218ab28775ed4109444c571062c9711a0d0e46e44

SHA512
a5078f485993a4dee0ade3dd3a524aaf3fc396d1794ac083b94d4824d53a50d9ef7625da65fb1c41dfabc380b7ff64f13da5b8dfcec7e42e18198546b2d58169

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svng5kfy.nip.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F4.tmp

Filesize
1KB

MD5
1e9e73bd91cc3b67ce0c16328d3bca69

SHA1
9fc7035b842043555da82a236f4b0f6fe317479b

SHA256
91b8c231cb6a61ca30e877d8225080119733d1b5060ef369c92c21e685bd40ad

SHA512
f26b3e3c437484a6c7fd0e5bd9cf31280aa48c2635ad68e4d9d44645e5289d937ae5d23c722bfcd6ef25162dc82954de9a351383957556af6ddf1f879ad0b299

Download Submit
C:\Users\Admin\AppData\Roaming\Confirmación de pago1.exe

Filesize
956KB

MD5
43cb0ab95c193e4c0929aca7fbd6589e

SHA1
ad6e821b83255801ddde3fe162c7a8e93abe5c33

SHA256
5bbf73a1e1f6bd7fa7885fc8e052e36920d9ac928b97ca9db978676664a2a064

SHA512
2c0c14ec714e1b1bbaeec624a8a6899ee8454e1c6b6350bc43c2168adf1aff544763864ed7177d97bbbb53c8205daa2549b45d5fe2663bce19cb6f4447d0d4f1

Download Submit
memory/688-508-0x0000000073D90000-0x0000000073DDB000-memory.dmp

Filesize
300KB

Download
memory/1980-30-0x0000000007EE0000-0x0000000008230000-memory.dmp

Filesize
3.3MB

Download
memory/1980-71-0x0000000073D90000-0x0000000073DDB000-memory.dmp

Filesize
300KB

Download
memory/1980-19-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-17-0x0000000004A90000-0x0000000004AC6000-memory.dmp

Filesize
216KB

Download
memory/1980-24-0x0000000007510000-0x0000000007532000-memory.dmp

Filesize
136KB

Download
memory/1980-25-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/1980-20-0x00000000076D0000-0x0000000007CF8000-memory.dmp

Filesize
6.2MB

Download
memory/1980-27-0x0000000007620000-0x0000000007686000-memory.dmp

Filesize
408KB

Download
memory/1980-18-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-80-0x00000000095B0000-0x0000000009655000-memory.dmp

Filesize
660KB

Download
memory/1980-31-0x00000000082B0000-0x00000000082CC000-memory.dmp

Filesize
112KB

Download
memory/1980-32-0x00000000082D0000-0x000000000831B000-memory.dmp

Filesize
300KB

Download
memory/1980-33-0x00000000085D0000-0x0000000008646000-memory.dmp

Filesize
472KB

Download
memory/1980-596-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/1980-81-0x0000000009990000-0x0000000009A24000-memory.dmp

Filesize
592KB

Download
memory/2100-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2332-68-0x0000000009940000-0x000000000995E000-memory.dmp

Filesize
120KB

Download
memory/2332-66-0x0000000009980000-0x00000000099B3000-memory.dmp

Filesize
204KB

Download
memory/2332-67-0x0000000073D90000-0x0000000073DDB000-memory.dmp

Filesize
300KB

Download
memory/2332-460-0x0000000009C20000-0x0000000009C3A000-memory.dmp

Filesize
104KB

Download
memory/2332-483-0x0000000009C10000-0x0000000009C18000-memory.dmp

Filesize
32KB

Download
memory/2628-996-0x0000000070630000-0x000000007067B000-memory.dmp

Filesize
300KB

Download
memory/3220-6-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/3220-4-0x0000000004A00000-0x0000000004A0A000-memory.dmp

Filesize
40KB

Download
memory/3220-9-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/3220-8-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/3220-7-0x0000000004C50000-0x0000000004C68000-memory.dmp

Filesize
96KB

Download
memory/3220-1-0x0000000000090000-0x000000000010E000-memory.dmp

Filesize
504KB

Download
memory/3220-2-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/3220-10-0x0000000007410000-0x0000000007462000-memory.dmp

Filesize
328KB

Download
memory/3220-3-0x0000000004950000-0x00000000049E2000-memory.dmp

Filesize
584KB

Download
memory/3220-29-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/3220-0-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/3220-5-0x00000000735C0000-0x0000000073CAE000-memory.dmp

Filesize
6.9MB

Download
memory/3384-1258-0x000000006F480000-0x000000006F4CB000-memory.dmp

Filesize
300KB

Download
memory/3384-1224-0x0000000007640000-0x0000000007990000-memory.dmp

Filesize
3.3MB

Download
memory/3384-1227-0x0000000007F40000-0x0000000007F8B000-memory.dmp

Filesize
300KB

Download
memory/3384-1265-0x00000000090A0000-0x0000000009145000-memory.dmp

Filesize
660KB

Download
memory/3608-766-0x00000000099E0000-0x0000000009A85000-memory.dmp

Filesize
660KB

Download
memory/3608-761-0x0000000070630000-0x000000007067B000-memory.dmp

Filesize
300KB

Download
memory/3608-744-0x0000000008610000-0x000000000865B000-memory.dmp

Filesize
300KB

Download
memory/3608-742-0x0000000007FE0000-0x0000000008330000-memory.dmp

Filesize
3.3MB

Download
memory/3960-1266-0x000000006F480000-0x000000006F4CB000-memory.dmp

Filesize
300KB

Download
memory/4128-1701-0x00000000083B0000-0x0000000008700000-memory.dmp

Filesize
3.3MB

Download
memory/4128-1731-0x000000006F480000-0x000000006F4CB000-memory.dmp

Filesize
300KB

Download
memory/4828-1742-0x000000006F480000-0x000000006F4CB000-memory.dmp

Filesize
300KB

Download