xworm | c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

Analysis

max time kernel
34s
max time network
35s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/11/2024, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Api-AutoUpdaterV2.exe
Size

87KB
MD5

9f9e3e562c3ace91fd36c7d9b49c56a7
SHA1

32317350629c0591b49726ad71ab49e12b208918
SHA256

c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971
SHA512

8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d
SSDEEP

1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

job-moore.gl.at.ply.gg:49404

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3096-58-0x000000001BFA0000-0x000000001BFB6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
2068	powershell.exe
1592	powershell.exe
4056	powershell.exe
3268	powershell.exe
2468	powershell.exe
3848	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Api-AutoUpdaterV2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Api-AutoUpdaterV2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Api-AutoUpdaterV2.exe

Executes dropped EXE 1 IoCs

pid	Process
1072	Api-AutoUpdaterV2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender"	Api-AutoUpdaterV2.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
516	schtasks.exe
2568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4056	powershell.exe
1580	taskmgr.exe
1580	taskmgr.exe
4056	powershell.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
3268	powershell.exe
3268	powershell.exe
1580	taskmgr.exe
1580	taskmgr.exe
2468	powershell.exe
2468	powershell.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
3848	powershell.exe
3848	powershell.exe
1580	taskmgr.exe
2260	powershell.exe
2260	powershell.exe
1580	taskmgr.exe
2068	powershell.exe
2068	powershell.exe
1580	taskmgr.exe
1592	powershell.exe
1592	powershell.exe
1580	taskmgr.exe
1580	taskmgr.exe
3096	Api-AutoUpdaterV2.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	Api-AutoUpdaterV2.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	1580	taskmgr.exe
Token: SeSystemProfilePrivilege	1580	taskmgr.exe
Token: SeCreateGlobalPrivilege	1580	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	4056	powershell.exe
Token: SeSecurityPrivilege	4056	powershell.exe
Token: SeTakeOwnershipPrivilege	4056	powershell.exe
Token: SeLoadDriverPrivilege	4056	powershell.exe
Token: SeSystemProfilePrivilege	4056	powershell.exe
Token: SeSystemtimePrivilege	4056	powershell.exe
Token: SeProfSingleProcessPrivilege	4056	powershell.exe
Token: SeIncBasePriorityPrivilege	4056	powershell.exe
Token: SeCreatePagefilePrivilege	4056	powershell.exe
Token: SeBackupPrivilege	4056	powershell.exe
Token: SeRestorePrivilege	4056	powershell.exe
Token: SeShutdownPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeSystemEnvironmentPrivilege	4056	powershell.exe
Token: SeRemoteShutdownPrivilege	4056	powershell.exe
Token: SeUndockPrivilege	4056	powershell.exe
Token: SeManageVolumePrivilege	4056	powershell.exe
Token: 33	4056	powershell.exe
Token: 34	4056	powershell.exe
Token: 35	4056	powershell.exe
Token: 36	4056	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeIncreaseQuotaPrivilege	3268	powershell.exe
Token: SeSecurityPrivilege	3268	powershell.exe
Token: SeTakeOwnershipPrivilege	3268	powershell.exe
Token: SeLoadDriverPrivilege	3268	powershell.exe
Token: SeSystemProfilePrivilege	3268	powershell.exe
Token: SeSystemtimePrivilege	3268	powershell.exe
Token: SeProfSingleProcessPrivilege	3268	powershell.exe
Token: SeIncBasePriorityPrivilege	3268	powershell.exe
Token: SeCreatePagefilePrivilege	3268	powershell.exe
Token: SeBackupPrivilege	3268	powershell.exe
Token: SeRestorePrivilege	3268	powershell.exe
Token: SeShutdownPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeSystemEnvironmentPrivilege	3268	powershell.exe
Token: SeRemoteShutdownPrivilege	3268	powershell.exe
Token: SeUndockPrivilege	3268	powershell.exe
Token: SeManageVolumePrivilege	3268	powershell.exe
Token: 33	3268	powershell.exe
Token: 34	3268	powershell.exe
Token: 35	3268	powershell.exe
Token: 36	3268	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeIncreaseQuotaPrivilege	2468	powershell.exe
Token: SeSecurityPrivilege	2468	powershell.exe
Token: SeTakeOwnershipPrivilege	2468	powershell.exe
Token: SeLoadDriverPrivilege	2468	powershell.exe
Token: SeSystemProfilePrivilege	2468	powershell.exe
Token: SeSystemtimePrivilege	2468	powershell.exe
Token: SeProfSingleProcessPrivilege	2468	powershell.exe
Token: SeIncBasePriorityPrivilege	2468	powershell.exe
Token: SeCreatePagefilePrivilege	2468	powershell.exe
Token: SeBackupPrivilege	2468	powershell.exe
Token: SeRestorePrivilege	2468	powershell.exe
Token: SeShutdownPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeSystemEnvironmentPrivilege	2468	powershell.exe
Token: SeRemoteShutdownPrivilege	2468	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe
1580	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3096	Api-AutoUpdaterV2.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4056	3096	Api-AutoUpdaterV2.exe	86
PID 3096 wrote to memory of 4056	3096	Api-AutoUpdaterV2.exe	86
PID 3096 wrote to memory of 3268	3096	Api-AutoUpdaterV2.exe	92
PID 3096 wrote to memory of 3268	3096	Api-AutoUpdaterV2.exe	92
PID 3096 wrote to memory of 2468	3096	Api-AutoUpdaterV2.exe	94
PID 3096 wrote to memory of 2468	3096	Api-AutoUpdaterV2.exe	94
PID 3096 wrote to memory of 516	3096	Api-AutoUpdaterV2.exe	98
PID 3096 wrote to memory of 516	3096	Api-AutoUpdaterV2.exe	98
PID 3096 wrote to memory of 3848	3096	Api-AutoUpdaterV2.exe	100
PID 3096 wrote to memory of 3848	3096	Api-AutoUpdaterV2.exe	100
PID 3096 wrote to memory of 2260	3096	Api-AutoUpdaterV2.exe	102
PID 3096 wrote to memory of 2260	3096	Api-AutoUpdaterV2.exe	102
PID 3096 wrote to memory of 2068	3096	Api-AutoUpdaterV2.exe	104
PID 3096 wrote to memory of 2068	3096	Api-AutoUpdaterV2.exe	104
PID 3096 wrote to memory of 1592	3096	Api-AutoUpdaterV2.exe	106
PID 3096 wrote to memory of 1592	3096	Api-AutoUpdaterV2.exe	106
PID 3096 wrote to memory of 2568	3096	Api-AutoUpdaterV2.exe	109
PID 3096 wrote to memory of 2568	3096	Api-AutoUpdaterV2.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe
"C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-AutoUpdaterV2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-AutoUpdaterV2" /tr "C:\ProgramData\Api-AutoUpdaterV2.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1580

C:\ProgramData\Api-AutoUpdaterV2.exe
"C:\ProgramData\Api-AutoUpdaterV2.exe"
1⤵
- Executes dropped EXE
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Api-AutoUpdaterV2.exe

Filesize
87KB

MD5
9f9e3e562c3ace91fd36c7d9b49c56a7

SHA1
32317350629c0591b49726ad71ab49e12b208918

SHA256
c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

SHA512
8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
119c7ae449382e726bbce58ac7096b60

SHA1
f45821ffec1a4a562d250eba652b6016352feed5

SHA256
6716b561c7d81e6d5f81f0d06d333f73db21b3d16f664e8b2d521b11ca291521

SHA512
040f436d1715d04736200c1250cc49f7d125030f5919c9ecb4026ab0e188e111831d372557c2677ca12004b84f5592f3b4369f74096344a337e3e84c3ec0bc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0363f5c09a6963431963c20d2aebb57

SHA1
776773f69229f14fb7440613951cce1ff900214d

SHA256
df302cb3cf45ac418f781ca1a5219096676477c7295c9e3e78e28a7306e16337

SHA512
c5fcb057e9af32d61ccec321c2f3adfffe4b8fd98bb15bd2412b07d3abcd1195724cd2c87b4e0fe8c758bfeeff976a060279005b1272c38cdd14ecf3ab29ddf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d4599bc1d01dd972599956f3895759e

SHA1
d9ec6a80cab0d116cd821e0bd0c4c5a3d7ee8d6d

SHA256
0624f17f14db596be458150f3f70c66577fce868cbe4a905e9362f5d853dd412

SHA512
a3d945574c14a231058796fa14d802605a3982da1b7e24417a4c059b8185be5f13d0c6f27f82bfe57f9bb1b06fe64540eb0c9e83e93ba1a4ad2614802b3f049b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5ffc5fcfe9f4b27eeaf116938c9419a

SHA1
aaa5146bb86f1ed3e20498c880e42b42c1500e8a

SHA256
c68ad1b03fddb6c9f685e54e82ae618ee321a22a774b6afef615b2a87a5c3624

SHA512
c1adb8992a39234149575259c888586ccaeeb60096bc6792b6c7faf9fb012a8058cd4e3f8b0f425165e375cb2b739965a18278e4d5c877376c26f85d63257656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17a9abe8cbb71401b7b5abf9bff3ef37

SHA1
647d8aba67a4fda071f731f7d2f6afa8408f2f6e

SHA256
b935f7bb89344a7e03e0eafdb9e0368ae3c9e1d864063de6ef50cc5c68d4f122

SHA512
9dcc503c76ebc0685047b62376a4a9958842a8a433f34ce70b7472d53d48c12dd693d21ee44a2dfe2299a6f484a7c15eb8f174ae065252f4a9c747eba4860b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pm1sy1qr.aon.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk

Filesize
688B

MD5
993bec05deca25b7b526f4a548c0256e

SHA1
d862472b79c3681062c856f8ce50f1c0d724c863

SHA256
eae2358b3ae184db18eb781deff8d6fa26bc1f7cc86c560e3f13d820443701e5

SHA512
fe9fd17ea5432b4246d68a6de172c9fe3efdaa52a3705f4ee8de312d0611c5bbef42c175cfc43ab2a522ecf1a99892123bed816dc117dd007cad26426375b9b6

Download Submit
memory/1580-23-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-17-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-27-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-26-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-25-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-24-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-28-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-22-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-18-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/1580-16-0x000002AD2E0D0000-0x000002AD2E0D1000-memory.dmp

Filesize
4KB

Download
memory/3096-0-0x00007FFA4E073000-0x00007FFA4E075000-memory.dmp

Filesize
8KB

Download
memory/3096-54-0x00007FFA4E073000-0x00007FFA4E075000-memory.dmp

Filesize
8KB

Download
memory/3096-55-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download
memory/3096-58-0x000000001BFA0000-0x000000001BFB6000-memory.dmp

Filesize
88KB

Download
memory/3096-2-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download
memory/3096-1-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/3096-111-0x000000001C040000-0x000000001C04C000-memory.dmp

Filesize
48KB

Download
memory/4056-31-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download
memory/4056-15-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download
memory/4056-14-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download
memory/4056-13-0x000001FCC7A20000-0x000001FCC7A42000-memory.dmp

Filesize
136KB

Download
memory/4056-3-0x00007FFA4E070000-0x00007FFA4EB32000-memory.dmp

Filesize
10.8MB

Download