stormkitty | dba0c17d6101161862cb98fd0d5cc2c9c196ef3c561a6159d4df9cff2da4cc8f

Analysis

max time kernel
486s
max time network
489s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spf.exe
Size

66.1MB
MD5

2424c3fe215d77e8e460a8f6796de636
SHA1

07b47f0878c5859b6681c6bd14cf2a464729f330
SHA256

dba0c17d6101161862cb98fd0d5cc2c9c196ef3c561a6159d4df9cff2da4cc8f
SHA512

52208cef403e4d36cd0704e8da0e159511a28ad972176e3dbc7fd47111cd4a5e0331d22df4f89d939b6a317d51345818f9bcc24219c9d0fc8818c005ecf7238a
SSDEEP

1572864:nu43xWJUEl1vVvo3fXzU/Pymw7NtvPeJxHIa6p02SfkHn4HfQ:nu4BaUEPdvo3fXziqdNJ0H+0hkHMI

Score

10^/10

stormkitty xworm discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

cash-infections.gl.at.ply.gg:54632

Mutex

uaiEP0l5RwMqBswG

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000001e747-7.dat	family_xworm
behavioral2/memory/1580-15-0x00000000006F0000-0x0000000000702000-memory.dmp	family_xworm

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/1580-91-0x000000001D9C0000-0x000000001DAE0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3436	powershell.exe
3664	powershell.exe
1668	powershell.exe
1540	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	spf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	spf.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk	spf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe	spf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Spoofer.lnk	spf.exe

Executes dropped EXE 2 IoCs

pid	Process
1580	spf.exe
2912	sigma reported.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	sigma reported.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	sigma reported.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	sigma reported.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\ImagePath	sigma reported.exe

Power Settings 1 TTPs 14 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4700	powercfg.exe
2200	powercfg.exe
4600	cmd.exe
3396	powercfg.exe
5064	cmd.exe
4868	powercfg.exe
3828	powercfg.exe
3488	cmd.exe
2180	powercfg.exe
1728	cmd.exe
4404	powercfg.exe
992	cmd.exe
3056	cmd.exe
3444	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4572	sc.exe
3048	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3904	taskkill.exe
4596	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Document Windows\z = 090000000000000000000000010000003900000000000000ffffffff000000000000ffff	sigma reported.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1668	powershell.exe
1668	powershell.exe
1540	powershell.exe
1540	powershell.exe
3436	powershell.exe
3436	powershell.exe
3664	powershell.exe
3664	powershell.exe
2912	sigma reported.exe
2912	sigma reported.exe
1580	spf.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe
2912	sigma reported.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	spf.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	2912	sigma reported.exe
Token: SeDebugPrivilege	1580	spf.exe
Token: SeShutdownPrivilege	4700	powercfg.exe
Token: SeCreatePagefilePrivilege	4700	powercfg.exe
Token: SeShutdownPrivilege	4700	powercfg.exe
Token: SeCreatePagefilePrivilege	4700	powercfg.exe
Token: SeShutdownPrivilege	2180	powercfg.exe
Token: SeCreatePagefilePrivilege	2180	powercfg.exe
Token: SeShutdownPrivilege	2200	powercfg.exe
Token: SeCreatePagefilePrivilege	2200	powercfg.exe
Token: SeShutdownPrivilege	4868	powercfg.exe
Token: SeCreatePagefilePrivilege	4868	powercfg.exe
Token: SeShutdownPrivilege	3828	powercfg.exe
Token: SeCreatePagefilePrivilege	3828	powercfg.exe
Token: SeShutdownPrivilege	4404	powercfg.exe
Token: SeCreatePagefilePrivilege	4404	powercfg.exe
Token: SeShutdownPrivilege	3396	powercfg.exe
Token: SeCreatePagefilePrivilege	3396	powercfg.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1580	spf.exe
2912	sigma reported.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1580	536	spf.exe	84
PID 536 wrote to memory of 1580	536	spf.exe	84
PID 536 wrote to memory of 2912	536	spf.exe	85
PID 536 wrote to memory of 2912	536	spf.exe	85
PID 1580 wrote to memory of 1668	1580	spf.exe	90
PID 1580 wrote to memory of 1668	1580	spf.exe	90
PID 1580 wrote to memory of 1540	1580	spf.exe	92
PID 1580 wrote to memory of 1540	1580	spf.exe	92
PID 1580 wrote to memory of 3436	1580	spf.exe	95
PID 1580 wrote to memory of 3436	1580	spf.exe	95
PID 1580 wrote to memory of 3664	1580	spf.exe	97
PID 1580 wrote to memory of 3664	1580	spf.exe	97
PID 2912 wrote to memory of 2708	2912	sigma reported.exe	104
PID 2912 wrote to memory of 2708	2912	sigma reported.exe	104
PID 2708 wrote to memory of 4572	2708	cmd.exe	106
PID 2708 wrote to memory of 4572	2708	cmd.exe	106
PID 2912 wrote to memory of 3540	2912	sigma reported.exe	107
PID 2912 wrote to memory of 3540	2912	sigma reported.exe	107
PID 3540 wrote to memory of 3048	3540	cmd.exe	109
PID 3540 wrote to memory of 3048	3540	cmd.exe	109
PID 2912 wrote to memory of 3708	2912	sigma reported.exe	110
PID 2912 wrote to memory of 3708	2912	sigma reported.exe	110
PID 3708 wrote to memory of 2628	3708	cmd.exe	112
PID 3708 wrote to memory of 2628	3708	cmd.exe	112
PID 2912 wrote to memory of 3056	2912	sigma reported.exe	113
PID 2912 wrote to memory of 3056	2912	sigma reported.exe	113
PID 3056 wrote to memory of 4700	3056	cmd.exe	115
PID 3056 wrote to memory of 4700	3056	cmd.exe	115
PID 2912 wrote to memory of 3488	2912	sigma reported.exe	116
PID 2912 wrote to memory of 3488	2912	sigma reported.exe	116
PID 3488 wrote to memory of 2180	3488	cmd.exe	118
PID 3488 wrote to memory of 2180	3488	cmd.exe	118
PID 2912 wrote to memory of 1728	2912	sigma reported.exe	119
PID 2912 wrote to memory of 1728	2912	sigma reported.exe	119
PID 1728 wrote to memory of 2200	1728	cmd.exe	121
PID 1728 wrote to memory of 2200	1728	cmd.exe	121
PID 2912 wrote to memory of 5064	2912	sigma reported.exe	122
PID 2912 wrote to memory of 5064	2912	sigma reported.exe	122
PID 5064 wrote to memory of 4868	5064	cmd.exe	124
PID 5064 wrote to memory of 4868	5064	cmd.exe	124
PID 2912 wrote to memory of 4600	2912	sigma reported.exe	125
PID 2912 wrote to memory of 4600	2912	sigma reported.exe	125
PID 4600 wrote to memory of 3828	4600	cmd.exe	127
PID 4600 wrote to memory of 3828	4600	cmd.exe	127
PID 2912 wrote to memory of 3444	2912	sigma reported.exe	128
PID 2912 wrote to memory of 3444	2912	sigma reported.exe	128
PID 3444 wrote to memory of 4404	3444	cmd.exe	130
PID 3444 wrote to memory of 4404	3444	cmd.exe	130
PID 2912 wrote to memory of 992	2912	sigma reported.exe	131
PID 2912 wrote to memory of 992	2912	sigma reported.exe	131
PID 992 wrote to memory of 3396	992	cmd.exe	133
PID 992 wrote to memory of 3396	992	cmd.exe	133
PID 2912 wrote to memory of 2400	2912	sigma reported.exe	134
PID 2912 wrote to memory of 2400	2912	sigma reported.exe	134
PID 2912 wrote to memory of 3904	2912	sigma reported.exe	135
PID 2912 wrote to memory of 3904	2912	sigma reported.exe	135
PID 2912 wrote to memory of 4596	2912	sigma reported.exe	136
PID 2912 wrote to memory of 4596	2912	sigma reported.exe	136

C:\Users\Admin\AppData\Local\Temp\spf.exe
"C:\Users\Admin\AppData\Local\Temp\spf.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spf.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Spoofer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\sigma reported.exe
  "C:\Users\Admin\AppData\Local\Temp\sigma reported.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C sc stop bam
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\sc.exe
      sc stop bam
      4⤵
      Launches sc.exe
      PID:4572
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C SC CONFIG "bam" START= DISABLED
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\system32\sc.exe
      SC CONFIG "bam" START= DISABLED
      4⤵
      Launches sc.exe
      PID:3048
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /C fsutil behavior set DisableLastAccess 3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\system32\fsutil.exe
      fsutil behavior set DisableLastAccess 3
      4⤵
      PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /hibernate off
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\powercfg.exe
      powercfg /hibernate off
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -disk-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -disk-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3396
- - C:\Windows\SYSTEM32\w32tm.exe
    w32tm /resync
    3⤵
    PID:2400
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /F /IM agent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill /F /IM battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spf.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05626d543357a7b9aab66738323d7ac6

SHA1
8a0366530637b0f977af59dde44fae4df8906f0f

SHA256
352265151df8fcc298bbbde14c4ddff51683a9a43416ce1987511ee7a27fa433

SHA512
11222b457bce9d25eca8b7f4768c5706ad117960d122bf049f94158725187fbaea86f38b3910402043f5a565dcc5faca535366880c0bd92f58a799931a32401d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67c47240cc90de5d56338fdedb9ce2a2

SHA1
f56c843e20711a744638ec85842a82f437cfde68

SHA256
8e7dd332a5db18a40196355226f95137965757cfc87d25d133557e5e097cab3d

SHA512
ac74960d342e1885a5522a4e1422c43cb4c3056c0d5dacad438c345efdfe26bd9d015a1ef4bd24c90c6db4f7d6687a992c834f638b045a7b2500404e242f855a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvpjbrif.owv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe

Filesize
50KB

MD5
64470671400941aa271bb9961c65009d

SHA1
e684951964a2fdfffd8e107768c27cc8541f8219

SHA256
692eb4845bc59eb61fd3340f8cfb7692392d4e9e8dd1aa22bd64f89e3dd34614

SHA512
8583abcb6c163921469567363a4173e4e748fd49beca77cd36ae5a10bf59627b369dab50d4723d3f84e8f453ed95ee688f2db7724ba15a2ee2a995385b5003d8

Download Submit
memory/536-27-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/536-3-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/536-1-0x0000000000510000-0x000000000472A000-memory.dmp

Filesize
66.1MB

Download
memory/536-0-0x00007FFAABF93000-0x00007FFAABF95000-memory.dmp

Filesize
8KB

Download
memory/1580-83-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-87-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-14-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-132-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-15-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/1580-28-0x00007FFAABF90000-0x00007FFAACA51000-memory.dmp

Filesize
10.8MB

Download
memory/1580-91-0x000000001D9C0000-0x000000001DAE0000-memory.dmp

Filesize
1.1MB

Download
memory/1580-90-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/1668-38-0x0000028A4EDB0000-0x0000028A4EDD2000-memory.dmp

Filesize
136KB

Download
memory/2912-76-0x00007FF7C1EB0000-0x00007FF7C2EB0000-memory.dmp

Filesize
16.0MB

Download
memory/2912-86-0x00007FFA8A340000-0x00007FFA8A350000-memory.dmp

Filesize
64KB

Download
memory/2912-85-0x00007FFA8A340000-0x00007FFA8A350000-memory.dmp

Filesize
64KB

Download
memory/2912-84-0x00007FFA8A340000-0x00007FFA8A350000-memory.dmp

Filesize
64KB

Download
memory/2912-74-0x00007FFACA490000-0x00007FFACA492000-memory.dmp

Filesize
8KB

Download