Overview

overview

10

Static

static

10

nigger.exe

windows7-x64

10

nigger.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    883s
  • max time network
    893s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2025, 20:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    nigger.exe

  • Size

    64KB

  • MD5

    6f8774e5839ed8ed21449f097122f0d9

  • SHA1

    666790bd8f79903fcb4788ed3ef6552bf2d7c340

  • SHA256

    978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9

  • SHA512

    9d371e4b2ce6c356a57a19fd1b070e67ccbc37fc206d1d8e6c3f2b444065d64664420d64f788c459fd4632a1f1b4bc850d10e5a0dd9b9b4667bdb8f4c3d09b53

  • SSDEEP

    1536:yP2rvEPQLEMlRGvqzRXJ69b3XhNQpzO862MO1fQKvixfav:yP2rv8GTx9569b3kpuO1fQ5av

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

memory-lottery.gl.at.ply.gg:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\nigger.exe
    "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nigger.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nigger.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'security'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1164
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "security" /tr "C:\Users\Admin\AppData\Roaming\security"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4164
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ConvertUnblock.svg
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcce3d46f8,0x7ffcce3d4708,0x7ffcce3d4718
      2⤵
        PID:4968
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        2⤵
          PID:916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1384
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
          2⤵
            PID:3032
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:3568
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
              2⤵
                PID:4108
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
                2⤵
                  PID:1812
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                  2⤵
                    PID:2372
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
                    2⤵
                      PID:3248
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                      2⤵
                        PID:392
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10006006055530651771,10844206661915324958,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
                        2⤵
                          PID:2644
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:5068
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4704
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2356
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5104
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3252
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3108
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:32
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2744
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4196
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4188
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2940
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1060
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2656
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2020
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1580
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1172
                          • C:\Users\Admin\AppData\Roaming\security
                            C:\Users\Admin\AppData\Roaming\security
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3620

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                  Filesize

                                  2KB

                                  MD5

                                  d85ba6ff808d9e5444a4b369f5bc2730

                                  SHA1

                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                  SHA256

                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                  SHA512

                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\security.log
                                  Filesize

                                  654B

                                  MD5

                                  2ff39f6c7249774be85fd60a8f9a245e

                                  SHA1

                                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                                  SHA256

                                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                  SHA512

                                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  7de1bbdc1f9cf1a58ae1de4951ce8cb9

                                  SHA1

                                  010da169e15457c25bd80ef02d76a940c1210301

                                  SHA256

                                  6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

                                  SHA512

                                  e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                  Filesize

                                  152B

                                  MD5

                                  85ba073d7015b6ce7da19235a275f6da

                                  SHA1

                                  a23c8c2125e45a0788bac14423ae1f3eab92cf00

                                  SHA256

                                  5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

                                  SHA512

                                  eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  5KB

                                  MD5

                                  8fe8a99c1710332de8170051dca7be0f

                                  SHA1

                                  7148838419513312ed6f202ac607e5b70517d31d

                                  SHA256

                                  9b7e0a1f6d618340890798fe6e379fb44e7a590ffd338a5bd7cfbdbcb85d62d9

                                  SHA512

                                  6726712ec262353edc050d98b8ee54d96bc79264f5d7159a471d8af2b1625163cafc7580dc42d294e85e07cef94023900445320f9fc3ae331dfa66719d5a3da6

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                  Filesize

                                  6KB

                                  MD5

                                  2a1288eec50b6a8e2da6deca157d6f48

                                  SHA1

                                  0a751f0ee35c43eca33fd80e183c384fc6a6c6a9

                                  SHA256

                                  0d35a905c1445966a5d179ae41df0eb6cd304f0fca7d628888a7914b418b6872

                                  SHA512

                                  2a3977ae24c36b29f44b6db882a68a2829e4800683eea1bdb869d9ab3d30fe8c405ae213cf263242b23ca61876d07b06b7b9ca4019719f73341cc45fd920cfa3

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                  Filesize

                                  10KB

                                  MD5

                                  5662f1478091805f3c8d76b478a0587a

                                  SHA1

                                  89a5ae9ff66f379e0ecd3851a13e3fad41e26db0

                                  SHA256

                                  0d14f4c5a4640ebe98a3d9b7c54dd25deb4b427c0c3a9c5627b6c716fb55d40e

                                  SHA512

                                  a6891ffb337128969c3d9fa23e2955e89185d452446890a027fc37e032943f7d40e7863d673082061331de2e75f1272414b3134e8888c8f7d93ef4f6ec1dc652

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                  Filesize

                                  264KB

                                  MD5

                                  f50f89a0a91564d0b8a211f8921aa7de

                                  SHA1

                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                  SHA256

                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                  SHA512

                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  77d622bb1a5b250869a3238b9bc1402b

                                  SHA1

                                  d47f4003c2554b9dfc4c16f22460b331886b191b

                                  SHA256

                                  f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                  SHA512

                                  d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  da5c82b0e070047f7377042d08093ff4

                                  SHA1

                                  89d05987cd60828cca516c5c40c18935c35e8bd3

                                  SHA256

                                  77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

                                  SHA512

                                  7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                  Filesize

                                  944B

                                  MD5

                                  eb1ad317bd25b55b2bbdce8a28a74a94

                                  SHA1

                                  98a3978be4d10d62e7411946474579ee5bdc5ea6

                                  SHA256

                                  9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                                  SHA512

                                  d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

                                  Download Submit

                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1gvejyx.phv.ps1
                                  Filesize

                                  60B

                                  MD5

                                  d17fe0a3f47be24a6453e9ef58c94641

                                  SHA1

                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                  SHA256

                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                  SHA512

                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                  Download Submit

                                • C:\Users\Admin\AppData\Roaming\security
                                  Filesize

                                  64KB

                                  MD5

                                  6f8774e5839ed8ed21449f097122f0d9

                                  SHA1

                                  666790bd8f79903fcb4788ed3ef6552bf2d7c340

                                  SHA256

                                  978edd60b16702006e25e55cbcc1e69c112e451dd19c649825980fb98019cec9

                                  SHA512

                                  9d371e4b2ce6c356a57a19fd1b070e67ccbc37fc206d1d8e6c3f2b444065d64664420d64f788c459fd4632a1f1b4bc850d10e5a0dd9b9b4667bdb8f4c3d09b53

                                  Download Submit

                                • memory/4672-55-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4672-80-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4672-0-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/4672-1-0x0000000000780000-0x0000000000796000-memory.dmp

                                  Filesize

                                  88KB

                                  Download

                                • memory/4804-17-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4804-14-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4804-13-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4804-12-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/4804-2-0x000001F525FC0000-0x000001F525FE2000-memory.dmp

                                  Filesize

                                  136KB

                                  Download