Overview

overview

10

Static

static

10

BootstrapperFixer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 21:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BootstrapperFixer.exe

  • Size

    74KB

  • MD5

    aa65192e44a3bda4ea039571429abac5

  • SHA1

    e1c8f9861e01d1b042d7267c5d7a6b7562f05c7f

  • SHA256

    03015c4f39849613a41ed43ed036ad274f80d005509177fcc902c80a36bb3fea

  • SHA512

    0e48d517c8730548497aba3fc99a1baa38f640e9f46f8061ac3f8dd9cb47eb5bfb0bb5daa24ef690225112b748b926ed3449623764f400b3aa2705f3987ffa3c

  • SSDEEP

    1536:/AySegvs9JRF1AFF9lr9bWsn7D9U64CURikOh1ATt:/Ukj1AZ/bWODsCURikOLmt

Score
10/10
xwormdiscoveryexecutionpersistenceransomwarerattrojan

Malware Config

Extracted

Family

xworm

C2

uk-theory.gl.at.ply.gg:28001

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperFixer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperFixer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\BootstrapperFixer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "BootstrapperFixer" /tr "C:\ProgramData\BootstrapperFixer.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4176
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffe469e46f8,0x7ffe469e4708,0x7ffe469e4718
        3⤵
          PID:2800
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
          3⤵
            PID:4892
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1292
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
            3⤵
              PID:4116
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
              3⤵
                PID:4396
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
                3⤵
                  PID:2504
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 /prefetch:8
                  3⤵
                    PID:1484
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4408
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
                    3⤵
                      PID:60
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                      3⤵
                        PID:2008
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
                        3⤵
                          PID:3936
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,9247163297425103547,17381357578598198904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
                          3⤵
                            PID:3404
                        • C:\Windows\System32\schtasks.exe
                          "C:\Windows\System32\schtasks.exe" /delete /f /tn "BootstrapperFixer"
                          2⤵
                            PID:5056
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD663.tmp.bat""
                            2⤵
                              PID:1696
                              • C:\Windows\system32\timeout.exe
                                timeout 3
                                3⤵
                                • Delays execution with timeout.exe
                                PID:3152
                          • C:\Windows\system32\taskmgr.exe
                            "C:\Windows\system32\taskmgr.exe" /4
                            1⤵
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:3020
                          • C:\ProgramData\BootstrapperFixer.exe
                            C:\ProgramData\BootstrapperFixer.exe
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3500
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4444
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4180
                              • C:\ProgramData\BootstrapperFixer.exe
                                C:\ProgramData\BootstrapperFixer.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2212

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\ProgramData\BootstrapperFixer.exe
                                Filesize

                                74KB

                                MD5

                                aa65192e44a3bda4ea039571429abac5

                                SHA1

                                e1c8f9861e01d1b042d7267c5d7a6b7562f05c7f

                                SHA256

                                03015c4f39849613a41ed43ed036ad274f80d005509177fcc902c80a36bb3fea

                                SHA512

                                0e48d517c8730548497aba3fc99a1baa38f640e9f46f8061ac3f8dd9cb47eb5bfb0bb5daa24ef690225112b748b926ed3449623764f400b3aa2705f3987ffa3c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BootstrapperFixer.exe.log
                                Filesize

                                654B

                                MD5

                                2ff39f6c7249774be85fd60a8f9a245e

                                SHA1

                                684ff36b31aedc1e587c8496c02722c6698c1c4e

                                SHA256

                                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                SHA512

                                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                Filesize

                                2KB

                                MD5

                                d85ba6ff808d9e5444a4b369f5bc2730

                                SHA1

                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                SHA256

                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                SHA512

                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                36988ca14952e1848e81a959880ea217

                                SHA1

                                a0482ef725657760502c2d1a5abe0bb37aebaadb

                                SHA256

                                d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

                                SHA512

                                d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                fab8d8d865e33fe195732aa7dcb91c30

                                SHA1

                                2637e832f38acc70af3e511f5eba80fbd7461f2c

                                SHA256

                                1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

                                SHA512

                                39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                88235e3638a3217e42f70a3d1e06ea90

                                SHA1

                                aa3d413ecc1a70a84b5bb462207101e484bcf520

                                SHA256

                                10192ce5b95d36bfec20892fd52fc1be8bd74cd7d5e7d684195d2b7aad5938c2

                                SHA512

                                7daab8611f4006bdbb3e1d8a5aac8453d0a95d969f8d20c3cd1be961d1292b57f2451b4860545f732035c3e39b0e0088fa1c321893dd820a1814977ba0a57eb7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                5KB

                                MD5

                                5644de8ab20aea00acfbaa3696de7b08

                                SHA1

                                0799059f3fc4f4f4445d57972baa427c1065dbdd

                                SHA256

                                cd9c72c854c4a484936b4814a488563278864ede6a48bddbf9517614a219677c

                                SHA512

                                7976f6e980a52d14b72ee5490b7511fda5d59e20d41f1c3263c836a3a1d7a2cdb8ba07b800683e2901704f50e4c428eb15acc74550c11214ac1aafbfbfc63bb6

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                f42fd83fc8eb10a255489cf7d0f25d3f

                                SHA1

                                95496ce15449125a6f7281665e4539a356117ec6

                                SHA256

                                71e63ac29f41ccfa6232bbbba0ff798aebeea7d9587a43c0fb98d0403e9c6789

                                SHA512

                                d18a7341ba6bda94b8b019a63884e8ef1bd035ff2997e085bcfa6a51137ca9f860fbda96f91fcb9761d436d4db05cc949a5d8b7da4a172e05d3a3f29ea3ca341

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                10KB

                                MD5

                                1992409f17d51bc45cca7e0452fd5d0f

                                SHA1

                                25db89b16dab3f2ef3c91abcfadd067d2c617f43

                                SHA256

                                f18b90505f66d34131d0e97f1cb65d3082810821c06a8de138306a004e086842

                                SHA512

                                c5f7d2ace2f9597c8685b03de7d07a27ed513b016cc585ad8d17cf49f2f40ee5ed3b40382e67287f585caf08a5879d9402bd7dd65780e29a9e90e6ca8840c219

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                Filesize

                                10KB

                                MD5

                                50f25fcb98957351a60fe0f500586c9c

                                SHA1

                                7d793c4682a10eb35310b1b9f912265eb9dd9373

                                SHA256

                                3327ddbae974741e9bf383248b8ffee6175b0343bd108a7d4dda503d05b77a9e

                                SHA512

                                4b6adb6c5d8f3b8d0ef98f430cddee2e754be26b6ace124549faa7af933e6af81fceb5b5055d1bb4319da7e62ea53dc99f1484648cd9214c147433a9f1c64988

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                Filesize

                                264KB

                                MD5

                                f50f89a0a91564d0b8a211f8921aa7de

                                SHA1

                                112403a17dd69d5b9018b8cede023cb3b54eab7d

                                SHA256

                                b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                SHA512

                                bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                2979eabc783eaca50de7be23dd4eafcf

                                SHA1

                                d709ce5f3a06b7958a67e20870bfd95b83cad2ea

                                SHA256

                                006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

                                SHA512

                                92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Filesize

                                944B

                                MD5

                                ba169f4dcbbf147fe78ef0061a95e83b

                                SHA1

                                92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                SHA256

                                5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                SHA512

                                8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oclmv41l.ere.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmp8C2A.tmp
                                Filesize

                                100KB

                                MD5

                                1b942faa8e8b1008a8c3c1004ba57349

                                SHA1

                                cd99977f6c1819b12b33240b784ca816dfe2cb91

                                SHA256

                                555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

                                SHA512

                                5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\tmpD663.tmp.bat
                                Filesize

                                169B

                                MD5

                                9535b2ae60f1c487e8b5b97421c5bf6d

                                SHA1

                                6d931ea0d88497255619c8032f6695b10ae95e0d

                                SHA256

                                efa66e15c96dcf8e31fb6b8e52a0cf25123038a273f25118720175d487a11008

                                SHA512

                                3cc773a91366603325daaff9fef5fcadda40f9938f1e9239f98c9c4eacd6f835a20738043072c2c2a4f741ca69919e8c90bb03d518746991cc80f9bb9ec0d057

                                Download Submit

                              • C:\Users\Admin\Desktop\How To Decrypt My Files.html
                                Filesize

                                723B

                                MD5

                                553cf6c7e10d1c701098d7e1d0a01839

                                SHA1

                                3cbdf41c6d02de51754a2696a382485be5175771

                                SHA256

                                bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae

                                SHA512

                                591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c

                                Download Submit

                              • C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
                                Filesize

                                16B

                                MD5

                                d20202cd990c16618f027a3f19b33dc5

                                SHA1

                                12f5340f695fad857585d2340ea92418f4bcaae8

                                SHA256

                                86bd080fe157b60308115481624e5dd717ff7f183cecdbfda562dc482fa119f3

                                SHA512

                                5f308fd98be94f72d64d3c97b67ca07caed54f8390cb346f82c7f6264c9a1a3d9ec52c5a3b03b3581685888b1b6364de105cbac70c0ed9d60d0f3b475023bba7

                                Download Submit

                              • memory/416-57-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/416-355-0x000000001BEC0000-0x000000001BECC000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/416-0-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

                                Filesize

                                8KB

                                Download

                              • memory/416-360-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/416-64-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/416-68-0x0000000001560000-0x000000000156C000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/416-1-0x0000000000D80000-0x0000000000D98000-memory.dmp

                                Filesize

                                96KB

                                Download

                              • memory/416-350-0x000000001BE30000-0x000000001BE6A000-memory.dmp

                                Filesize

                                232KB

                                Download

                              • memory/416-2-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2540-18-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2540-3-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2540-14-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/2540-13-0x000001579E990000-0x000001579E9B2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/2540-15-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

                                Filesize

                                10.8MB

                                Download

                              • memory/3020-40-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-31-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-33-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-32-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-37-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-43-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-42-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-41-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-38-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3020-39-0x000001DFED880000-0x000001DFED881000-memory.dmp

                                Filesize

                                4KB

                                Download