xworm | 6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed

Analysis

max time kernel
984s
max time network
990s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm.V6.0.zip
Size

28.7MB
MD5

ce625cf1e3e25d470c2e7a298409dab2
SHA1

94f465e9baa3099c2a7b8e5d30e8fc481b0b41a3
SHA256

6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed
SHA512

0ac55745455542d68be326f5e5d48131da093ba47c24cfd06c2be0f3f0651219bf692b3fed5ac62cd16a191c0f7852b73ef8bc709f344eb3b36948b44bc3a480
SSDEEP

786432:OHqaRtCZZfm0+lGmlNinnXEDggGiO72vAgbHGaG:OHqytCO0+lF0hgGZNgbHGp

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023ba6-18.dat	family_xworm
behavioral2/files/0x0008000000023bac-45.dat	family_xworm
behavioral2/memory/4824-47-0x0000000000650000-0x0000000000678000-memory.dmp	family_xworm
behavioral2/files/0x0018000000023baa-44.dat	family_xworm
behavioral2/memory/2760-49-0x0000000000590000-0x00000000005BE000-memory.dmp	family_xworm
behavioral2/memory/4036-48-0x0000000000A70000-0x0000000000A9C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1712	powershell.exe
1692	powershell.exe
4000	powershell.exe
3944	powershell.exe
4360	powershell.exe
2356	powershell.exe
2492	powershell.exe
4264	powershell.exe
4588	powershell.exe
4132	powershell.exe
2728	powershell.exe
4152	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Xworm V6.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Xworm V6.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Xworm V6.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Xworm V6.0.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 64 IoCs

pid	Process
4960	Xworm V6.0.exe
4824	OneDrive.exe
2760	msedge.exe
4036	Chrome Update.exe
1452	Xworm V5.6.exe
3004	Xworm V6.0.exe
2600	Chrome Update.exe
2108	OneDrive.exe
1016	OneDrive.exe
3844	msedge.exe
4140	Chrome Update.exe
5060	msedge.exe
4948	Xworm V5.6.exe
2736	Chrome Update.exe
724	OneDrive.exe
2656	msedge.exe
1844	Xworm V6.0.exe
4052	OneDrive.exe
4964	msedge.exe
3088	Chrome Update.exe
856	Xworm V5.6.exe
2156	Xworm V6.0.exe
376	OneDrive.exe
3808	msedge.exe
2408	Chrome Update.exe
4520	Xworm V5.6.exe
4280	OneDrive.exe
2908	Chrome Update.exe
5116	msedge.exe
2380	Chrome Update.exe
3496	OneDrive.exe
448	msedge.exe
2260	Chrome Update.exe
4944	OneDrive.exe
4572	msedge.exe
2356	Chrome Update.exe
2276	OneDrive.exe
1220	msedge.exe
1612	Chrome Update.exe
1488	OneDrive.exe
2672	msedge.exe
2020	Chrome Update.exe
1108	OneDrive.exe
4076	msedge.exe
2884	OneDrive.exe
3224	Chrome Update.exe
1036	msedge.exe
4636	Chrome Update.exe
1356	OneDrive.exe
4608	msedge.exe
3120	OneDrive.exe
760	Chrome Update.exe
876	msedge.exe
3540	OneDrive.exe
2924	Chrome Update.exe
1832	msedge.exe
1164	OneDrive.exe
4020	Chrome Update.exe
2260	msedge.exe
1432	OneDrive.exe
3152	Chrome Update.exe
4684	msedge.exe
4396	Chrome Update.exe
4664	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com
28	pastebin.com
29	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2136	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3132	schtasks.exe
1516	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
212	7zFM.exe
212	7zFM.exe
2492	powershell.exe
2492	powershell.exe
2356	powershell.exe
2356	powershell.exe
2492	powershell.exe
2356	powershell.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
4132	powershell.exe
4132	powershell.exe
1692	powershell.exe
1692	powershell.exe
1692	powershell.exe
4132	powershell.exe
2728	powershell.exe
2728	powershell.exe
4152	powershell.exe
4152	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
2728	powershell.exe
4152	powershell.exe
3944	powershell.exe
3944	powershell.exe
4360	powershell.exe
4360	powershell.exe
3944	powershell.exe
4360	powershell.exe
4588	powershell.exe
4588	powershell.exe
4588	powershell.exe
2760	msedge.exe
4824	OneDrive.exe
4036	Chrome Update.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
4036	Chrome Update.exe
4036	Chrome Update.exe
4036	Chrome Update.exe
4036	Chrome Update.exe
4036	Chrome Update.exe
4036	Chrome Update.exe
4824	OneDrive.exe
4824	OneDrive.exe
4824	OneDrive.exe
4824	OneDrive.exe
4824	OneDrive.exe
4824	OneDrive.exe
2760	msedge.exe
2760	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
212	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	212	7zFM.exe
Token: 35	212	7zFM.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeDebugPrivilege	4824	OneDrive.exe
Token: SeDebugPrivilege	4036	Chrome Update.exe
Token: SeDebugPrivilege	2760	msedge.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	2760	msedge.exe
Token: SeDebugPrivilege	4824	OneDrive.exe
Token: SeDebugPrivilege	4036	Chrome Update.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeDebugPrivilege	1016	OneDrive.exe
Token: SeDebugPrivilege	4140	Chrome Update.exe
Token: SeDebugPrivilege	3844	msedge.exe
Token: SeDebugPrivilege	2108	OneDrive.exe
Token: SeDebugPrivilege	5060	msedge.exe
Token: SeDebugPrivilege	2600	Chrome Update.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeDebugPrivilege	724	OneDrive.exe
Token: SeDebugPrivilege	2736	Chrome Update.exe
Token: SeDebugPrivilege	2656	msedge.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeDebugPrivilege	4052	OneDrive.exe
Token: SeDebugPrivilege	4964	msedge.exe
Token: SeDebugPrivilege	3088	Chrome Update.exe
Token: SeSecurityPrivilege	212	7zFM.exe
Token: SeDebugPrivilege	376	OneDrive.exe
Token: SeDebugPrivilege	3808	msedge.exe
Token: SeDebugPrivilege	2408	Chrome Update.exe
Token: SeDebugPrivilege	2908	Chrome Update.exe
Token: SeDebugPrivilege	4280	OneDrive.exe
Token: SeDebugPrivilege	5116	msedge.exe
Token: SeDebugPrivilege	2380	Chrome Update.exe
Token: SeDebugPrivilege	3496	OneDrive.exe
Token: SeDebugPrivilege	448	msedge.exe
Token: SeDebugPrivilege	2260	Chrome Update.exe
Token: SeDebugPrivilege	4944	OneDrive.exe
Token: SeDebugPrivilege	4572	msedge.exe
Token: SeDebugPrivilege	2276	OneDrive.exe
Token: SeDebugPrivilege	2356	Chrome Update.exe
Token: SeDebugPrivilege	1220	msedge.exe
Token: SeDebugPrivilege	1612	Chrome Update.exe
Token: SeDebugPrivilege	1488	OneDrive.exe
Token: SeDebugPrivilege	2672	msedge.exe
Token: SeDebugPrivilege	2020	Chrome Update.exe
Token: SeDebugPrivilege	1108	OneDrive.exe
Token: SeDebugPrivilege	4076	msedge.exe
Token: SeDebugPrivilege	2884	OneDrive.exe
Token: SeDebugPrivilege	3224	Chrome Update.exe
Token: SeDebugPrivilege	1036	msedge.exe
Token: SeDebugPrivilege	4636	Chrome Update.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe
212	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2760	msedge.exe
4824	OneDrive.exe
4036	Chrome Update.exe
748	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4960	212	7zFM.exe	97
PID 212 wrote to memory of 4960	212	7zFM.exe	97
PID 4960 wrote to memory of 4824	4960	Xworm V6.0.exe	100
PID 4960 wrote to memory of 4824	4960	Xworm V6.0.exe	100
PID 4960 wrote to memory of 2760	4960	Xworm V6.0.exe	101
PID 4960 wrote to memory of 2760	4960	Xworm V6.0.exe	101
PID 4960 wrote to memory of 4036	4960	Xworm V6.0.exe	102
PID 4960 wrote to memory of 4036	4960	Xworm V6.0.exe	102
PID 4960 wrote to memory of 1452	4960	Xworm V6.0.exe	103
PID 4960 wrote to memory of 1452	4960	Xworm V6.0.exe	103
PID 4036 wrote to memory of 2356	4036	Chrome Update.exe	104
PID 4036 wrote to memory of 2356	4036	Chrome Update.exe	104
PID 4824 wrote to memory of 2492	4824	OneDrive.exe	105
PID 4824 wrote to memory of 2492	4824	OneDrive.exe	105
PID 2760 wrote to memory of 4264	2760	msedge.exe	107
PID 2760 wrote to memory of 4264	2760	msedge.exe	107
PID 4824 wrote to memory of 1712	4824	OneDrive.exe	111
PID 4824 wrote to memory of 1712	4824	OneDrive.exe	111
PID 4036 wrote to memory of 4132	4036	Chrome Update.exe	113
PID 4036 wrote to memory of 4132	4036	Chrome Update.exe	113
PID 2760 wrote to memory of 1692	2760	msedge.exe	115
PID 2760 wrote to memory of 1692	2760	msedge.exe	115
PID 2760 wrote to memory of 2728	2760	msedge.exe	117
PID 2760 wrote to memory of 2728	2760	msedge.exe	117
PID 4824 wrote to memory of 4152	4824	OneDrive.exe	119
PID 4824 wrote to memory of 4152	4824	OneDrive.exe	119
PID 4036 wrote to memory of 4000	4036	Chrome Update.exe	120
PID 4036 wrote to memory of 4000	4036	Chrome Update.exe	120
PID 4036 wrote to memory of 3944	4036	Chrome Update.exe	123
PID 4036 wrote to memory of 3944	4036	Chrome Update.exe	123
PID 2760 wrote to memory of 4360	2760	msedge.exe	124
PID 2760 wrote to memory of 4360	2760	msedge.exe	124
PID 4824 wrote to memory of 4588	4824	OneDrive.exe	127
PID 4824 wrote to memory of 4588	4824	OneDrive.exe	127
PID 4036 wrote to memory of 3132	4036	Chrome Update.exe	131
PID 4036 wrote to memory of 3132	4036	Chrome Update.exe	131
PID 4824 wrote to memory of 1516	4824	OneDrive.exe	130
PID 4824 wrote to memory of 1516	4824	OneDrive.exe	130
PID 2760 wrote to memory of 1396	2760	msedge.exe	134
PID 2760 wrote to memory of 1396	2760	msedge.exe	134
PID 212 wrote to memory of 3004	212	7zFM.exe	142
PID 212 wrote to memory of 3004	212	7zFM.exe	142
PID 3004 wrote to memory of 1016	3004	Xworm V6.0.exe	145
PID 3004 wrote to memory of 1016	3004	Xworm V6.0.exe	145
PID 3004 wrote to memory of 3844	3004	Xworm V6.0.exe	146
PID 3004 wrote to memory of 3844	3004	Xworm V6.0.exe	146
PID 3004 wrote to memory of 4140	3004	Xworm V6.0.exe	147
PID 3004 wrote to memory of 4140	3004	Xworm V6.0.exe	147
PID 3004 wrote to memory of 4948	3004	Xworm V6.0.exe	149
PID 3004 wrote to memory of 4948	3004	Xworm V6.0.exe	149
PID 212 wrote to memory of 2136	212	7zFM.exe	158
PID 212 wrote to memory of 2136	212	7zFM.exe	158
PID 212 wrote to memory of 1844	212	7zFM.exe	159
PID 212 wrote to memory of 1844	212	7zFM.exe	159
PID 1844 wrote to memory of 4052	1844	Xworm V6.0.exe	160
PID 1844 wrote to memory of 4052	1844	Xworm V6.0.exe	160
PID 1844 wrote to memory of 4964	1844	Xworm V6.0.exe	161
PID 1844 wrote to memory of 4964	1844	Xworm V6.0.exe	161
PID 1844 wrote to memory of 3088	1844	Xworm V6.0.exe	162
PID 1844 wrote to memory of 3088	1844	Xworm V6.0.exe	162
PID 1844 wrote to memory of 856	1844	Xworm V6.0.exe	163
PID 1844 wrote to memory of 856	1844	Xworm V6.0.exe	163
PID 2156 wrote to memory of 376	2156	Xworm V6.0.exe	170
PID 2156 wrote to memory of 376	2156	Xworm V6.0.exe	170

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm.V6.0.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1516
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4360
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3944
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3132
- - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\7zO4D02E038\Xworm V6.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D02E038\Xworm V6.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4140
- - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:4948
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4D0B1329\ErrorLogs.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\7zO4D0CDC69\Xworm V6.0.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4D0CDC69\Xworm V6.0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
    3⤵
    - Executes dropped EXE
    PID:856

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:748

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Users\Admin\Desktop\Xworm V6.0.exe
"C:\Users\Admin\Desktop\Xworm V6.0.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4520

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:4608

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:3120

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:876

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:1832

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:2260

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:1432

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:3152

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:4684

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
PID:4396

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
PID:4052

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
PID:2072

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
PID:3744

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V6.0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0342b267f79ac6d33bf583a0b3b04dd1

SHA1
78ef2010a90ff2fa10d68628b39647d9773983ab

SHA256
dc0ea9007b6ac003b0f10a0f34361ee5defb05495c29a35d2951c4e4a604f1c5

SHA512
c484d055c44f353d1eeb1b626751d8863b0ed5af13376f46b62726568e8c7e4589986a7badf1a3de40f69c40ae6a4fa8fd4b2e47180a7cad17daa3943faf00d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
336e5ecd286a50d241ded3783713c713

SHA1
15b57d7e4d6e2235894875620c99715b506d6f13

SHA256
85203e7ac1b91c21c5e7ead187c3ed702b2524cd7ffde1451066e624a8ab0ce1

SHA512
b59e9b6c247aaf0124354d79c3366a0ded6e95b9afd8ce3b4d3e29e876b5b0722f6193c8fed9e473cfd7312e1232874af7a83bd3627001a0bf689923fc4b1440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a53fcd7ca5f768ef5b87edc8ff9274aa

SHA1
cf5838b36607558f3f25ca29921c523ad9cda3f9

SHA256
2366de0b561dd9d45362c9fca44eb0aae96766fb55848b63f29f599d6cef7d99

SHA512
c642f4c3d12e8abf4c29141a068c9c93a7e8cca4442ffbaca037362b517abf55d9fc69b1653c63c8a07d3f17f159839f60912d7d0fef760a0a2770fb0d093fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D0B1329\ErrorLogs.txt

Filesize
224B

MD5
f77f4fb386c891a5640cf26473cebea4

SHA1
db2fc673ed4b895561caf8670d1e40204a3d6fa6

SHA256
633eef2d5302c0c224cd71aeb7d29901564f30e5a9b3d31cc0a55c1c6eeb3d5c

SHA512
47fe461ccb295c95d951c0499d943febdc7b9b41923bd03b9b0876e52abc220cde47dd4a3ff13e98f991636fc21b6ef5297b679dde8dcd38b51cd0648eea38f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe

Filesize
15.5MB

MD5
fae9f588f8bf2ea148c92de1083eb8a2

SHA1
8103ee4ad2ba5c5ab6fafa80fbc536646fdabaa9

SHA256
54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394

SHA512
f05ddbcc784d3903e3d151155060a6fccbda672c183c2b71d7601e7c16579ff225a00156d3203ee3990b6a19cce7022644352f3db8b5b862928d6b3b0034ec0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
29B

MD5
fff3a196c8c8c909b28ee06cf72fd9c6

SHA1
3311fe0cd4fd217dab2fa893ca605442f76cfc68

SHA256
86ada28e147781a7f491082ef0c468efdeddb82639e5854546ed9bdef49e03ea

SHA512
ae18952e894a0f9e129b39beec17c9f57b2fe3791c8199f06ae29cbcda5d28cf7eaabb7386f9675b6a454cb8ee448b5d5b231901470e4b480d7d85cb69e99639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
87B

MD5
4fe00b888c18166f4130753bf61c41a7

SHA1
b108aade4b1d1240c6f1638ee39f5b969fc7a6e2

SHA256
d597246461ea45fbf9dd9587d2baa48c812a256d55faacc1f69085e0b24d82cd

SHA512
0568ef130ffa2ca2e05a7c3912dc0cc4841195a986a75dc16e9ff3d6a08dcd15986b21ff6578b1f71a333bfe5d6088a795ffd47580d294c64869b4a3a4054f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
113B

MD5
7415007e2776bc2baf6fda17f008ea3b

SHA1
2ba20b4df2130fc2133c790eb52c4f15168d7180

SHA256
ca8a0b34518c1091526d65c0962f94f72bfb755e060cb84c36c349f297fdf5a2

SHA512
67f802d89690bbbb18974b5dc04ec806cc23a9118fd5b91d446972efa356f1eab1cb4bd101c30798bf0facbef1db8efee6d484b7a19931ba4dd08b4ab2454b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
139B

MD5
2944f38672af71357715356845e1e869

SHA1
c6e37c6ad97e86f520dd1e20a35566dba81e8610

SHA256
95f1cebac94467740a188fda6bc2a25f4ed4ebe3cb76766cccb5538458d4bdc8

SHA512
810ae92e177e791066908935ebaf6f2ad5bdfa93412de35a753fdba088f3d8b9a9fc8861ac0408d1f494283483f14c5cc284b81fdf3d699164fbb1bb9e605c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
165B

MD5
fcb5e613298b02799d2c3d5f9c59a094

SHA1
8b89857e41b9dd77c8b99be8931b1911fd866ebb

SHA256
36cca3a66b8402e78d5fe4e9aae9923de10f55fe6da6e92b1983e53e0bd529b2

SHA512
4fac0daf574e96c07853bd0973e0f04a58bf80da9a4f85155508fb28957ce394ec6b6cbd60db33e63db7d0ac0df90fc493102c5b783e1b6abd51288f874a33d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
240B

MD5
49cd36b9a8cb91d957822b50a475184c

SHA1
a18d7fca65440441eb4eea839cb13bf486a3cece

SHA256
7b784f178ed65d8e88faaff0603745bc535534bbc27c547cc36e5ef3831f0ade

SHA512
338311e91074ebcf400b069a10e5ddbd0827cb76f93c272dcfa10956d1203aa8dbed5242a256ad1bd42c49e8ffe71f9ecfb0bdec46d2fe697c37c8613d240d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
315B

MD5
005b80b48b9cf19e6003a8e643a5d998

SHA1
9627a2569a50205816f8e14f30037e29d5ca7d94

SHA256
0b181d445fab43b717b17ed38c6e8fde081d6fe539bd090271d1eab1a2c65496

SHA512
9294b1fc016e4a501efc5756adf5033dfc48e1aa3b774843b1da1b0e75953ac934138e1199f80293de59466605477c86bb275d053447d7579fe50f859934412a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka0c3vry.kqc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/1452-62-0x000001C76ED80000-0x000001C76FC68000-memory.dmp

Filesize
14.9MB

Download
memory/2492-63-0x000001B5EE730000-0x000001B5EE752000-memory.dmp

Filesize
136KB

Download
memory/2760-49-0x0000000000590000-0x00000000005BE000-memory.dmp

Filesize
184KB

Download
memory/4036-48-0x0000000000A70000-0x0000000000A9C000-memory.dmp

Filesize
176KB

Download
memory/4824-47-0x0000000000650000-0x0000000000678000-memory.dmp

Filesize
160KB

Download
memory/4960-12-0x00007FF94AB93000-0x00007FF94AB95000-memory.dmp

Filesize
8KB

Download
memory/4960-13-0x0000000000220000-0x00000000011A0000-memory.dmp

Filesize
15.5MB

Download