stealerium | 0bc0e4ad660c382f3291d9cff6e43e4e4f2a6875678b8557bf237f2ef5360eb8

Resubmissions

27-01-2025 18:13

250127-wt52ys1ldl 10

26-01-2025 18:42

250126-xcbbpazjax 10

Analysis

max time kernel
44s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlainX Crypter.exe
Size

13.1MB
MD5

e02070f24247621be04948fefe100a81
SHA1

e41afedf121e07b6598355562fdf5725a5dc4064
SHA256

d087091be3376d85fc1d39523f82ebe1d01b7ac4e4d10f1855f374498fddcc71
SHA512

ca39dbf2f1b9a6d3071e2d18e51ed9d5f222ed4155721faebcf72c2aad929607a027eaf5d1f0942d4c6827260ff3be6d2516e5d4f26a7fd0e53eb5e39a261dfc
SSDEEP

196608:M9dla9WjVQJz4JuRuVXt7teDDT5A0GJLz8o2Z/NA1cV1zoXfKNPqxTP6fHrCoz/B:M9dfdXtWDT5no2Z1Wcb0IPuC/r/ya+8

Score

10^/10

stealerium xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Extracted

Family

stealerium

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bff-6.dat	family_xworm
behavioral2/files/0x0007000000023ca8-17.dat	family_xworm
behavioral2/files/0x0007000000023ca9-27.dat	family_xworm
behavioral2/memory/3980-36-0x0000000000410000-0x0000000000438000-memory.dmp	family_xworm
behavioral2/memory/1500-42-0x00000000000F0000-0x000000000011E000-memory.dmp	family_xworm
behavioral2/memory/516-33-0x00000000002A0000-0x00000000002CC000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4304	powershell.exe
1288	powershell.exe
2164	powershell.exe
3308	powershell.exe
2292	powershell.exe
400	powershell.exe
4468	powershell.exe
632	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	update.dotnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PlainX Crypter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 8 IoCs

pid	Process
516	Chrome Update.exe
3980	OneDrive.exe
1500	msedge.exe
4388	OwnZ Crypter Cracked.exe
2664	update.dotnet.exe
3584	msedge.exe
1224	OneDrive.exe
4516	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
35	pastebin.com
58	pastebin.com
20	pastebin.com
27	pastebin.com
15	pastebin.com
21	pastebin.com
23	pastebin.com
29	pastebin.com
32	pastebin.com
37	pastebin.com
11	raw.githubusercontent.com
13	pastebin.com
81	pastebin.com
45	pastebin.com
55	pastebin.com
34	pastebin.com
30	pastebin.com
33	pastebin.com
24	pastebin.com
31	pastebin.com
79	pastebin.com
9	raw.githubusercontent.com
22	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OwnZ Crypter Cracked.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4076	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1900	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3892	schtasks.exe
4548	schtasks.exe
2008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4304	powershell.exe
4304	powershell.exe
4388	OwnZ Crypter Cracked.exe
632	powershell.exe
632	powershell.exe
1288	powershell.exe
1288	powershell.exe
2164	powershell.exe
2164	powershell.exe
3308	powershell.exe
3308	powershell.exe
2292	powershell.exe
2292	powershell.exe
400	powershell.exe
400	powershell.exe
4468	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	Chrome Update.exe
Token: SeDebugPrivilege	3980	OneDrive.exe
Token: SeDebugPrivilege	1500	msedge.exe
Token: SeDebugPrivilege	2664	update.dotnet.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4388	OwnZ Crypter Cracked.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3584	msedge.exe
Token: SeDebugPrivilege	1224	OneDrive.exe
Token: SeDebugPrivilege	4516	XClient.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 516	3620	PlainX Crypter.exe	82
PID 3620 wrote to memory of 516	3620	PlainX Crypter.exe	82
PID 3620 wrote to memory of 3980	3620	PlainX Crypter.exe	83
PID 3620 wrote to memory of 3980	3620	PlainX Crypter.exe	83
PID 3620 wrote to memory of 1500	3620	PlainX Crypter.exe	84
PID 3620 wrote to memory of 1500	3620	PlainX Crypter.exe	84
PID 3620 wrote to memory of 4388	3620	PlainX Crypter.exe	85
PID 3620 wrote to memory of 4388	3620	PlainX Crypter.exe	85
PID 3620 wrote to memory of 4388	3620	PlainX Crypter.exe	85
PID 3620 wrote to memory of 2664	3620	PlainX Crypter.exe	86
PID 3620 wrote to memory of 2664	3620	PlainX Crypter.exe	86
PID 3980 wrote to memory of 632	3980	OneDrive.exe	88
PID 3980 wrote to memory of 632	3980	OneDrive.exe	88
PID 1500 wrote to memory of 4304	1500	msedge.exe	89
PID 1500 wrote to memory of 4304	1500	msedge.exe	89
PID 1500 wrote to memory of 1288	1500	msedge.exe	93
PID 1500 wrote to memory of 1288	1500	msedge.exe	93
PID 516 wrote to memory of 3892	516	Chrome Update.exe	92
PID 516 wrote to memory of 3892	516	Chrome Update.exe	92
PID 3980 wrote to memory of 2164	3980	OneDrive.exe	96
PID 3980 wrote to memory of 2164	3980	OneDrive.exe	96
PID 1500 wrote to memory of 3308	1500	msedge.exe	98
PID 1500 wrote to memory of 3308	1500	msedge.exe	98
PID 3980 wrote to memory of 2292	3980	OneDrive.exe	100
PID 3980 wrote to memory of 2292	3980	OneDrive.exe	100
PID 1500 wrote to memory of 400	1500	msedge.exe	102
PID 1500 wrote to memory of 400	1500	msedge.exe	102
PID 3980 wrote to memory of 4468	3980	OneDrive.exe	104
PID 3980 wrote to memory of 4468	3980	OneDrive.exe	104
PID 1500 wrote to memory of 4548	1500	msedge.exe	106
PID 1500 wrote to memory of 4548	1500	msedge.exe	106
PID 3980 wrote to memory of 2008	3980	OneDrive.exe	108
PID 3980 wrote to memory of 2008	3980	OneDrive.exe	108
PID 2664 wrote to memory of 3952	2664	update.dotnet.exe	111
PID 2664 wrote to memory of 3952	2664	update.dotnet.exe	111
PID 3952 wrote to memory of 5060	3952	cmd.exe	113
PID 3952 wrote to memory of 5060	3952	cmd.exe	113
PID 3952 wrote to memory of 1900	3952	cmd.exe	114
PID 3952 wrote to memory of 1900	3952	cmd.exe	114
PID 3952 wrote to memory of 4076	3952	cmd.exe	115
PID 3952 wrote to memory of 4076	3952	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PlainX Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\PlainX Crypter.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3892
- C:\Users\Admin\AppData\Roaming\OneDrive.exe
  "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2008
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4548
- C:\Users\Admin\AppData\Roaming\OwnZ Crypter Cracked.exe
  "C:\Users\Admin\AppData\Roaming\OwnZ Crypter Cracked.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Users\Admin\AppData\Roaming\update.dotnet.exe
  "C:\Users\Admin\AppData\Roaming\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b2fed868-9c1d-4021-8557-60a5161b5152.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5060
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2664
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4076

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b577f5e5ce7f7d4a220c6bde8041e5bb

SHA1
6745d982e8abde881dcb97a58dd78f010170a0be

SHA256
c232b84813368c796d25dc0b24f9c2a0a2818d60c09407396d7ec17fb82b592e

SHA512
e09696425f049926b75f35544d4db00065f8dd408f2504a105a6339fc9a85ba5ddea0f06131b3a6c0e87943964c53082180112050e5f121b38e45e8f16a43c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2d6d8fcd02f8f29b7487a8f96e4d4119

SHA1
3f2f674997ace9fff0eb09c2fd0ca1763451cccc

SHA256
1d45ec846d0342f53c333a90d9cfb8cd7444bf9ed77eb7a3669ba491a4882dc9

SHA512
09d52edc3ecc4dc879e147f6c02f3446dd04c5aa0ceca8eb5d8e481a35152b13dffec25dae0f036137535b418ec2e3ab284996dd05426011a8e2e6c5a2a655ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n40yguvs.cvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2fed868-9c1d-4021-8557-60a5161b5152.bat

Filesize
152B

MD5
8f13c6786cd14b466a99cdd7fa89385f

SHA1
59a7ece829fec80ccd77c81e30f0e8f5e2c753d8

SHA256
9836438ee9dd6edf5b81ef900beec51a55cbe4c034ce60a1697e7ecaf49cea97

SHA512
d4028385accb70c3622a50737eb0d4fb4b43478e8f9a4ff6007bdb9352894fb3d881a1ad9dc865ca5a80b8fa8f02e00a0b7b103f98d29d58358835ed2bad05b5

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\OwnZ Crypter Cracked.exe

Filesize
6.4MB

MD5
912d0dbf45dddf56894ba193ae36e51f

SHA1
db3a3ad9f02d654f1f32baeec74a6868ade402a9

SHA256
24cf39d5a16c0cdce77c41523af6040d666da2f1dc98d005f7510b0bad6901dd

SHA512
18a28e48d11e97057338d2f69afaa513cc61a71093de9ba1688881ec545c8c2af27ef9761cc87d00a3860ec264555443707b2fffa712249bd68db947c2568ebd

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Roaming\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
memory/516-33-0x00000000002A0000-0x00000000002CC000-memory.dmp

Filesize
176KB

Download
memory/516-167-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/516-169-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/516-35-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/516-102-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/1500-42-0x00000000000F0000-0x000000000011E000-memory.dmp

Filesize
184KB

Download
memory/2664-63-0x000001B70C920000-0x000001B70CF36000-memory.dmp

Filesize
6.1MB

Download
memory/3620-0-0x00007FFFAEA13000-0x00007FFFAEA15000-memory.dmp

Filesize
8KB

Download
memory/3620-1-0x0000000000F10000-0x0000000001C2E000-memory.dmp

Filesize
13.1MB

Download
memory/3980-36-0x0000000000410000-0x0000000000438000-memory.dmp

Filesize
160KB

Download
memory/3980-168-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-38-0x00007FFFAEA10000-0x00007FFFAF4D1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-69-0x000002A12E1D0000-0x000002A12E1F2000-memory.dmp

Filesize
136KB

Download