stealerium | b8574159eebd064a1d7854e8422fb0222759bbc31b1469ff7866a06b4aa560f0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2025 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.V6.0.zip
Size

34.5MB
MD5

a0b7d7f290385441b7b4c863d3873a22
SHA1

c66d5b61e0c82c05ce271994775bf6124457b6e1
SHA256

b8574159eebd064a1d7854e8422fb0222759bbc31b1469ff7866a06b4aa560f0
SHA512

10ddf84eb55a0b4fbd3a6f4e2549801e897b4789baedf9b73ba00c62afe62ba8f7536f00a223a762922b46826a987a89fd3b298a6fd594978b2205c38b1b3b78
SSDEEP

786432:SAei7Z9K1koiZEj6mcaFf8G46pvzgbHGgCZ1p6XEDgkP9YA/:aqSiFhuUJOgbHGahkPH/

Score

10^/10

stealerium xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

OnCH8EVI1tYADuXo

Attributes

Install_directory
%LocalAppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL
telegram
https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

aes.plain

Extracted

Family

stealerium

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023d11-7.dat	family_xworm
behavioral2/files/0x0007000000023d12-18.dat	family_xworm
behavioral2/memory/4912-37-0x0000000000180000-0x00000000001AE000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023d13-36.dat	family_xworm
behavioral2/memory/4344-33-0x00000000001F0000-0x000000000021C000-memory.dmp	family_xworm
behavioral2/memory/4920-38-0x00000000008F0000-0x0000000000918000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1460	powershell.exe
2268	powershell.exe
2604	powershell.exe
1428	powershell.exe
4768	powershell.exe
3004	powershell.exe
5092	powershell.exe
2968	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	update.dotnet.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe

Executes dropped EXE 13 IoCs

pid	Process
4344	Chrome Update.exe
4920	OneDrive.exe
4912	msedge.exe
2400	Xworm V5.6.exe
3720	update.dotnet.exe
60	Chrome Update.exe
2220	OneDrive.exe
5096	msedge.exe
3956	Xworm V5.6.exe
1784	update.dotnet.exe
2632	XClient.exe
4952	OneDrive.exe
2036	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs

Web Service

T1102

flow	ioc
57	pastebin.com
88	pastebin.com
74	pastebin.com
81	pastebin.com
62	pastebin.com
64	pastebin.com
82	pastebin.com
60	pastebin.com
70	pastebin.com
69	pastebin.com
75	raw.githubusercontent.com
77	pastebin.com
79	pastebin.com
89	pastebin.com
50	pastebin.com
56	pastebin.com
59	pastebin.com
61	pastebin.com
72	pastebin.com
76	pastebin.com
78	pastebin.com
52	raw.githubusercontent.com
58	pastebin.com
63	pastebin.com
73	pastebin.com
80	pastebin.com
51	pastebin.com
53	raw.githubusercontent.com
83	pastebin.com
68	pastebin.com
71	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
376	timeout.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2644	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4056	schtasks.exe
3976	schtasks.exe
3188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
2604	powershell.exe
2604	powershell.exe
1428	powershell.exe
1428	powershell.exe
2604	powershell.exe
1428	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
3004	powershell.exe
3004	powershell.exe
3004	powershell.exe
5092	powershell.exe
5092	powershell.exe
2968	powershell.exe
2968	powershell.exe
5092	powershell.exe
2968	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4344	Chrome Update.exe
Token: SeDebugPrivilege	4912	msedge.exe
Token: SeDebugPrivilege	4920	OneDrive.exe
Token: SeDebugPrivilege	3720	update.dotnet.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	60	Chrome Update.exe
Token: SeDebugPrivilege	2220	OneDrive.exe
Token: SeDebugPrivilege	5096	msedge.exe
Token: SeDebugPrivilege	1784	update.dotnet.exe
Token: SeDebugPrivilege	2632	XClient.exe
Token: SeDebugPrivilege	2036	msedge.exe
Token: SeDebugPrivilege	4952	OneDrive.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 4344	4668	XWorm V6.0.exe	109
PID 4668 wrote to memory of 4344	4668	XWorm V6.0.exe	109
PID 4668 wrote to memory of 4920	4668	XWorm V6.0.exe	110
PID 4668 wrote to memory of 4920	4668	XWorm V6.0.exe	110
PID 4668 wrote to memory of 4912	4668	XWorm V6.0.exe	111
PID 4668 wrote to memory of 4912	4668	XWorm V6.0.exe	111
PID 4668 wrote to memory of 2400	4668	XWorm V6.0.exe	112
PID 4668 wrote to memory of 2400	4668	XWorm V6.0.exe	112
PID 4668 wrote to memory of 3720	4668	XWorm V6.0.exe	113
PID 4668 wrote to memory of 3720	4668	XWorm V6.0.exe	113
PID 4920 wrote to memory of 1460	4920	OneDrive.exe	114
PID 4920 wrote to memory of 1460	4920	OneDrive.exe	114
PID 4912 wrote to memory of 2268	4912	msedge.exe	117
PID 4912 wrote to memory of 2268	4912	msedge.exe	117
PID 4344 wrote to memory of 4056	4344	Chrome Update.exe	120
PID 4344 wrote to memory of 4056	4344	Chrome Update.exe	120
PID 4920 wrote to memory of 2604	4920	OneDrive.exe	122
PID 4920 wrote to memory of 2604	4920	OneDrive.exe	122
PID 4912 wrote to memory of 1428	4912	msedge.exe	124
PID 4912 wrote to memory of 1428	4912	msedge.exe	124
PID 4920 wrote to memory of 4768	4920	OneDrive.exe	126
PID 4920 wrote to memory of 4768	4920	OneDrive.exe	126
PID 4912 wrote to memory of 3004	4912	msedge.exe	128
PID 4912 wrote to memory of 3004	4912	msedge.exe	128
PID 4920 wrote to memory of 5092	4920	OneDrive.exe	131
PID 4920 wrote to memory of 5092	4920	OneDrive.exe	131
PID 4912 wrote to memory of 2968	4912	msedge.exe	133
PID 4912 wrote to memory of 2968	4912	msedge.exe	133
PID 4912 wrote to memory of 3188	4912	msedge.exe	135
PID 4912 wrote to memory of 3188	4912	msedge.exe	135
PID 4920 wrote to memory of 3976	4920	OneDrive.exe	136
PID 4920 wrote to memory of 3976	4920	OneDrive.exe	136
PID 3720 wrote to memory of 4604	3720	update.dotnet.exe	144
PID 3720 wrote to memory of 4604	3720	update.dotnet.exe	144
PID 4604 wrote to memory of 2476	4604	cmd.exe	146
PID 4604 wrote to memory of 2476	4604	cmd.exe	146
PID 4604 wrote to memory of 2644	4604	cmd.exe	147
PID 4604 wrote to memory of 2644	4604	cmd.exe	147
PID 4604 wrote to memory of 376	4604	cmd.exe	148
PID 4604 wrote to memory of 376	4604	cmd.exe	148
PID 4200 wrote to memory of 60	4200	XWorm V6.0.exe	150
PID 4200 wrote to memory of 60	4200	XWorm V6.0.exe	150
PID 4200 wrote to memory of 2220	4200	XWorm V6.0.exe	151
PID 4200 wrote to memory of 2220	4200	XWorm V6.0.exe	151
PID 4200 wrote to memory of 5096	4200	XWorm V6.0.exe	152
PID 4200 wrote to memory of 5096	4200	XWorm V6.0.exe	152
PID 4200 wrote to memory of 3956	4200	XWorm V6.0.exe	153
PID 4200 wrote to memory of 3956	4200	XWorm V6.0.exe	153
PID 4200 wrote to memory of 1784	4200	XWorm V6.0.exe	154
PID 4200 wrote to memory of 1784	4200	XWorm V6.0.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\XWorm.V6.0.zip
1⤵
PID:836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Users\Admin\Desktop\XWorm V6.0.exe
"C:\Users\Admin\Desktop\XWorm V6.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4056
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3976
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3188
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\01ce6dd8-70a6-447a-8e0a-bcb27d4e6f49.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2476
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3720
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2644
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:376

C:\Users\Admin\Desktop\XWorm V6.0.exe
"C:\Users\Admin\Desktop\XWorm V6.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V6.0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\01ce6dd8-70a6-447a-8e0a-bcb27d4e6f49.bat

Filesize
152B

MD5
686c615da5cd9d4de08aee9a69b5097f

SHA1
4f1554ab61592249506360618e13a630daa18d16

SHA256
7d65934251bd22b5e2bf46fa58d7d99137ab12639a62160976e84c206b49c061

SHA512
ee90d551b9b83f4f4a31627a1b8e876732176755001672438c0ea8512d0bd428d25dd4c1b739c55d63ecf635db59d99850327e56957af33f4ae2d4277fedfcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tsj1h4xj.ij0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
memory/1460-70-0x000001D4FD120000-0x000001D4FD142000-memory.dmp

Filesize
136KB

Download
memory/2400-59-0x000001573A250000-0x000001573B138000-memory.dmp

Filesize
14.9MB

Download
memory/3720-63-0x000001D8561D0000-0x000001D8567E6000-memory.dmp

Filesize
6.1MB

Download
memory/4344-33-0x00000000001F0000-0x000000000021C000-memory.dmp

Filesize
176KB

Download
memory/4668-64-0x00007FFBB6CE0000-0x00007FFBB77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-0-0x00007FFBB6CE3000-0x00007FFBB6CE5000-memory.dmp

Filesize
8KB

Download
memory/4668-3-0x00007FFBB6CE0000-0x00007FFBB77A1000-memory.dmp

Filesize
10.8MB

Download
memory/4668-1-0x00000000000A0000-0x0000000001634000-memory.dmp

Filesize
21.6MB

Download
memory/4912-37-0x0000000000180000-0x00000000001AE000-memory.dmp

Filesize
184KB

Download
memory/4920-38-0x00000000008F0000-0x0000000000918000-memory.dmp

Filesize
160KB

Download