stealerium | hxxps://github[.]com/HexShifter0/Xworm-V6[.]0/releases/download/BugFix%2BNewFeature/XWorm[.]V6[.]0[.]zip

Analysis

max time kernel
133s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

Score

10^/10

stealerium xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

WcpxqjjxSrB6UOUw

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL
telegram
https://api.telegram.org/bot7483240807:AAHWuUBi6sW9ZOb0kfXVbzbMVyLtPj-9vZY/sendMessage?chat_id=5279018187

aes.plain

Extracted

Family

stealerium

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c27-87.dat	family_xworm
behavioral1/files/0x0007000000023c28-99.dat	family_xworm
behavioral1/memory/4408-109-0x00000000001F0000-0x000000000021C000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023c29-111.dat	family_xworm
behavioral1/memory/2856-119-0x0000000000F00000-0x0000000000F2E000-memory.dmp	family_xworm
behavioral1/memory/3876-116-0x0000000000DD0000-0x0000000000DF8000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2964	powershell.exe
3172	powershell.exe
4440	powershell.exe
448	powershell.exe
372	powershell.exe
1756	powershell.exe
4688	powershell.exe
1164	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	update.dotnet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	update.dotnet.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe

Executes dropped EXE 13 IoCs

pid	Process
4408	Chrome Update.exe
3876	OneDrive.exe
2856	msedge.exe
2620	Xworm V5.6.exe
404	update.dotnet.exe
4920	XClient.exe
2848	msedge.exe
4220	OneDrive.exe
632	Chrome Update.exe
1324	OneDrive.exe
4396	msedge.exe
4148	Xworm V5.6.exe
2196	update.dotnet.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
59	pastebin.com
71	pastebin.com
77	pastebin.com
81	pastebin.com
91	pastebin.com
125	pastebin.com
52	raw.githubusercontent.com
78	pastebin.com
93	pastebin.com
98	pastebin.com
106	pastebin.com
121	pastebin.com
66	pastebin.com
87	pastebin.com
56	pastebin.com
84	pastebin.com
110	pastebin.com
117	pastebin.com
120	pastebin.com
129	pastebin.com
132	pastebin.com
136	pastebin.com
61	pastebin.com
82	pastebin.com
83	pastebin.com
90	pastebin.com
94	pastebin.com
130	pastebin.com
140	pastebin.com
76	pastebin.com
88	pastebin.com
113	pastebin.com
124	pastebin.com
134	pastebin.com
60	pastebin.com
75	pastebin.com
79	pastebin.com
105	pastebin.com
131	pastebin.com
137	pastebin.com
70	pastebin.com
72	pastebin.com
92	pastebin.com
68	pastebin.com
116	pastebin.com
119	pastebin.com
128	raw.githubusercontent.com
53	pastebin.com
54	pastebin.com
89	pastebin.com
103	pastebin.com
104	pastebin.com
122	pastebin.com
100	pastebin.com
107	pastebin.com
111	pastebin.com
114	pastebin.com
108	pastebin.com
118	pastebin.com
135	pastebin.com
133	pastebin.com
57	pastebin.com
74	pastebin.com
80	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2156	timeout.exe
2508	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2884	taskkill.exe
1876	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829300121203209"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4612	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3740	schtasks.exe
3288	schtasks.exe
3316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
4440	powershell.exe
4440	powershell.exe
448	powershell.exe
448	powershell.exe
448	powershell.exe
4440	powershell.exe
372	powershell.exe
372	powershell.exe
1756	powershell.exe
1756	powershell.exe
372	powershell.exe
1756	powershell.exe
1164	powershell.exe
1164	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
1164	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
3172	powershell.exe
3172	powershell.exe
3172	powershell.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe
3912	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3652	1468	chrome.exe	84
PID 1468 wrote to memory of 3652	1468	chrome.exe	84
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 1184	1468	chrome.exe	85
PID 1468 wrote to memory of 4928	1468	chrome.exe	86
PID 1468 wrote to memory of 4928	1468	chrome.exe	86
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87
PID 1468 wrote to memory of 5012	1468	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff933efcc40,0x7ff933efcc4c,0x7ff933efcc58
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1928,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3684,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3844,i,5471413609479677222,17473239209135921327,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:840

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:372
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4408
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3316
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2964
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3740
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3172
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3288
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7d8e19a0-4ecc-4e07-b0d5-362a80019d58.bat"
    3⤵
    PID:1940
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 404
      4⤵
      Kills process with taskkill
      PID:2884
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V6.0\_readme_if_its_not_working.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4612

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4920

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:3604
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57387cd0-5df8-4202-ad03-5a712ba6f519.bat"
    3⤵
    PID:3364
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2196
      4⤵
      Kills process with taskkill
      PID:1876
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e716eb62d9a0e2d25a989d1ada1f7fa

SHA1
6cad732bc688801ac0e8163c9301e430f34c6e06

SHA256
630fc42f65324f9172fda0cb8cce7d10ad26810a6822a82d9d76577b37cfe54f

SHA512
59259c8a08cda5b45a049cfb54ff5612ef297c68c087ff7a9bec864f226f87999da8edb1cacfdb1ed109a89887b7d3a640978eee1ab04c8166d1a8efa875dc2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
55a8d7e4642227c5cd5a4b733ab16a34

SHA1
c04632dd1f449bc5b63ba987b69b5229afa175df

SHA256
0aa44710d46b3aa2ab2a82dc486a876b0cd5d28a884e7664e6120ea77b7a6f23

SHA512
2eedbf760677cbb66e4bc0e8662f2b7eb67aa78311b7a8b1c211cf27b308db4b0afc4954c80c126b7c182580f3c9a8ca10ff4942c2f6920bf1e4ddf4419026b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
71cfab0d7fcd7d5e4691ec6389730162

SHA1
8df875eeb0e4f8686756b1a8b41daa9c402cac2d

SHA256
39f48881368c5ea68e3cea18c26611011e0b8f1d2592ae1a0885e26dbe521d3c

SHA512
8638a53d005fd604f0caf99de04b1002e8012076d9d3ee74eff6c5df168ca535f9d9691397c9dc447ce7dbb07636876713ccff1bb17f6924fa4ccee0cbf788ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
73169fde275fd2c3c1b13cf2883cb74f

SHA1
f4afdb37f94ebfe4cc734dc5f1e6f9c85eb3d230

SHA256
d79a14afc8d506d6dea131f0253dacee6aea7c2b2f57088be9df0de433bc6e1c

SHA512
6991fa13b6c28a4b6130f49e3323dc3f75a038753b227361e9073a51f2a345eb5fa18aef4719d71f021a27261a5324dcc88a8d5980f4ddadd656e28c34b0277a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9baa0a74b6b4205752a50a79381550c2

SHA1
a3b34ef94a19dff0f506d843b2ab49eb08cc6aa6

SHA256
efc7c4ae5a280739f079cfe93277b62fdf10004c4a5ed11b69a32661c52778c0

SHA512
527c35cc1e7a0fc1bf354fc9ea1fd73dfa0af5fb128bef26e97769e7965d8737777900745447d53273e2a327ae119fb7de7bd0e9fe27c56b7c9cdbed8d89f6c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fb022408cae95d96db7cc26f764332b5

SHA1
0672be8b25d8799001eebec8e34babef7acab1c6

SHA256
8f6f3d5592fe5a996705a0c4e40b1ddc14093210ca61031e79b9e8f42bc3d67a

SHA512
fd71460b28535cc48a477a8ff81716c0518a6aef444e9180856a6ff94fa2020aa80d8001ae6fd9c1fb1afa6a603acff388dcaa2abd6c73d21c4da3056f1c03ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4026fb2e59cc33718f34e22ff9a21814

SHA1
088205f329d01d61528f32c92d0beda998733e7a

SHA256
4bde6faa6d773034910a9567ecb683e30d124698139bc488c8fa89ba537c59bc

SHA512
163607dfc2e0c7c684fff88e8d3ba367d700d8dc7ab90423b428f6a1dc7832681b7c33d91e40e7edaccbc5adce58a9724033961e7cfb4dd3ab4ae9617d253b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
988b98f4f6e23f95fe09f5b3c9529c2a

SHA1
d18f2482cdcd52fb0c59506ce39a112e28efd6ae

SHA256
4f82bde6698f025f9f8f7609eee6312ff5ee1817303d0a5489a883d7de71dfb2

SHA512
9e8ac3aad0806f91544be551ed716bf4fd856a62089af5f87c2459bf929455695a60baa2fe56ce2c242d04e25d85ff9fc9e0bc21ea6e180652126a705a4cdfa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e5d2166c1582549db8425c901b8d76b4

SHA1
75bd1865c08d5617b6952b40c371729b8686c5f7

SHA256
bb6409313128cf3ded528d5721aecaf8d815efa7e7e7303a83163f36c9054b07

SHA512
b43184d12e22fb24493676861ccc13d985318a2dedcae04e6515e809d474c38cdf768c3a4c2c9f5dcb0a644d4b41070005ccd15cbe605398f3981cfbb2c6d1ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
565674cb1a9a5a18a14293e75ad34cf8

SHA1
3fe1a8bf8594e11fb76208708918ce43f76ca5e5

SHA256
9f727f5a4ab81c388c931a5e0383b7be1eb85446be6b6a908469457facf3f9d9

SHA512
0a6bcd383f03ba2c060da02b5b34db6aaadcb41f7441145bf41050a560e340239c1dfaf2c0efabef85734bd51c49bdf71cd8e7fa2eb28e3875fb77feb1c7ae02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
37fc60d3f52ad9ede435f30ed8f57cac

SHA1
0e17142bd81cab39656d5fd3bb16e0208c587242

SHA256
393a7600066debab3d0190b4dcadd86472c628e0eea66e5b66404840b8d3724c

SHA512
84edf12997a6c848ffeba2d97d5de42e646fcaf52c30961e50b726960a4271311b391a1033f20417b04adde8faa2c387e9fe9c4c31296efa214f9d4be73ed5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eeb679ea72ddaee8b25152e28b09fb2c

SHA1
4f12b99f3e5c0b67eeec50dde9163f3f448de14d

SHA256
6a17fd573c37512f334334048a76313fa8bbbb97633f1b35498ef4fa2e4bc794

SHA512
b40ebe0d7938f935e1dca92dd3ded26af42898b6d1b3018ca6cdc1af6028a6288d354f612e1e1da4aa3e57b45851178a2b18c25d4506d72b7e4af996f23d4b52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
9fb36ed09104545c7c3a2686dc5e624c

SHA1
5a9f29537220de2c01cc421691c6ff666e9d5751

SHA256
3c1148b29311bb3781c2ebe391d1b0413f8471935a24793df032509242c7e122

SHA512
ebdad12eda50f1262b8b45ef6da85cb448ad9406a097455fcfd916339ec7059bb3f9f5224d6f990369fe1844b374e315ac790ae76ab66469d2e0ea0015c02c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
b9b174cbf63099133eafbb61b336fa49

SHA1
89ec5c131dde62002be6e2b682bc71c26fb0ec3a

SHA256
216a4672df8394102ca19ad08cb055c3987ec027a9a9386db381c2841a8969a5

SHA512
1e7f0d5ad57f712f86b879f234807e4bb974c01dd0349785d3e1e048e0ef565db6d23407a9e7a0c5ea004e31b88e009ddfe41249f699b7be255aa446c1bc5079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V6.0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\57387cd0-5df8-4202-ad03-5a712ba6f519.bat

Filesize
152B

MD5
ff8dded810f7d82bdc48c436c829d8da

SHA1
b38c7f77b55ed864f1bfd3f6baeabd282ae4c57a

SHA256
ede93c43214a58b7ced439d007f4ce1b147d9600a8a5851286c248534cdf7785

SHA512
ffc80c73a3f54659c3e7525118f4b17343dccc04a65d2ed8897007360be856aef89b66fd19d6703b490cc399fe1668dec82b32787dad3bea66ca65ca429db7d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d8e19a0-4ecc-4e07-b0d5-362a80019d58.bat

Filesize
151B

MD5
f74614f8c1225c310a98f55f39be5c5c

SHA1
9b5533b39f8697499ebc2d961ebae06369338be2

SHA256
968d562bcd308da97b85e2379d488d0c35eb24c8a78a74cd6f79879d2af0c13e

SHA512
e0aaac066225febd515d506f2c5abe6524439efde518663fa44b1757d8638904539aeb43d7f4d7b02afc6d7b10209c2b198c5fda19890df956957e5f1621391d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jygld0wi.1od.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
memory/372-82-0x0000000000A20000-0x0000000001FB4000-memory.dmp

Filesize
21.6MB

Download
memory/372-145-0x00007FF920940000-0x00007FF921401000-memory.dmp

Filesize
10.8MB

Download
memory/372-91-0x00007FF920940000-0x00007FF921401000-memory.dmp

Filesize
10.8MB

Download
memory/372-81-0x00007FF920943000-0x00007FF920945000-memory.dmp

Filesize
8KB

Download
memory/404-144-0x00000179D4570000-0x00000179D4B86000-memory.dmp

Filesize
6.1MB

Download
memory/448-147-0x000001FAF5760000-0x000001FAF5782000-memory.dmp

Filesize
136KB

Download
memory/2620-140-0x00000155C62A0000-0x00000155C7188000-memory.dmp

Filesize
14.9MB

Download
memory/2856-119-0x0000000000F00000-0x0000000000F2E000-memory.dmp

Filesize
184KB

Download
memory/3876-116-0x0000000000DD0000-0x0000000000DF8000-memory.dmp

Filesize
160KB

Download
memory/4408-109-0x00000000001F0000-0x000000000021C000-memory.dmp

Filesize
176KB

Download