stealerium | hxxps://github[.]com/HexShifter0/Xworm-V6[.]0/releases/download/BugFix%2BNewFeature/XWorm[.]V6[.]0[.]zip

Analysis

max time kernel
270s
max time network
270s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12/02/2025, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

Score

10^/10

stealerium xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Extracted

Family

stealerium

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000027f4d-231.dat	family_xworm
behavioral1/files/0x0007000000027f4e-243.dat	family_xworm
behavioral1/files/0x0007000000027f4f-257.dat	family_xworm
behavioral1/memory/3736-270-0x0000000000BC0000-0x0000000000BE8000-memory.dmp	family_xworm
behavioral1/memory/1176-269-0x0000000000660000-0x000000000068C000-memory.dmp	family_xworm
behavioral1/memory/4568-271-0x00000000006F0000-0x000000000071E000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe
1720	powershell.exe
2092	powershell.exe
2936	powershell.exe
3628	powershell.exe
3940	powershell.exe
3784	powershell.exe
1164	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\Control Panel\International\Geo\Nation	update.dotnet.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 6 IoCs

pid	Process
1176	Chrome Update.exe
3736	OneDrive.exe
4568	msedge.exe
1696	Xworm V5.6.exe
1196	update.dotnet.exe
2660	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
39	pastebin.com
40	pastebin.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
47	pastebin.com
48	pastebin.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3104	MicrosoftEdgeUpdate.exe
3084	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3344	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4376	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-156903528-2922517348-1168185335-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4372	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3732	schtasks.exe
4516	schtasks.exe
324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1528	chrome.exe
1164	powershell.exe
1164	powershell.exe
2204	powershell.exe
2204	powershell.exe
1164	powershell.exe
2204	powershell.exe
1720	powershell.exe
1720	powershell.exe
2092	powershell.exe
2092	powershell.exe
1720	powershell.exe
2092	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
1176	Chrome Update.exe
1176	Chrome Update.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
4568	msedge.exe
4568	msedge.exe
3736	OneDrive.exe
3736	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe
Token: SeShutdownPrivilege	3032	chrome.exe
Token: SeCreatePagefilePrivilege	3032	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1176	Chrome Update.exe
4568	msedge.exe
3736	OneDrive.exe
3248	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 936	3032	chrome.exe	82
PID 3032 wrote to memory of 936	3032	chrome.exe	82
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3544	3032	chrome.exe	83
PID 3032 wrote to memory of 3548	3032	chrome.exe	84
PID 3032 wrote to memory of 3548	3032	chrome.exe	84
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85
PID 3032 wrote to memory of 3044	3032	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fff70dbcc40,0x7fff70dbcc4c,0x7fff70dbcc58
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:32
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4072,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5012,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,16024888078870299696,17619780067653260727,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:1872

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzcyQzA0NTQtMTNDNy00OUEyLTg5RDAtMzI0Q0YxMTk0Qjg3fSIgdXNlcmlkPSJ7MjM1OUJEMTItM0QwNi00NDA4LTk4RjgtNzU5NjdGMjMxNjdDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QzY4RTdCNUMtNzdBOC00MjU4LUEzQ0EtOUFFODY4MTYyOThEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjcwMTc2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5NzIxMjIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA0MzY4MjU1OSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3084

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzcyQzA0NTQtMTNDNy00OUEyLTg5RDAtMzI0Q0YxMTk0Qjg3fSIgdXNlcmlkPSJ7MjM1OUJEMTItM0QwNi00NDA4LTk4RjgtNzU5NjdGMjMxNjdDfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDNEEzODY4Ri0xMkI5LTQwQUItQTQwOC0wMkRGRTI5RkYzRjJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjU4Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjEiIHJkPSI2NjE2IiBwaW5nX2ZyZXNobmVzcz0iezRCQTc1MjIwLTc3RjAtNEI5RC04RjEwLTE1NTQxNERBN0FERH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNzQ2NTYzODYzNzQyMCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9IjEiIHI9IjEiIGFkPSI2NjE2IiByZD0iNjYxNiIgcGluZ19mcmVzaG5lc3M9Ins2MzdEMDVERS05RDVDLTRGREEtOEExRC01N0Y5OENDNTZDRDZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY2MTUiIGNvaG9ydD0icnJmQDAuMzkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTYiIHBpbmdfZnJlc2huZXNzPSJ7QzRCNEZEMUMtRkIyMi00QkZCLTgyQ0UtMjRBMzc4QjlGMkZFfSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3612

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1176
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3732
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3784
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:324
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3940
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1196
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6a931f79-bfdd-4eb6-968a-36c86ddb66bb.bat"
    3⤵
    PID:2992
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1196
      4⤵
      Kills process with taskkill
      PID:4376
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:3344

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V6.0\_readme_if_its_not_working.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3248

C:\ProgramData\OneDrive.exe
"C:\ProgramData\OneDrive.exe"
1⤵
- Executes dropped EXE
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
382KB

MD5
787eb45d05362da367d3e18b72ec040e

SHA1
eb5043145e079d4a9b10ff168f62f398369a4a0b

SHA256
6eb74fb17baff882835963b83edf45aaeabbf18f05a00154127bc949887f433e

SHA512
483efc6728ed340cf330bc492fa7a5b6ab4802f5e7d96e94fa5e2c2d1e5fac8b93094b22cf55f5fc14004dbdece9abc92ce6afa3e57224259022a07a8abb1df0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5fedff994f4782d85f7e576165c915bb

SHA1
4a2d3ab0370593b8f3bf1278c33c0fa639b449e8

SHA256
c864bfc1b371ef8c46dc2978d3148b49ba038249b7bf9c02f3bed48d7c1f0e0a

SHA512
42806b0716fac948982dc5b85f33f77362895a2b9822b3638c54439bfc9c05499e634a364e669f585259377b12392a2ef35b808d4a22cd7093f3586868fd580f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0595eb02e75d576acff7c15ffcbc188a

SHA1
ab590b0bf5dc4f71dd3a6a0a3a427716764d7e8d

SHA256
045abd48a75b7ae646a709a497d77fbf7a5e7269bfd3998faf0af0a8af688bc4

SHA512
4308c1498d2087eb2ee00066927f0b479ad0a39f0dca76e4b8475dbd921b5e8a3ceb69c651734ff5540237c961087a273f8c7a40eeb73c3111af24a01e3adbf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4fe903323f0ad31c9ed5a2157a6c4129

SHA1
871de346ac84ea4b8b6d57e6df1100f344dc6c3b

SHA256
017d0381c6089ebf4219df2d34e530e932dd766da185980249babccd5c13a29d

SHA512
2e1f04e3a759b5cf9cf8bc530e329f61f3721de737630226c3cfce32e493d95c086d4b62f484d65b32ce4ca4282a928a13d92344ca6421946c4eb143fc155403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd5b02342514959d719ab476327d3575

SHA1
f4c4d717f7c658f6bf79053e7e889ab18a311e01

SHA256
3515e65b3303a903af78583b6c686f8b2225de70033807481069c6c9630e7a51

SHA512
d3f1de6854e492f397139c16ee2f4b312f9846985b2e0302e212e33615f5a827f95718fd1c128bcbe86a5a950d6bf81408e7f84ec9a5bdc3ebc3fb282dcd9bf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b4f66a2d99bdcb19f3cbaf5fbd09e5c4

SHA1
644eca73a2ed6b3452218baedfe0d81b2b6fce69

SHA256
b042ad3730ac830dbccb0d21c795b1457a07036440846d80c63c528850d4b61b

SHA512
1292814f03bf44e8c10eeabf0c18dcb9a9b61f72360b6b1f7d7efddd18d45424971333c8178e2871a5ee2a881d2f5f535a76c73379b6645766915df089c7a14a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e6e45d180505974beaea0d50eb4480e8

SHA1
233fb9999a0695ff8cac7f875cf655c0f6008ccf

SHA256
2c3ff8784de2dc07133ea004ccbea6b59df0117c00ad4e9d1e35dd264616eea3

SHA512
79f5114da2f36e3d5019e167c2a893a83e1531dd6991b52abe5a04ac7c20b46df234bb277e32135c05b1f6bf31c1bc786a5f25eb7f484dcd38abe9e953bbd676

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f95c8ed0bf48ea1e837cec119360a530

SHA1
e3a5d634512def979b97cc79abce9b77c7364edb

SHA256
635c705f8147a0f1b16817848f1292f8e656815269c7fe3ee412f86df916a4c6

SHA512
49f6f720529f4bea83360480012ff55e2f73d34b23eca83145f25a6d3839d03ec52a20e1c68d2ea44908087884a26e43dce45ed8e9dafbf337b38a838ab0cfd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
881b4fd545dc14782e4db6431ee27283

SHA1
0d16f24da7ce9e2349d3f472e52f45b025cd2e31

SHA256
a909e11ec72738f10c46beefb544680de3bb9b2bd637c73c83f43d6e04bbc9a4

SHA512
8a86cc4c1a10d7a8b26f2b0ef2cfc16a45be5a7020748d6b443a48ee966b46e81e50543a5739591aecc1e84a3b5f2e7da8e2eebb399057aa926200974ee9e32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3b496dae8cbc7c99a8f7487fb124c787

SHA1
716c438bb5bce4a387d08b8a1896905f669e2454

SHA256
c50cf3d49efccffbca2c1067398caac20aaf5a58caaf22e596ff38fb5aca0568

SHA512
d87adb063e705685b46f9cb4ceff4fe13e30975ae77d3e04df844fb0b9a98d9e02c1e39a2069259a6c3ad9a51b2ffde5351b2992282dcece9fe2461adcbafe4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
28bab9d4449d3770922cc753737cd010

SHA1
12444e91eee8f1edb8b3c6f56b7242a35608cb86

SHA256
72701c8972f90cbf884fa1f3a69153f145220a93ce7cb774dcbef3c5bcac9246

SHA512
53ce7318ae2d886d95ba097bbed566dcf7e1ab88a84a1b18e52fd8232258b501b27a910e430d5a360223c7f456a7716e7c3da27ba9e722cef29ff613a53e34d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
201f005ce4e28766b394cc8de1f4f8bb

SHA1
3ba3838746465def1a3847dbf77089408addfe80

SHA256
5a7a2ff0251ca7d3c48460c8c176db7b397f8b94030fb67f2aefe4c303c1227c

SHA512
a2a424fbbf903c33270975c6857048e3213ccfa43e9a1c65d0ddba229145af0c1b03a6fe2e46bc9b8da91282f29903614ec53f3ea9ddf7d47c5576928b6dba13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
358d861dcf748e8f912d7dc7755487b5

SHA1
7f650ecb9171f38c76a0d9bad0339e08a31673fc

SHA256
162601f325482433cf01fe23953e84463200d6bb35948e1466316884ccb46e53

SHA512
318867488369fbab6a093eb8ff05e3883b912ff72eb01e75bfdd25bc38a25ecf24cf3e7ca24bc250a4c41a261dacd79ccf725f824e57e941037103b3186fa5c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
43d55b1140adb3296ef4f4c00bef2630

SHA1
5484c871abb771835b0b00571ced6f2f12b8955a

SHA256
fa882eccc63748382c140abaeac4a24b8d6478ada9b88b2a3cc82059a180e095

SHA512
2b7a0bff5c5005bf402d3573364e67a9479e682e48ad839d79122af2a5241afb39b90343aa2f0ff17b314540d3bec104e824e03ea0a4e7c1f9b85ee30eab657e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
87bd4e2bd95738a2f3652b4e89fbcca7

SHA1
c3660c7f90d4b5edd2847f606e5e81cbcf16eb7a

SHA256
7d73e16386a38660b58875c30bccc6552be3543921e3ed1aeea43443465bfc1a

SHA512
12947a21c22d543ad0f8ffffe3c5128614545c52c693c64b7e969da8be5f871298c4f9a542693d16f7d7c1a3a220027c558247dc906a6817d2843d823ae89486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a4bb976a9761143a60ae4c2932c6f1ab

SHA1
569fe7b1a7cd2ef62690c3a461e396957ba1b35f

SHA256
8fe9bbccb4a63dbfbeb8f44f5dd2b6fa37880427439aa3f6cea06031006ae91c

SHA512
82080457586ce4c468654951a1d2df19a98d3b349120904899a9b619e2e5e7fc349ced345b1c01d4896fceff36a50cbdddd76cd45228df1537e734d788515688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e1919e07a074fe526586a5740ba3494e

SHA1
2396961141b45d4fb326b22038b17c7aa74736ab

SHA256
3331448f425aa80394768d5024e97fe681a13268e2ee7af979c88a7279268504

SHA512
5195d6b623663df02e85af3a80760fa57c0c699f566bf7e84907a7470741720a2f475b5ca382023077b0d0d2167878f6c5e4cb2c610d0f8b9c8c5ffbce35d096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e07ed7a9916385a3d4295db33c8f8d09

SHA1
aa6b9c7f200df125131d442d605b3de795962a43

SHA256
177f1f951e36fb2f90d7865b9dddc4febc41a89b5330aed6068429523667c2e5

SHA512
739477abeaf9a207d8f773723f68d4c187b9454bfb8cf166c3d61b06e7586fc076b7ab8086bca01f36dc7c0fcef731b421d1f590aef8c3e1182a94970aeab150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bb016a35a82812c8ab85a383350b6797

SHA1
233df72398f458b01d6a56ce430d2678bb145567

SHA256
60c0f350b1ba4995a65a4efa9e9e9973026db75e2d23e1a66c5abb55dd8dd332

SHA512
3fb28ed71626c9f93336973ff0caf513782dc4054b4b5ffaae2a49c1b453a92e80760a0856167c0f1275604db4d49d5ac9fbe114d6e0bb84c0a8180ee189b45f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
07e6878ec73a00dc3249a820fcd98ca5

SHA1
5d3ea32ac48a31026e218283ced42e50a1ede597

SHA256
c9c55d254083df3aea7812cff4468f3e033852fc8f27138f8c5c2f0b25149e29

SHA512
e1d60d900b4f771bc963464a146ffd8e5b32dfc95a217ef08aada994579ebef4ca7e1ff8202d42344f2bccee65788f26639fde72779fe0c925c771cf0452c8d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6937371a775464264d4010e803af5722

SHA1
b6c4226bc87ce3cbddb0203838ab15c4d85ce66b

SHA256
2dc2b599700fd462cb514a7ba4616c93bec0094c0681c1bc8f66cb7b2e586900

SHA512
0200edf34133fe9ccc0d9fc7495622e0084c0fd47e8f646994d899ca3ee0f1dd0f7437d52f76cd609ef4f4f77350d1b42266449e8c3397bd2084b3ff075caa43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5e47dd411f75d347a8180b0dc8e05223

SHA1
b8c1be3e824955a53386b525da9e596060f0495c

SHA256
4dd0c8d0223de1cd8caf788bba5ef29a2e8c369ba6b28cc1036c38e703480ca1

SHA512
34c1b4580bb7c7db9dfdc95cb7039661ad8ede7b83bf29f74847f67059f2015cf94cbc87b7a534dc7fdc468377e55c18008ff70339cce9d6fff24ec99acda7f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
9ac8dbdd9b7be105edf7b1fbc33a7793

SHA1
8a4218e0604784fd73f453f7ecbd2234aed2f0d2

SHA256
b21a92794334f2fddb353dd8bc44860406fd2aa77b926937130bc466978ea621

SHA512
b42955a26e82f416bacf272a10882b84e992f39d36fbb3d438339c30762a31ee1a8a2b9338b511a4e91847adfdc011df187f81394857e0cd80a18f97c560082b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
125KB

MD5
cf429e543bfb361b38c2319b2b7dbcf6

SHA1
25e48b1895be1f3a2083845625f59bdb1f4f69dc

SHA256
9625a25e314b3786926376e6731e8cba0adbac46b8dc2c53eb85fa0c8c8409be

SHA512
97b5e4d1e742ee57d3014ff14c372c34730d393b60a5e06bd1d63c7981d784a9ba1a478e4e425950169eb57017554d6543d42693ff273e9c1bf1c5ebd39a6e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36340152168c21d56d650d9171c1939f

SHA1
8be039c0da3da074f7b7907747fcb87f3efe009e

SHA256
2a331e92eeb4733cf35c171143c8c18560c64159dd23b80655d42191fb503e3a

SHA512
8cc11d8def0329f3a2cbf5e539567e27e2ff795c51d3b30e6e8b8066ab094309b25769bc158dc3c9396f241f9c3ec5c177423342eff9a5769125ac1a0916a0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5332026f2d529c2f695471b18f948724

SHA1
3d763734bcbd69b4c37519060b2d02043ca4fd88

SHA256
e5cfa62ac6a080d52b010cc54df7257391f3665eea6341133242e6b96625922f

SHA512
f1496d788d5ea185abd6019b08782672a86864061f408ac816c470a8a1a72693cfd55d5d75f9cfd7324725d4e6df0211d490619a5b8b80e7b76be4286390383c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
280B

MD5
fde5efd8e2f395b723c76be429d9be2f

SHA1
b6f53e4c2a872e2db6745fddf47c7639bf57ca70

SHA256
db12227022ef69754fdbd83c5af5df5a37673b6d13b0bfa4d9223efb7951a14c

SHA512
6b154f9481f5b089e50d551f249213820d73ce669c6c2d35d6dedd53a8e6235cccbc729a51629328b26c966d68235486c95d4f7268f06bb1ea42a6c6a03e94b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a931f79-bfdd-4eb6-968a-36c86ddb66bb.bat

Filesize
152B

MD5
032c2e124a5fd957d26139a78b7e790a

SHA1
cdc76d5bdda62beeaa14d3219fb57b7481760cd7

SHA256
ad73b7270ddf61a35014d61eff1f641174660c6826f369f5fa51d33dfa35c8f0

SHA512
cccdef942f3ae8786122a9b479446949e2a21a0274d9ff58b5a3588a9e5936c5fc6e2e4c21d41995e0855418778aca221f2ba3657074f7134426171aa9f8bd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5k5jj22k.g0k.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
C:\Users\Admin\Downloads\XWorm.V6.0.zip

Filesize
34.5MB

MD5
a0b7d7f290385441b7b4c863d3873a22

SHA1
c66d5b61e0c82c05ce271994775bf6124457b6e1

SHA256
b8574159eebd064a1d7854e8422fb0222759bbc31b1469ff7866a06b4aa560f0

SHA512
10ddf84eb55a0b4fbd3a6f4e2549801e897b4789baedf9b73ba00c62afe62ba8f7536f00a223a762922b46826a987a89fd3b298a6fd594978b2205c38b1b3b78

Download Submit
memory/1176-269-0x0000000000660000-0x000000000068C000-memory.dmp

Filesize
176KB

Download
memory/1196-302-0x0000018A8AFB0000-0x0000018A8B5C6000-memory.dmp

Filesize
6.1MB

Download
memory/1696-286-0x000001B60E010000-0x000001B60EEF8000-memory.dmp

Filesize
14.9MB

Download
memory/1716-226-0x0000000000DC0000-0x0000000002354000-memory.dmp

Filesize
21.6MB

Download
memory/2204-304-0x000002129C440000-0x000002129C462000-memory.dmp

Filesize
136KB

Download
memory/3736-270-0x0000000000BC0000-0x0000000000BE8000-memory.dmp

Filesize
160KB

Download
memory/4568-271-0x00000000006F0000-0x000000000071E000-memory.dmp

Filesize
184KB

Download