hxxps://anonfiles[.]com/o2r5R7Wfy5/XWorm_V3[.]1_zip

Resubmissions

14-02-2023 20:36

230214-zdxmesga75 7

14-02-2023 20:35

14-02-2023 20:24

14-02-2023 19:55

14-02-2023 19:46

14-02-2023 19:39

Analysis

max time kernel
326s
max time network
326s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-02-2023 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/o2r5R7Wfy5/XWorm_V3.1_zip

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2896	XWorm V3.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\mysellix.io	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\mysellix.io\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A44FB701-ACAE-11ED-B51C-6E705F4A26E5} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095f576cc4659c2489740a466447dd5d600000000020000000000106600000001000020000000541d19188b3aa32f3a56c256d95392779fc3af299135a522e19a409a4c0975a7000000000e8000000002000020000000794f61d6daa6ea06939668e71c9c5adb13ca5d29db092cb28e0672b2c75d7f062000000065d7238c7178b51e904d725416027bb09b32491a1f8131bd69c9e6894d4ce0ff400000005466b431395bf63ead0a7a3ea30b6d9e4e6053112781b12f08fb250664c87a24c8f6d8f90f70a1c392125c52742b854776190abeb5d5be1c905216dbc3eef5a8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10999580bb40d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095f576cc4659c2489740a466447dd5d60000000002000000000010660000000100002000000015a81b77dfb569b04e9ec1599e482d5bb5fe98335c4999feb583f7753921098e000000000e80000000020000200000007092745d051ad34bc76d37287cfe406b54b67b44ef6e4e9b2408a21b07fb2d8a90000000c70d44b66b10315eac68344bddd35874af5b3ef2a236b4aab25be243f5173477f45e98d9659f247c3ec2bf2478b5f266e3c5235d501d11e467235ea29cf1ae3f4230296a624ac51a657a9580b6c442eb780aeccb1d50ea9a35e87a432f0faee8af8d2a4d42e847cc5a4b799228ed1bc00656038cdce9709a90cd15e31f2c1e7882d9ed090c585cee0d0199ca812c6b2d40000000d43267f4f6ca5faae3f4ce74e846c43d91bf400bd351f9856d711c456002e0f13cb0988d8c42995e42fc591e1eae9ce627ebb21157f65d773ced56dd60031701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383175135"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\XWorm V3.1.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	XWorm V3.1.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	firefox.exe
Token: SeDebugPrivilege	1472	firefox.exe
Token: SeDebugPrivilege	1472	firefox.exe
Token: SeRestorePrivilege	2516	7zG.exe
Token: 35	2516	7zG.exe
Token: SeSecurityPrivilege	2516	7zG.exe
Token: SeSecurityPrivilege	2516	7zG.exe
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: SeDebugPrivilege	2896	XWorm V3.1.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe
2516	7zG.exe
2896	XWorm V3.1.exe
2644	iexplore.exe
2896	XWorm V3.1.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe
2896	XWorm V3.1.exe
2896	XWorm V3.1.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1472	firefox.exe
1472	firefox.exe
1472	firefox.exe
2644	iexplore.exe
2644	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1536 wrote to memory of 1472	1536	firefox.exe	26
PID 1472 wrote to memory of 1704	1472	firefox.exe	28
PID 1472 wrote to memory of 1704	1472	firefox.exe	28
PID 1472 wrote to memory of 1704	1472	firefox.exe	28
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 960	1472	firefox.exe	29
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30
PID 1472 wrote to memory of 1212	1472	firefox.exe	30

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfiles.com/o2r5R7Wfy5/XWorm_V3.1_zip
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfiles.com/o2r5R7Wfy5/XWorm_V3.1_zip
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.0.1531208277\1850615466" -parentBuildID 20200403170909 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 1 -prefMapSize 219796 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1260 gpu
    3⤵
    PID:1704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.3.1807515898\460576076" -childID 1 -isForBrowser -prefsHandle 1768 -prefMapHandle 1760 -prefsLen 156 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 1592 tab
    3⤵
    PID:960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1472.13.533335279\1410860832" -childID 2 -isForBrowser -prefsHandle 2664 -prefMapHandle 2660 -prefsLen 6938 -prefMapSize 219796 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1472 "\\.\pipe\gecko-crash-server-pipe.1472" 2676 tab
    3⤵
    PID:1212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V3.1\" -spe -an -ai#7zMap3778:82:7zEvent28492
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x560
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\XWorm V3.1.exe
"C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\XWorm V3.1.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://evilcoder.sellix.io/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2644
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56b5b037ec43e54f96a8e583c9bdfedd

SHA1
3ec1278a6021f39c71271d5da5265ed5475e747c

SHA256
db62f75cc718042be40fcf8d5651699bd6ead2af9a750a0bcd54f5aa23d88dd7

SHA512
7e788b3819abb97cbcd1aaeaefe77a9e5066b51a80139f8e6158ecf95723c3438d467b4fdcd2439b2020acd3674d797a883fe6aac87aa224f4d53ed2f9abf8ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat

Filesize
20KB

MD5
761f1c18a0472b7d02967150010c345e

SHA1
7086c2d47b6aecc56c5780b99151cf287b576dac

SHA256
25f8619b2accd5645e2cd7f699db800017e911c3cf52cb7562b2c921a95c7344

SHA512
6093088279bff3e5e50660a6c0d7c2fdfcd7082627ced6bb00c2e3361e7d235549a048819dfe176f8412c806989a3ee9e8094fd31670ecdbcd46ad90e32e6c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FNORGVHQ.txt

Filesize
606B

MD5
4be890f15f67cea9af925e95ce39c10c

SHA1
73182194e79dc82dd28adaddb75758d2b9339d7f

SHA256
4b33e98cfffc259a2944bc7feddde946445ecba71f7ddd58a738e4f420c19611

SHA512
1ed1f3f6eddbaf3912c413606bfe4f2bab165d7bac0be64c21dd7ef4beeb0eb55ba3e3376a8849fb05d03b3f9c1a5680a706b69df9b96fc442445f6656e8b888

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1.zip

Filesize
26.0MB

MD5
ecd4e67a1348937b5bc87adb9f3a0bbf

SHA1
733f9348d8502bcfe806a70b505310d3a0dfe5bb

SHA256
196492fd93a1a3d3ed70fab37c250c30061005344ff73d4db7d1b548e7276e06

SHA512
65a614581cca29bdeb52741a8d9889f424fece40f60584abed3d8573c490846232d6e21ddb2cc419c288cd5e09db341e1efe744deb28e64e484e89dc6a84eea4

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\Intro.wav

Filesize
1.7MB

MD5
dc28d546b643c5a33c292ae32d7cf43b

SHA1
b1f891265914eea6926df765bce0f73f8d9d6741

SHA256
20dcc4f50eb47cafda7926735df9ef8241598b83e233066ea495d4b8aa818851

SHA512
9d8c1bb61b6f564044aad931e685387df9bc00a92ab5efe7191b94a3d45c7d98a6f71d8ae5668252d6a7b5b44ab6704464d688772aedac8bdb2773d5765d4d56

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\XWorm V3.1.exe

Filesize
6.9MB

MD5
37a9fdc56e605d2342da88a6e6182b4b

SHA1
20bc3df33bbbb676d2a3c572cff4c1d58c79055d

SHA256
422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

SHA512
f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

Download Submit
C:\Users\Admin\Downloads\XWorm V3.1\XWorm V3.1\XWorm V3.1.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/2516-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

Filesize
8KB

Download
memory/2896-62-0x000000001B6E6000-0x000000001B705000-memory.dmp

Filesize
124KB

Download
memory/2896-61-0x000000001B6E6000-0x000000001B705000-memory.dmp

Filesize
124KB

Download
memory/2896-60-0x000000001EA50000-0x000000001F5BA000-memory.dmp

Filesize
11.4MB

Download
memory/2896-59-0x0000000000250000-0x0000000000946000-memory.dmp

Filesize
7.0MB

Download
memory/2896-69-0x000000001B6E6000-0x000000001B705000-memory.dmp

Filesize
124KB

Download