Analysis Overview
Threat Level: Known bad
The file https://files.this.ovh/XWorm%20V5.3.7z was found to be: Known bad. The submission was the URL; in the behavioral run it was opened in Microsoft Edge, the downloaded archive was extracted with 7-Zip (7zG.exe) into C:\Users\Admin\Downloads\XWorm V5.3\, and the extracted XWorm V5.3.exe was launched three times (see Processes). Note that the family signature that fired is AgentTesla, not XWorm, and the report shows no indicator for that match.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-07 00:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-07 00:50
Reported: 2024-03-07 00:53
Platform: win10v2004-20240226-en
Max time kernel: 168s
Max time network: 168s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{EE4EA080-FA66-42EC-A91C-B0E8C91CD87C} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://files.this.ovh/XWorm%20V5.3.7z
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5428 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5256 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=4300 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6140 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=6240 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5684 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5740 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6768 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm V5.3\" -ad -an -ai#7zMap18091:80:7zEvent11100
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6804 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2fc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5544 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
"C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe"
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
"C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe"
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
"C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffa2d402e98,0x7ffa2d402ea4,0x7ffa2d402eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2652 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2716 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2828 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4140 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4520 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4560 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4864 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4928 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5140 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4284 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4284 --field-trial-handle=2656,i,3503374473874483600,11681607495144380324,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.this.ovh | udp |
| US | 8.8.8.8:53 | files.this.ovh | udp |
| US | 8.8.8.8:53 | files.this.ovh | udp |
| US | 172.67.178.43:443 | files.this.ovh | tcp |
| US | 172.67.178.43:443 | files.this.ovh | tcp |
| US | 172.67.178.43:443 | files.this.ovh | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.178.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.6.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 88.221.134.17:443 | bzib.nelreports.net | tcp |
| GB | 92.123.241.137:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp |
| GB | 51.11.108.188:443 | dl-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.108.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| GB | 142.250.200.42:443 | | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | 12.179.89.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| GB | 92.123.128.161:443 | www.bing.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 161.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| GB | 92.123.128.161:443 | www.bing.com | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| GB | 142.250.180.3:443 | update.googleapis.com | tcp |
| US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 93.61.165.172.in-addr.arpa | udp |
| GB | 92.123.128.149:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp |
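Nearly every row in the table above is traffic the detonation environment generates on its own (Edge, SmartScreen, Bing, Google update, Watson) plus reverse in-addr.arpa lookups of addresses already present in other rows. The only host tied to the sample delivery is files.this.ovh at 172.67.178.43:443, and because the table has no process column none of these rows can be attributed to XWorm V5.3.exe from this page alone. The Python below is an added example, not the sandbox's tooling, that reduces such a table to the hosts worth pivoting on. TABLE is a subset of the rows above (including the two rows whose Domain column is empty); the suffix allowlist for environment traffic is the editor's assumption and should match the sandbox image in use.

```python
"""Reduce a sandbox Network table to the hosts worth pivoting on.

Added example, not the sandbox's tooling. TABLE is a subset of rows copied from
the report (two rows with an empty Domain column included); INFRA_SUFFIXES is
the editor's assumption and should match the sandbox image's own traffic.
"""
from collections import defaultdict

TABLE = """\
| US | 8.8.8.8:53 | files.this.ovh | udp |
| US | 172.67.178.43:443 | files.this.ovh | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | 43.178.67.172.in-addr.arpa | udp |
| GB | 88.221.134.17:443 | bzib.nelreports.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| GB | 142.250.200.42:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 92.123.128.161:443 | www.bing.com | udp |
| GB | 142.250.180.3:443 | update.googleapis.com | tcp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
"""

# Domains the detonation environment (Edge, SmartScreen, Bing, Google update)
# talks to on its own; editor's assumption, tune per sandbox image.
INFRA_SUFFIXES = ("microsoft.com", "bing.com", "bing.net", "azureedge.net",
                  "nelreports.net", "googleapis.com", "s-microsoft.com")


def parse_rows(text):
    """Yield (country, destination, domain, proto) from '| a | b | c | d |' rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            yield tuple(cells)


def is_infra(domain):
    return any(domain == s or domain.endswith("." + s) for s in INFRA_SUFFIXES)


def triage(text):
    """Return (contacted, unresolved, dns_only).

    contacted:  {domain: {ip:port}} for non-infra hosts actually connected to
    unresolved: {ip:port} connections the table shows with no domain
    dns_only:   non-infra domains looked up but never connected to
    Reverse (in-addr.arpa) lookups are dropped: they only re-resolve
    addresses already present in other rows.
    """
    contacted = defaultdict(set)
    looked_up, unresolved = set(), set()
    for _country, dest, domain, _proto in parse_rows(text):
        if domain.endswith(".in-addr.arpa"):
            continue
        if not domain:
            unresolved.add(dest)
            continue
        if is_infra(domain):
            continue
        if dest.endswith(":53"):
            looked_up.add(domain)  # resolver query, not a connection
        else:
            contacted[domain].add(dest)
    return dict(contacted), unresolved, looked_up - set(contacted)


if __name__ == "__main__":
    contacted, unresolved, dns_only = triage(TABLE)
    print("contacted :", contacted)
    print("unresolved:", sorted(unresolved))
    print("dns only  :", sorted(dns_only))
```

Run over the full table above the result is the same: one contacted host (files.this.ovh via 172.67.178.43:443) and two destinations with no domain, a Google address on 443 and the mDNS multicast group 224.0.0.251:5353. A non-infra domain that shows up in dns_only but never in contacted is the pattern to watch for a payload whose C2 resolved but was never reached inside the 168s window; nothing of that kind appears here.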
Files
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
| MD5 | bf8a1c0619550f26c630679f66c36328 |
| SHA1 | 7e7b4bdc7d4d34f8256d9183bc0064e37157a236 |
| SHA256 | 3f6e9c631f01e0f3285fbc54114e7a170c64550e57d5f94366eb4e400b476a3b |
| SHA512 | e0a26ece35c10cf909fc7a6158327cff97c8fea1f27d94791e994c751ac7ce16f05b760499f9dc6d9a8289208b4954fe602e7c7812439f52ae5dba87b841ec43 |
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
| MD5 | c9b34731287261bfea156f203897ece8 |
| SHA1 | 1b96723c76c18806fba44f1ad4d353ea6ae76ad4 |
| SHA256 | 712c8cfb72520a63cd774499c4d5bf1b5f796fe5192e1d31cbea65e5f6fc5df3 |
| SHA512 | 18281c39d904513f8ef3ca4db7d047711e23d55c8883f47065c28661837f2eeb9630f37001ce287a3075c97e972c47fac0d625d2af8756951251100e4f70b5a5 |
memory/2276-142-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/2276-143-0x0000020FD4110000-0x0000020FD7388000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
| MD5 | b8095be67bd7c9afc6f31e57dc4d8e12 |
| SHA1 | 36dc23475e8e4ea6bc23718904cd29c2e3235f72 |
| SHA256 | 2b48a1b425be6aa121eb76e412629322ebf3387cb6c74abfed629b70477159fd |
| SHA512 | d0ec13b33a4a51df716a9b347bba29b77b45f6db790e82db49b70b9105c337b4ae4a380da2a91571f1ea5afb7ad13b01a43aca05026cc53cc1e7320f1240c61f |
memory/1164-145-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/2276-146-0x0000020FD7730000-0x0000020FD7731000-memory.dmp
memory/2276-147-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\Guna.UI2.dll
| MD5 | bcc0fe2b28edd2da651388f84599059b |
| SHA1 | 44d7756708aafa08730ca9dbdc01091790940a4f |
| SHA256 | c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef |
| SHA512 | 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8 |
memory/2276-149-0x0000020FF1C40000-0x0000020FF1E34000-memory.dmp
memory/2276-151-0x0000020FF1880000-0x0000020FF18AC000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\GMap.NET.Core.dll
| MD5 | 819352ea9e832d24fc4cebb2757a462b |
| SHA1 | aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11 |
| SHA256 | 58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86 |
| SHA512 | 6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a |
memory/2276-153-0x0000020FF2130000-0x0000020FF2412000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\GMap.NET.WindowsForms.dll
| MD5 | 32a8742009ffdfd68b46fe8fd4794386 |
| SHA1 | de18190d77ae094b03d357abfa4a465058cd54e3 |
| SHA256 | 741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365 |
| SHA512 | 22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b |
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\NAudio.dll
| MD5 | 3b87d1363a45ce9368e9baec32c69466 |
| SHA1 | 70a9f4df01d17060ec17df9528fca7026cc42935 |
| SHA256 | 81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451 |
| SHA512 | 1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7 |
memory/2276-155-0x0000020FF1940000-0x0000020FF19C2000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\FastColoredTextBox.dll
| MD5 | b746707265772b362c0ba18d8d630061 |
| SHA1 | 4b185e5f68c00bef441adb737d0955646d4e569a |
| SHA256 | 3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519 |
| SHA512 | fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8 |
memory/2276-157-0x0000020FF19D0000-0x0000020FF1A2A000-memory.dmp
memory/2276-159-0x0000020FD7760000-0x0000020FD7768000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\IconExtractor.dll
| MD5 | 640d8ffa779c6dd5252a262e440c66c0 |
| SHA1 | 3252d8a70a18d5d4e0cc84791d587dd12a394c2a |
| SHA256 | 440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2 |
| SHA512 | e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32 |
memory/2276-161-0x0000020FF1E40000-0x0000020FF1FA8000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\SimpleObfuscator.dll
| MD5 | 36eeec5c7b1104051c541766293a1284 |
| SHA1 | 5923a2ca10546e2f5b5faea2c775da48c044e16b |
| SHA256 | 4f73b661a1b1de05057a0471be167ff4a15c8997b6ac772791d6bb946ad9cee3 |
| SHA512 | 7bf57c51b500c424dc57c6991edf3481b86abbfb45593856c50b4f5e44fe8a2c1cee1b60e0cf00b2773612dad9128289f9108ff9881524e95198311b35efc691 |
memory/2276-163-0x0000020FF1B00000-0x0000020FF1BB2000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\Newtonsoft.Json.dll
| MD5 | 195ffb7167db3219b217c4fd439eedd6 |
| SHA1 | 1e76e6099570ede620b76ed47cf8d03a936d49f8 |
| SHA256 | e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d |
| SHA512 | 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac |
memory/2276-164-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
memory/2276-165-0x0000020FF2420000-0x0000020FF2D56000-memory.dmp
memory/2276-166-0x0000020FF2D60000-0x0000020FF394C000-memory.dmp
memory/2276-167-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe
| MD5 | 850f41edaffcf0a3ced7ce53c8cb9b3f |
| SHA1 | 43a6f3f9f57a941762d8f8159e02deedc268d03a |
| SHA256 | 5fe68635bfdf4f54899933378b3ba18c1b2926514d7352e5427069e576ecf3a1 |
| SHA512 | 17fbe5791b42b1ec871e831f76979b69b4da6fee5f3bb39fb90fb3530204699ce54525f38f2f742c6f54da7cbb3e5e1ae6e94343da07cbfa47326ba9b2a2621c |
memory/5232-169-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/2276-170-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
memory/2276-171-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/2276-172-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
memory/1164-174-0x000001A5DF4E0000-0x000001A5DF4F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c6d0b1d0ebc744e45a702e6a9fa7b8ea |
| SHA1 | 20e7dd56b71649ea0198ad4c316dad60e8cd5475 |
| SHA256 | 5ed5f31b2bfd3f9ba5e19a16114e951debd6b4164f9a7bb6946294e243efa389 |
| SHA512 | f3c7637c989df8038b97bfe40db99f8794c58c7e877a52fd75578a06efcd2373af88bae75723a94920d03917b80c123d0208ce7894a46fb6e26a2c09539b15bd |
memory/1164-180-0x000001A5DF4E0000-0x000001A5DF4F0000-memory.dmp
\??\pipe\crashpad_2316_VSRPLMHBLYWWRSGR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e59f17ca44af272a9b1f5d2b52bb6285 |
| SHA1 | 93e0e96e6a54bdf2ce5014c68679c92355f1c601 |
| SHA256 | 687ec44f20ead9699ad30ba4709245024ff043e9463e5f532a7a0fe6a1343a46 |
| SHA512 | 0f3ca2c0e53f6345bce9a13fa09cdc68d4db65155a66283739acb03ffbb5cc36a79c42219458a6d37b4436e1e0dac22569f4e03803d3412ebed6c6b2c9533447 |
memory/1164-201-0x000001A5DF4E0000-0x000001A5DF4F0000-memory.dmp
memory/1164-203-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/1164-204-0x000001A5DF4E0000-0x000001A5DF4F0000-memory.dmp
memory/2276-207-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/2276-216-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4990d18a2051b63defbf92b055e6f235 |
| SHA1 | 13835dd9f7dd43edba60469d04c8f7a7312a210b |
| SHA256 | 2c9e40f06e837600268e2d0bc76da08f94ca6a85762005114f51cfb819ee1038 |
| SHA512 | ee14fa822154fda7ef95f8e7ad07dbbd30e911fdcf70baee4376e218e1db80e2a268ff3dc73859c1372962a809a2531c80f0560f7fd56ed82446d7d96f57997c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2a570350aae322ebac22d78e1442626c |
| SHA1 | 3192668ef16f250c87fa14d6b84c676a72fa651f |
| SHA256 | 2dc1d7952bbdc0884fb7128bd3520ea19e4737cf7acf7b34f82f3e261910f50a |
| SHA512 | bd0a1b13aa7f3a290489a8fb5ff709d208ac5f484e2315d35207e513948de40aa690e24c1fb8f1d3db34b037e86c6d102064fd505d911a937330458774aed9f1 |
memory/2276-242-0x0000020FD9170000-0x0000020FD9180000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | d8ec6887a74ea76a7b56f03609cddb02 |
| SHA1 | b47100c43f78f69e2b018be5a297c988ed9a1ebb |
| SHA256 | 4c5ebe357474196de57e40d75cafeeac4478028a4980c1e8653daf2cb717efe7 |
| SHA512 | 4779f7e14508d1b212f51ee08c1cc34cdcfccd444aa3dff97c37c1c4c4d8d33f76524aace5172c5ee4dbb715f85474d846dfb0052717ea4f8ef716f5f565d656 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
memory/5232-269-0x00007FFA33960000-0x00007FFA34421000-memory.dmp
memory/5232-270-0x000001A6B0F80000-0x000001A6B0F90000-memory.dmp
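Three things in the Files section above are easy to misread. The path XWorm V5.3.exe is listed three times with three different digest sets, which means the sandbox recorded that file with different contents at different points in the run and each digest is a separate artefact to pivot on. Several Edge artefacts (the crashpad pipe, SiteList-Enterprise.json, SCT Auditing Pending Reports) hash to the digests of zero bytes, "{}" and "[]" and carry no information about the sample. And the companion DLLs (Guna.UI2, GMap.NET, NAudio, FastColoredTextBox, IconExtractor) are WinForms UI, map, audio and text-editor libraries, i.e. the dependencies of a desktop GUI application, while the AgentTesla label in the summary is the sandbox's signature match with no indicator shown for it, so the family should be confirmed by other means. The Python below is an added example, not the sandbox's own code: it recomputes the trivial-content digests with hashlib instead of hard-coding them, flags paths written more than once, and lists the remaining SHA256 values as pivots. ENTRIES is a subset of the entries above as (path, MD5, SHA256).

```python
"""Flag trivial-content hashes and rewritten paths in a sandbox Files section.

Added example, not the sandbox's own code. ENTRIES is a subset of the report's
Files section as (path, MD5, SHA256); which contents count as trivial is the
editor's choice.
"""
import hashlib
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\XWorm V5.3.exe"
EDGE_DATA = r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default"

ENTRIES = [
    (SAMPLE, "bf8a1c0619550f26c630679f66c36328",
     "3f6e9c631f01e0f3285fbc54114e7a170c64550e57d5f94366eb4e400b476a3b"),
    (SAMPLE, "b8095be67bd7c9afc6f31e57dc4d8e12",
     "2b48a1b425be6aa121eb76e412629322ebf3387cb6c74abfed629b70477159fd"),
    (SAMPLE, "850f41edaffcf0a3ced7ce53c8cb9b3f",
     "5fe68635bfdf4f54899933378b3ba18c1b2926514d7352e5427069e576ecf3a1"),
    (r"C:\Users\Admin\Downloads\XWorm V5.3\XWorm V5.3\Guna.UI2.dll",
     "bcc0fe2b28edd2da651388f84599059b",
     "c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef"),
    (r"\??\pipe\crashpad_2316_VSRPLMHBLYWWRSGR",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (EDGE_DATA + r"\DualEngine\SiteList-Enterprise.json",
     "99914b932bd37a50b983c5e7c90ae93b",
     "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"),
    (EDGE_DATA + r"\Network\SCT Auditing Pending Reports",
     "d751713988987e9331980363e24189ce",
     "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
]

# Contents that tell you nothing about the sample. Digests are computed, not
# hard-coded, so the mapping cannot drift from the labels.
TRIVIAL_CONTENTS = {b"": "empty", b"{}": "empty JSON object", b"[]": "empty JSON array"}
TRIVIAL_SHA256 = {hashlib.sha256(c).hexdigest(): c for c in TRIVIAL_CONTENTS}


def trivial_entries(entries):
    """{path: label} for entries whose SHA256 is that of a trivial blob."""
    return {path: TRIVIAL_CONTENTS[TRIVIAL_SHA256[sha]]
            for path, _md5, sha in entries if sha in TRIVIAL_SHA256}


def digest_mismatches(entries):
    """Paths whose MD5 disagrees with the content their SHA256 identifies
    (a transcription error in the report, or something worth a second look)."""
    return [path for path, md5, sha in entries
            if sha in TRIVIAL_SHA256
            and hashlib.md5(TRIVIAL_SHA256[sha]).hexdigest() != md5]


def rewritten_paths(entries):
    """{path: [sha256, ...]} in report order for paths recorded with more than
    one distinct content: the file was written more than once during the run,
    and every digest is a separate artefact to pivot on."""
    seen = defaultdict(list)
    for path, _md5, sha in entries:
        if sha not in seen[path]:
            seen[path].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


def pivot_hashes(entries):
    """Sorted SHA256 values worth searching elsewhere (non-trivial content only)."""
    return sorted({sha for _p, _m, sha in entries if sha not in TRIVIAL_SHA256})


if __name__ == "__main__":
    print("noise     :", trivial_entries(ENTRIES))
    print("mismatch  :", digest_mismatches(ENTRIES))
    print("rewritten :", rewritten_paths(ENTRIES))
    print("pivots    :", pivot_hashes(ENTRIES))
```

On this subset the three Edge artefacts are reported as noise with no MD5/SHA256 disagreement, XWorm V5.3.exe is the one rewritten path with three digests, and four SHA256 values remain as pivots (the three executable contents and Guna.UI2.dll). The memory/... entries interleaved in the section are process memory regions dumped by the sandbox, not files on disk, and are left out of ENTRIES deliberately.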