Analysis Overview
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
Threat Level: Shows suspicious behavior
Verdict for the file XWorm v5.1-5.2.7z: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Program crash
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 12:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 12:50
Reported
2024-03-14 12:53
Platform
win7-20231129-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.7z\ = "7z_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.7z | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2248 wrote to memory of 1804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1804 wrote to memory of 2756 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 12:50
Reported
2024-03-14 12:53
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1B6C28\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1DEE58\XWormLoader 5.2 x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1094B8\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A11ADE8\XWormLoader 5.2 x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1CDAF8\XWormLoader 5.2 x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A12D609\XWormLoader 5.2 x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A140A39\XWormLoader 5.2 x32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1F8749\XWorm V5.2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1B6C28\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1094B8\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO0A1F8749\XWorm V5.2.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zO0A140A39\XWormLoader 5.2 x32.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
C:\Users\Admin\AppData\Local\Temp\7zO0A1B6C28\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A1B6C28\XWorm V5.2.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A1DEE58\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A1DEE58\XWormLoader 5.2 x64.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A1094B8\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A1094B8\XWorm V5.2.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A11ADE8\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A11ADE8\XWormLoader 5.2 x64.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A1CDAF8\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A1CDAF8\XWormLoader 5.2 x64.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A12D609\XWormLoader 5.2 x64.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A12D609\XWormLoader 5.2 x64.exe"
C:\Users\Admin\AppData\Local\Temp\7zO0A140A39\XWormLoader 5.2 x32.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A140A39\XWormLoader 5.2 x32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4948 -ip 4948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 884
C:\Users\Admin\AppData\Local\Temp\7zO0A1F8749\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\7zO0A1F8749\XWorm V5.2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO0A1BBC59\Fixer.bat" "
C:\Windows\system32\lodctr.exe
lodctr /r
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zO0A1B6C28\XWorm V5.2.exe
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
C:\Users\Admin\AppData\Local\Temp\7zO0A1DEE58\XWormLoader 5.2 x64.exe
C:\Users\Admin\AppData\Local\Temp\7zO0A1094B8\XWorm V5.2.exe
C:\Users\Admin\AppData\Local\Temp\7zO0A140A39\XWormLoader 5.2 x32.exe
C:\Users\Admin\AppData\Local\Temp\7zO0A1F8749\XWorm V5.2.exe
C:\Users\Admin\AppData\Local\Temp\7zO0A1BBC59\Fixer.bat
C:\Windows\System32\perfh011.dat
C:\Windows\System32\perfh009.dat
C:\Windows\System32\perfh010.dat
C:\Windows\System32\perfc010.dat
C:\Windows\System32\perfh00C.dat
C:\Windows\System32\perfc00C.dat
C:\Windows\System32\perfh00A.dat
C:\Windows\System32\perfc00A.dat
C:\Windows\System32\perfh007.dat
C:\Windows\System32\perfc007.dat
C:\Windows\System32\perfc011.dat