fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d

Analysis

max time kernel
221s
max time network
461s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.1-5.2.7z
Size

54.5MB
MD5

76219b3556e25086fc52f8e2b93fbd0c
SHA1

066a0f875820e51a60c3552a06b7b97f8bab6bbc
SHA256

fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
SHA512

ccc974b8e446409c7940ef8314b2a912a2f8c0272721148d4dca5b739702106e69c9c7d106137a576b7a7a846d4f9ac770685a07d7a588ba34d0167acb07f104
SSDEEP

786432:8IagoCEXKlCpMqIEJkseGG+5ELbzcFdcyt5/ks3FkAPYxpL+q7RRHEm+0NyvZZGl:8JgXCzIsGrPzcFrt1F3Yxxrr+4yvZE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

XWormLoader 5.2 x64.exeXWormLoader 5.2 x64.exe

pid process

2704 XWormLoader 5.2 x64.exe
2312 XWormLoader 5.2 x64.exe
Loads dropped DLL 21 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
3020
1196
1196
1196
1196
2936
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2704	XWormLoader 5.2 x64.exe
2312	XWormLoader 5.2 x64.exe

pid	process
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
3020
1196
1196
1196
1196
2936

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D519A441-04C3-11EF-8414-4A4F109F65B0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000004c00e69c6dc71b93a052fd7323dbee255ba7f39630d0ed9cb3e87b61a581a682000000000e8000000002000020000000eaa1e7a8a9a6a0e39f2a17ab2df80f1398ce751991d44519d2ae0684c407e7bb90000000d54abec209675ee413e975aa02844681a34c5b1a1304919339aeb4b903309fbbd200ddd9a07d93a67309b6fdff22e25bc3701566ef410d9c1ff54c8dffde7a3167fbacfaf49e37363420e9050a81a6137ad674b2644ef30e77e08648abece974650626ffd88a84e83f46cf209e7a8ccb1251115eec2a5abe25d2924e8109f258afd8edab4dcb454696151b434b371c7040000000101cd48b7f85559b410b7951415670d73d1685c1bfba5bfde4e0ce2c7485128cb2af8ed3ec6951d98f0d5d96d70c398d3ac7dd2227cf65f56919d179aaff43f4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000bda571c5b67ccaef78a743ba11abbe5532db69e0bb2de6da7274a8735a07ed92000000000e80000000020000200000007c6c0d726c4ea8067a86c97e542284da560c2334d91d3011def3a60a2635f063200000006ec755fdec8947cae00572c335d06681fdd76d424649303fe6b55f6b69cb302f400000007a47a4877ecd2282f90ac5f29e6608c2dca5d18f447c73ba53381364e65180e7453c61f23f6e23abf60011b5a85476bc227cccf5af5a7010b00765e1c7de22bd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cf28b9d098da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420404331"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

1248 chrome.exe
1248 chrome.exe
1248 chrome.exe
1248 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1340 7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1340	7zFM.exe
Token: 35	1340	7zFM.exe
Token: SeSecurityPrivilege	1340	7zFM.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe
Token: SeShutdownPrivilege	1248	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

7zFM.exeiexplore.exechrome.exe

pid	process
1340	7zFM.exe
1340	7zFM.exe
1340	7zFM.exe
2612	iexplore.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe
1248	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2612 iexplore.exe
2612 iexplore.exe
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE
2624 IEXPLORE.EXE

pid	process
2612	iexplore.exe
2612	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeXWormLoader 5.2 x64.exeiexplore.exechrome.exe

description	pid	process	target process
PID 3008 wrote to memory of 1340	3008	cmd.exe	7zFM.exe
PID 3008 wrote to memory of 1340	3008	cmd.exe	7zFM.exe
PID 3008 wrote to memory of 1340	3008	cmd.exe	7zFM.exe
PID 2704 wrote to memory of 2612	2704	XWormLoader 5.2 x64.exe	iexplore.exe
PID 2704 wrote to memory of 2612	2704	XWormLoader 5.2 x64.exe	iexplore.exe
PID 2704 wrote to memory of 2612	2704	XWormLoader 5.2 x64.exe	iexplore.exe
PID 2612 wrote to memory of 2624	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2624	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2624	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 2624	2612	iexplore.exe	IEXPLORE.EXE
PID 1248 wrote to memory of 2116	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2116	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2116	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 468	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 1784	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 1784	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 1784	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe
PID 1248 wrote to memory of 2892	1248	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
1⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1340

C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=XWormLoader 5.2 x64.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5ea9758,0x7fef5ea9768,0x7fef5ea9778
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:2
2⤵
PID:468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:8
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1168 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:2
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1236 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3436 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:8
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3224 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:8
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3544 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3780 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1596 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2440 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3908 --field-trial-handle=1380,i,318333333422901826,4384035539331645268,131072 /prefetch:1
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2956

C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
402ef2310173d0fe9e911c37b4af5840

SHA1
452b60f09ebce3c5db3fe1e7d45c8f2a268f945b

SHA256
40bcecca32779ef96588ed62275da1eb3c911cc475513597fcf5a6d9be60bfd6

SHA512
d01516869b85062d89bdfbaaa98e09ea405f2a45bdf1e0fd3a9777662c4c7cc25f2310eda842233db48cf8c698a022c9a34b81c454a123c4a4b20c868d9f1ae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c154c98c46bf26f9c86d422643dd4844

SHA1
c87039c6bec64fb3941888bfed7b30bb6e5127a2

SHA256
1ffe644fae5e2337e3cce52d2e0a9b0185d84146afa31e2d5fec3f65a15875b5

SHA512
a889bebba554b7fa2a8cba6d53bcdb43a28c95155454ed88d86b08473ae41c5f4126ea1c9c852d26b27f26975a1771193d041602fa538288d0065881c134db33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c93f4c67abae11b4bc527b4e3e6c3564

SHA1
78d310aeac101e00e2382d1975b6260c3cffc3f9

SHA256
875d64f41f50eddf1c6b8fde95cb6e5e664bebb51c78b810f0bca24695422d42

SHA512
10a15b9794c2cbe76e97f0c0d6cd8b66799925d19792546bdd3676a2d5f6d3bea4aab42ff6b8c3f43438aba8eb50bf45d8b33f1437db795454076f01fa9d4a40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05a1fa38f8a523e97737986829dc631c

SHA1
9befe5f50e6c1bf06a1c6ede4d247da61802c8f5

SHA256
5b5e2e454c71566e550bb0726b544dac6f1226ff719ed8ee5f4981fbf12153b2

SHA512
d7f28678881a97063f17493426358842ac206c3a4e093561ea7c299e26f7da35509e53aaefa822745785e78ed665e52665d36f0556d20d79ca31049d0a62ee8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2116d70035e70536b8bccb458ecf502

SHA1
eae63158f2914aa56357dadf881d1ce830f367c2

SHA256
d850805b7a9b1d27298d02faa0ce83fe89e4fc9696093bac8fadefe9d48d711c

SHA512
09aa9ccb75aa5846b710a2ccffc18912a0d192b12baca13a2336dc94690097919da4dd080f72e5f266fa3b4cfd0d9ee84dc938b80caa3eebf15fc842f6254986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
899e17fa174d10000a65d93ffccd2269

SHA1
4d38bea4f24b2070a252368087bb2d0fbb382b36

SHA256
3e9b4eca77ef10663cafcfbbed47f36e733bff15e907a733f2ad6e0d50695edb

SHA512
f84182239c46e6d8b096d141e297e92264121a184290af80fa56e7e448c15064bcdc1f439a9d7da73250c56844eb0ed6b9676d90dfc7cf674075847d32488bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edcc481d0b395520371ec5895c6a4b36

SHA1
d00a1e4ec99a4f9b61995484acedbcdfb234d5d1

SHA256
971bee8ce90661566368fc82db1eb5b478c898ce40fda5eec6810e1dd766d908

SHA512
a81b38e2c9c7128e63a3fc0f7c0b202ec5cfe3509f25523741bf68de8c27c7ab9628c36dfd29d3c60684bbacecdd086080d9524233cdeb6157c2ded7a0482595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
91a343297e45f1733c8bd0f22cd52e80

SHA1
a0e4cfa6b687923a76764f255fe930823643dc8b

SHA256
8aa450e316f535ab74139d23eb94ecbde5f64f795747f3761580804f0cd2bb7c

SHA512
29c7477c481438d5ce47d8a30fbd0c10381545b0b438d41f507c4a09bb75028b9a7033c485c4d9f11249e1d982f92e6eb937bbdf1d6acc6f68d3713ff2f92331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52c58581614dee2171d17b24aa209ee9

SHA1
ff885270ed668a6ced64ca5419392191bc7327e3

SHA256
d3ce54bdd9f0c879839981722f221c13ca32c89275e5f827a41980ccc86294dc

SHA512
0fd7604a43b85ae40013e64684954f6388d63b627834bb5a21b56468fa24fb7cfc45355e1b154c924d0e915113b419328989acf92d211c0be9765068e65d2093

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3462cfad0bcf45705a08f0d3d650125b

SHA1
1ff2bd77da31a9a3fc0a5b60ed3a2597c97e17b8

SHA256
f9ae37c2c91e8dfeb6f4eb1c9894aa0b25c4360cfc3a9dd516ba5ed51957f767

SHA512
b77de88c01d3709791016421eedfdbedb20d800067aa6b0ae68ca61fddaf23306eabef19425d5d0083bf22fbfd6616dc305292bfe028a414d854ec7837522906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a6d0f5b584502636224a0f77e9e2ef3

SHA1
5894c635c04559bdd80e4ed743decfc949f33d25

SHA256
89a1b30e189d0226fc82fb1484af0ef5d07b443343d49d8f2834f70481332468

SHA512
78bd75b6251f3ede59b0fe74834a2031cadfdceb618226315040418dd083d40a510570160d1c55def652f2021bf91509beeabfaca3a11f6f824add7786127307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd38d247376c6abc760ba9a25c09ac99

SHA1
09add5382778ba85439e867bbce1abf6f122089b

SHA256
258f952d68a384a60086c685486f0978d2fae5550cf1173e458b5373f18f3086

SHA512
6aac787494d5928a80dfaf269963870d94186beeabcae0da300703f7e88d5b998595b645ab1746b4d2aa57d98dddbca5703ed33d565208fa5f56206d68a167d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
983B

MD5
75c4ae893e46e78fd0c78a3430df66ca

SHA1
806e2419b55df0b5548dc713230dd1495308b9fc

SHA256
b9a7dbd4519f673d754cd5899453138663c5542a0448695ee0d689265835e927

SHA512
103b43f8c0c87761980e6255ed3e6546c7bf28c4960b9f03873e0d97f32075b64151263a54f6b6d37a8f2573afd2e701614628a15683c2359bf11aea6a9b9153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
792B

MD5
57171108beb7c39dd70152f42149bb1f

SHA1
e0b733c656e6a5545dc22dd1b6752dee05a7fb4c

SHA256
792aa0aa5204d239e0f7ebbe522f095a2e70cfa6384359614c0e4d7e61f789b0

SHA512
e9cfed4e2397ba9af747906245ff5ccc4b814bfdece00bf772436cb0f887f76024f7315eebf3fc016145ebb3da9b06a8c619d41413fc19e3271662c9d84b71ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
744fd682f3dbde6d6d1de5ebe5793909

SHA1
303da3db37b772022b54a7c3570a1242031f5b1c

SHA256
764a56ef8a343d247caea3a636f251a124e760c7c1c0ff7379e4ea8611d5d8e4

SHA512
4bf389e159a73b6f9b6f70c22911e920702006254ea3165b73b36cac294694575bb5a46e85cf235c4e0c94c33a0a58a858ec0bf99d6ecc35b061d0baa0ee5501

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9625b87bc8eb4610ed0ee9b9a5f30b75

SHA1
7e10a9222984ec7bac6e3c780c3a32959f344694

SHA256
e234b68e20d85daeb5accdcc44472dd7cd536fcdf68074dabb331d2e45fdee66

SHA512
10d3cc4374f2465892d4f0137706e85d16c64c57d7035ac111466d73065a6efdaa6e51a0d9775dc4731966edb57ddb34e58bc5ce1143a0aa2ec731a65355de5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9bca12b82957d0e5db7518db35e6df2d

SHA1
c70d608c0f93d02ca7f8338e2e1ed3545c586ad1

SHA256
698e09f9a11a04f5e36e30d4ba50cdcb61bbe0b8729c967e6ab6e46ac758d227

SHA512
077a0e1bb743f432e72097d0ccd98946b7c01c3cdc9b12840ffb1b77aa9b9c8a28021b5d7f3751e22a4f486dd49cf4f8d3ede01cd1ca8aad409798249d909d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC3571156\XWorm\XWorm V5.1\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC3571156\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21AB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\??\pipe\crashpad_1248_ATVFQOUJIWOZOPXQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit