agenttesla | 01a0c31283f9105ff1cd59672d168f435e0a2a536d66584746aef636c9164b21

Analysis

max time kernel
306s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tcp_tunnel.py
Size

5KB
MD5

6d53d6a2d7114b0f4819dc53246f5b2b
SHA1

834625f9c44c4e2909fc081a0a8d54aa27a75d26
SHA256

01a0c31283f9105ff1cd59672d168f435e0a2a536d66584746aef636c9164b21
SHA512

9f6e2e5e8cdee79df103f0e35923aa2123cdbb23ad7f9a6234a9e634e94bab24ce1492be25fea1e705ffdc91070bde7270d202eb82df680de47cab65ea848082
SSDEEP

96:6/WbVfvWWEuTqyvszKpzat/w/4+cJkY+GBc++8+K5M:BVfvWDuTqyv4Mce4+cJkY+GBc++87M

Score

10^/10

agenttesla xworm execution keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral1/memory/1712-484-0x0000000000310000-0x000000000033A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Guna.UI2.dll	family_agenttesla
behavioral1/memory/3160-559-0x0000028C794F0000-0x0000028C796E4000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4880 powershell.exe
1972 powershell.exe
4612 powershell.exe
4620 powershell.exe

pid	process
4880	powershell.exe
1972	powershell.exe
4612	powershell.exe
4620	powershell.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	net_reactor
behavioral1/memory/1712-484-0x0000000000310000-0x000000000033A000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XwormLoader.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	XwormLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 5 IoCs

Processes:

XwormLoader.exesvchost.exeXworm V5.6.exesvchost.exesvchost.exe

pid process

2992 XwormLoader.exe
1712 svchost.exe
3160 Xworm V5.6.exe
4416 svchost.exe
1588 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2992	XwormLoader.exe
1712	svchost.exe
3160	Xworm V5.6.exe
4416	svchost.exe
1588	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1688 timeout.exe

pid	process
1736	schtasks.exe

pid	process
1688	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeXworm V5.6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623788701716693"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

1712 svchost.exe

pid	process
1712	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exeXworm V5.6.exetaskmgr.exe

pid	process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
4484	chrome.exe
4484	chrome.exe
4612	powershell.exe
4612	powershell.exe
4620	powershell.exe
4620	powershell.exe
4880	powershell.exe
4880	powershell.exe
1972	powershell.exe
1972	powershell.exe
1712	svchost.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Xworm V5.6.exe

pid process

3160 Xworm V5.6.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe
5004 chrome.exe

pid	process
3160	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe
Token: SeShutdownPrivilege	5004	chrome.exe
Token: SeCreatePagefilePrivilege	5004	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exeXworm V5.6.exetaskmgr.exe

pid	process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
4356	7zG.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeXworm V5.6.exetaskmgr.exe

pid	process
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
5004	chrome.exe
3160	Xworm V5.6.exe
3160	Xworm V5.6.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exesvchost.exe

pid process

4704 OpenWith.exe
1712 svchost.exe

pid	process
4704	OpenWith.exe
1712	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5004 wrote to memory of 1784	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 1784	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 4184	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 3044	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 3044	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe
PID 5004 wrote to memory of 860	5004	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tcp_tunnel.py
1⤵
- Modifies registry class
PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe238bab58,0x7ffe238bab68,0x7ffe238bab78
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:2
2⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3048 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4252 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4232 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4564 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4592 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4996 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3140 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:1
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1916,i,7466575456265407157,11231729402422733119,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm_V5.6\" -spe -an -ai#7zMap25828:82:7zEvent11362
1⤵
- Suspicious use of FindShellTrayWindow
PID:4356

C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe
"C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:1736

C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe"
2⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp37AB.tmp.bat""
2⤵
PID:2604

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x404
1⤵
PID:4904

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:224

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
288B

MD5
9655202de229eb5cb90f90663eab1c03

SHA1
3c502c74ceace8691dbd89289403571e57a7bc88

SHA256
0aece3d71c952dc16cf224f043274cf8bd0145f6d4268fd6e71809d4515ade94

SHA512
52a22805a9211d33baea65c413e172619bfffcb5c60019c1475045973068ec5c97ca0c9b24687b6f3ff710c69f577b8ab5aa5c1483e5f32b93032a75519070a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
bde60677443eff6196d40ec4b878cf74

SHA1
be29d822f309b030494a9d800aba3894c8ff892c

SHA256
ed0d61d28b6fd0607221165c929f4dc66f752eb39807236488797ee071d0387d

SHA512
fc9c7acd18d199a81a20cca0f8b1b52f84f501225bd63c4adc9c312b10cca120003821ef5b83c2a4f5ea3f6a790637a5c68a84972b8741d6c966cd06d9b914fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9dd0d48de4279b402f3221bb36bbc7fe

SHA1
607d109ba463a33730bb3ffb36c6fbc6c60c892a

SHA256
c196bdab31bd83c0cdb37547383c10e92221cebeee94c802c66bfe59b87bcf59

SHA512
16ef7546c22f8f60c7bc6c9d745530c492ef8713297549c1eb5a9af10d7977d864904a246ac1e93d6e80fe4578ce8e0d291c1f650ea11e1ea035bd15f1410cbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
118ab7a01768b50c0ba18c6209eb9a84

SHA1
7fd4da984d50eacc9915816edb49c977423c85fb

SHA256
0b41c69809218ad63cd725974ab03684f1365307aa4be33212f49f8211360494

SHA512
ffe8a16e2f1c0c14d479312ca4ff93c909883c69c79550483ccca92720a180956bb0b9af94bb1a832e78022b373485497d0a89cd1f8518d532c57dfb11384743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
16373feeed528bfc14b18ec2b1a97d91

SHA1
d653b3e6554ce5bd7387187eb9a6674895c184df

SHA256
893a0a2d99ad434cce0e7fb48458d2763b07f7b97f7e82fa1269e6e8043e8a48

SHA512
d36bbe09676c26e5065de6d98c3ba0240429bf3f2c8d5df01699e7a8754321281b23e2925ed7c440365a15191d8499fcd0e23eb4e43d36ddad5dd15b009a3e53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5f7d6f0c755be5df1cbadb9e9f700635

SHA1
7a397cb0c88977ee6e445deb78db633674f34ac5

SHA256
1b5f2fac4e64facd499e03b868a556258048b9ba2ed083ddeadad2bbbbfde1c9

SHA512
a6c98b0f5754eabc228c70dae7fb7b1f7fd596f6b15dc2f4ae4b7417143089f157d91de2fe463abaabee58405265d6e7e4962db5c10e19faa37e3fb7937df394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
48fa93ef1fbcb752ca79b43ce911bc52

SHA1
7a7bbff15c31fe3b84728c3507448d1f58cc351f

SHA256
4a3c7cf4c43514e9f7530289ad2938aa5fbf6abd49b14c534779b662043a666a

SHA512
a61f751a94529fff5798dc24eaea4e62607a38e791c896fb53849c5121ff448ebf221ae43a6bb902077963c03b4888cb393f7ee86c1dfd9f04693a76adf4d9e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
f0b0a6e9767f3f60139e1f59eecac3d3

SHA1
85ef0f2ecf42031b540b62c93f1d72c4b0db5082

SHA256
e7cc5c17fc8478d18c961a03df8a4d221bee85549932c608d41efca7e9b4c412

SHA512
613b491f7f9a41983289d8678d161332255e18a2d3808154dcbfd586866120dab9073fd8c71ed731351f1b677b4e6fee95d23ae44dee09c97a9ffff4c20dcf64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
d4bd8f31194c3e7dcd8622d8d676ea85

SHA1
c8be368dfa27ab00fe3dd4c6a668f4e6575e1d36

SHA256
ccf31d88f1dfc9bd8fc64a4d261c9667d107b4bfed3d4dd3e982af803df97145

SHA512
657a73f0420a94cca755e2c8bb3441d3330921b97b3e1bb7e6d02aa9e2d84171a4f93233b687beb126be494a353c451e2d9ce0b7affb4d93735a21829dbb63a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
aded9668496afb46015dff307f805c45

SHA1
f9a75698d6705ef60a0055349f09487eee30d060

SHA256
d429e6865b314cf19f0f7c1a87c1e8042ac8246747979693350e7bddeb2a95ad

SHA512
f867d2f28a7a51de4962463d10b7e51c240cc6a274d190f0087e6f60880e3bc9970f152895917bb3d9f8bbacb199c08921ec89a894ec6bd0b0dd86f9a11d374c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
285KB

MD5
c5ba23d1bdc1be237dfbcf2032799740

SHA1
f58599d7bb542ea63fc4211d0e84b42c9942274e

SHA256
a27ab404f52e7c420aefbf599d130bc4d2590394f35a38775081cb608cfee3dd

SHA512
05d2d0035d87b2f4674d16125b7828e753dc2226669a6fee0c2516a933e535d265a267fdbbe0c4c4d34daa3bb10c443b98c7b51487e885987f35368b1ad34d05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
f1d199fe8705314e6d05f6fc495adabd

SHA1
06290219dca4de9a22e961edc58d3f0d6a626db3

SHA256
998f86507102693455e8dd4b623552b30fa77a84ce8b6900fec8790fd10ee326

SHA512
25f009db7d2a1ca91d9312267b21d84609132a136287f46190030a741b1b1b06a0a8152a4137ce0319f4c51575853996b7292346b99f3bad54396d620053e9de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
265KB

MD5
5e04fcda13129aba14fd21ba059174fb

SHA1
6fc51cefbc8ff0ad466076671aff3b2042d8e93d

SHA256
752e683451777fc0bb4209c284dffd5a6a024bfcbe7ae393eb734bd72949a8ec

SHA512
5aff772395e5429450e8710299bd0d8edb95052907446f22c47f3ab92de804d85c3c6944c34dd12a3b8cebc808bb4aedb1c038bfaff1c38f662b8e08bb1eab66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
f267e966dda101c0de24c918598b0647

SHA1
d9a2de299ac72e748058d6248d68fdb83a4fa80d

SHA256
28bf6ee0a3899bd4e51021d3988e9de7f47aa799595b50cea93f935ddaa97369

SHA512
be553ef5be8071903542f6c76ebfe948a45614fe490d2e43ac14facd6072b6f4f48680fd29db38198da14653a659afe83f47ec1a5944ec1fbe5ce3352c10528d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
bd1eb4ce83beb368a89171195d2b187c

SHA1
3ba24ba07caca4f90659dcdae05297480d99a01c

SHA256
71e471d80a53bf8440b1992645a4d2170ea5f65b1c37c0416726ab8d14d4f7df

SHA512
85536eeaeb940c110b95bf8fb7a0b9a99933c46def201e7e8086f14b6594d8f2de929488f7d2284dfea6e1950c7022d334ff62e8387fad84fc39c5b967d60611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581ac6.TMP
Filesize
88KB

MD5
0e95960f992cdd6ea3fd369a6d612d3e

SHA1
8ee1a0e309185e9d7d55fa9a1c0384975a5762a4

SHA256
f5c956227a148191be5dd40f0d7f8e74a944caae92673b56b444acb975906242

SHA512
713581589fef710fd8361795c26033d1e596c457894e320115a12f1de12944d1b2be6753542a9d6df072a54f4418db8af3745cea737d77d1bb8eb36f9a359fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4165c906a376e655973cef247b5128f1

SHA1
c6299b6ab8b2db841900de376e9c4d676d61131e

SHA256
fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

SHA512
15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8c272630e8e17428959afdf706dd25f2

SHA1
fbb34885bdd622ad0cd223158c061afb79ecf575

SHA256
516b559dd72807ab74670c2838aecb8042483d94dcadd774f2636a54e116e1b9

SHA512
d5ae6616d4c36b6134b325e1880ff44e5c90e858989d8199a1137b07b6f0ad3242fafc320adc337148eedb61459ce97116259b4b6aa2c4c0beedd37d8e269cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qe1l51pp.jmc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
144KB

MD5
4b90399888a12fb85ccc3d0190d5a1d3

SHA1
3326c027bac28b9480b0c7f621481a6cc033db4e

SHA256
cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

SHA512
899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37AB.tmp.bat
Filesize
176B

MD5
424444b12009ecf270aca4dfc81f8eda

SHA1
36ea75dfd1e49f4bc18e56244fdac12bfe31c5da

SHA256
69a66b7156497f0b652d2cadec8c344609078a1ba6123b5ac7c7b176eead42f2

SHA512
0e7f1c91bd238632f7b7c3955e77066cdd9679110eeb44b9508b9f0bbdce4d07a2c9f8a24f47fea434b4091bc5f46e0155c4d87fc48f88009c93841c027e2a78

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6.rar
Filesize
19.0MB

MD5
3b7597e2bc5087ebd2f7c9f8267e75cf

SHA1
45288e58f31b55c7dee46e18f645a934787d6fa7

SHA256
38a143f3edf52364adf51a3f7ca7d52682ac87812ceb52182e09628ac07d00fa

SHA512
17aeea2e6db4e67c26f9b44e1a050456ed1bbd1c5e71ef3b0ab48a1daad5637a4261565816059d1359954c1df09ee087c0bff4b3419b83b50187739bbf74d9bd

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6.rar.crdownload
Filesize
22.6MB

MD5
e0d97dcb2cfb54d66b1b5b929341359d

SHA1
2f847aa36437ebee7ba991ecb1eb3503bab379ca

SHA256
9d6a69ad30bb114735a2d6a8c93cf40e5fd697985524f8ecd1b676f585674345

SHA512
c47147a787c46fc2943edcd0047004ad3d697fde162f3849b3a8192569515c6f4b9f9c64d47aa16e324bd9cfdb5348f8c6832bca2237f0b4dc8dacfe933e9115

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\GeoIP.dat
Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Guna.UI2.dll
Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Icons\icon (15).ico
Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Sounds\Intro.wav
Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe
Filesize
14.9MB

MD5
db51a102eab752762748a2dec8f7f67a

SHA1
194688ec1511b83063f7b0167ae250764b7591d1

SHA256
93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

SHA512
fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe
Filesize
7.8MB

MD5
f194b7e7fdbfe0fbf70673937337dc05

SHA1
ca1fb45e83d267ce039a4639181b5f790f5b3241

SHA256
3e4cbe1810496aff2ef544d0aa0b5f8d1c69e2a4e86c21921348ede7a9db3967

SHA512
d63a5d2c84b42944820622fae2bc1cb681ea1e709b9972c35bfca28e198bc18f86f63718b62e50aafa59005df13f2d0f6edd017947133a2cd53688a7cd5844e2

Download Submit
\??\pipe\crashpad_5004_HUQUSGOGSZPQBUMT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-573-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-572-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-566-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-567-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-574-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-578-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-577-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-576-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-575-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/224-568-0x00000299342B0000-0x00000299342B1000-memory.dmp

Filesize
4KB

Download
memory/1712-484-0x0000000000310000-0x000000000033A000-memory.dmp

Filesize
168KB

Download
memory/2992-495-0x000000001CD60000-0x000000001D22E000-memory.dmp

Filesize
4.8MB

Download
memory/2992-471-0x000000001BC10000-0x000000001BCB6000-memory.dmp

Filesize
664KB

Download
memory/3160-559-0x0000028C794F0000-0x0000028C796E4000-memory.dmp

Filesize
2.0MB

Download
memory/3160-500-0x0000028C75C70000-0x0000028C76B58000-memory.dmp

Filesize
14.9MB

Download
memory/4612-502-0x0000017D56DE0000-0x0000017D56E02000-memory.dmp

Filesize
136KB

Download