Overview
Resubmissions
- 10-07-2024 16:39 240710-t51v9sybkn

Analysis
- max time kernel: 401s
- max time network: 383s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10-07-2024 16:39
Behavioral tasks (resource win11-20240709-en for every task)
- behavioral1: XWorm V5.2 .rar
- behavioral2: XWorm V5.2 password 1234/XWorm V5.2/FastColoredTextBox.dll
- behavioral3: XWorm V5.2 password 1234/XWorm V5.2/Fixer.bat
- behavioral4: XWorm V5.2 password 1234/XWorm V5.2/GMap.NET.Core.dll
- behavioral5: XWorm V5.2 password 1234/XWorm V5.2/GMap.NET.WindowsForms.dll
- behavioral6: XWorm V5.2 password 1234/XWorm V5.2/Guna.UI2.dll
- behavioral7: XWorm V5.2 password 1234/XWorm V5.2/IconExtractor.dll
- behavioral8: XWorm V5.2 password 1234/XWorm V5.2/Mono.Cecil.Mdb.dll
- behavioral9: XWorm V5.2 password 1234/XWorm V5.2/Mono.Cecil.Pdb.dll
- behavioral10: XWorm V5.2 password 1234/XWorm V5.2/Mono.Cecil.Rocks.dll
- behavioral11: XWorm V5.2 password 1234/XWorm V5.2/Mono.Cecil.dll
- behavioral12: XWorm V5.2 password 1234/XWorm V5.2/MonoMod.Backports.dll
- behavioral13: XWorm V5.2 password 1234/XWorm V5.2/MonoMod.Core.dll
- behavioral14: XWorm V5.2 password 1234/XWorm V5.2/MonoMod.ILHelpers.dll
- behavioral15: XWorm V5.2 password 1234/XWorm V5.2/MonoMod.Iced.dll
- behavioral16: XWorm V5.2 password 1234/XWorm V5.2/MonoMod.Utils.dll
- behavioral17: XWorm V5.2 password 1234/XWorm V5.2/NAudio.dll
- behavioral18: XWorm V5.2 password 1234/XWorm V5.2/Newtonsoft.Json.dll
- behavioral19: XWorm V5.2 password 1234/XWorm V5.2/Plugins/ActiveWindows.dll
- behavioral20: XWorm V5.2 password 1234/XWorm V5.2/Plugins/All-In-One.dll
- behavioral21: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Chat.dll
- behavioral22: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Clipboard.dll
- behavioral23: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Cmstp-Bypass.dll
- behavioral24: XWorm V5.2 password 1234/XWorm V5.2/Plugins/FileManager.dll
- behavioral25: XWorm V5.2 password 1234/XWorm V5.2/Plugins/HBrowser.dll
- behavioral26: XWorm V5.2 password 1234/XWorm V5.2/Plugins/HRDP.dll
- behavioral27: XWorm V5.2 password 1234/XWorm V5.2/Plugins/HVNC.dll
- behavioral28: XWorm V5.2 password 1234/XWorm V5.2/Plugins/HVNCMemory.dll
- behavioral29: XWorm V5.2 password 1234/XWorm V5.2/Plugins/HiddenApps.dll
- behavioral30: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Informations.dll
- behavioral31: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Keylogger.dll
- behavioral32: XWorm V5.2 password 1234/XWorm V5.2/Plugins/Maps.dll
General
- Target: XWorm V5.2 .rar
- Size: 30.3MB
- MD5: 68b6d1867b72e17f1d23acd2a4832ee8
- SHA1: e94284ac4809d37ffd4257a9ac70d552825670ba
- SHA256: e4b004dd8c3648aee2d1efe073cdf5a79c89fffab06395e9c6b57fde30fcf024
- SHA512: 3de63c69a17b2ee498eca01b08478b0744930302674a9c6c1490737ab7870bfa35583a26ad3a54d82bf980ac25150c6cf91706d5ee70fbf2a16b27bdd1435851
- SSDEEP: 786432:hy+VwnbHHdXmR6ZMZ7EU1oFuuTCq6v7AU:bVmnUIM+WheQD
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\Guna.UI2.dll | family_agenttesla
behavioral1/memory/484-206-0x0000023D65110000-0x0000023D65304000-memory.dmp | family_agenttesla
Executes dropped EXE 3 IoCs
Processes:
pid | process
484 | XWormLoader 5.2 x64.exe
1192 | XWormLoader 5.2 x64.exe
4144 | XWormLoader 5.2 x64.exe

Loads dropped DLL 3 IoCs
Processes:
pid | process
484 | XWormLoader 5.2 x64.exe
1192 | XWormLoader 5.2 x64.exe
4144 | XWormLoader 5.2 x64.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWorm V5.2.exe | agile_net
behavioral1/memory/484-196-0x0000023D65390000-0x0000023D65FC8000-memory.dmp | agile_net
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF | chrome.exe
File created | \??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF | chrome.exe

Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SystemTemp | chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWormLoader 5.2 x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWormLoader 5.2 x64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWormLoader 5.2 x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWormLoader 5.2 x64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWormLoader 5.2 x64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWormLoader 5.2 x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWormLoader 5.2 x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWormLoader 5.2 x64.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWormLoader 5.2 x64.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 44 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
pid | process
4380 | OpenWith.exe
3440 | 7zFM.exe
4144 | XWormLoader 5.2 x64.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 56 IoCs
Suspicious use of SendNotifyMessage 27 IoCs
Suspicious use of SetWindowsHookEx 11 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 .rar"
    - Modifies registry class
[1] C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 .rar"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe
    "C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe
    "C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7ec9cc40,0x7ffd7ec9cc4c,0x7ffd7ec9cc58
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1868 /prefetch:2
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2140 /prefetch:3
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2240 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3116 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3176 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4320 /prefetch:1
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4612 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4920 /prefetch:8
  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4584,i,2022266254670193062,9678358884663642917,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4604 /prefetch:8
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
[1] C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe
    "C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ffd765b3cb8,0x7ffd765b3cc8,0x7ffd765b3cd8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2072 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16001857206899206512,7199232049535301970,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6120 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd765b3cb8,0x7ffd765b3cc8,0x7ffd765b3cd8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xa0,0x10c,0x7ffd765b3cb8,0x7ffd765b3cc8,0x7ffd765b3cd8
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
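In the report's raw form each process line fuses the image path, the command line and the tree depth (the digit before the arrow: 1 for a top-level process, 2 for a child, 3 for a grandchild). The Python below is an added example, not part of the report: it rebuilds the parent/child tree from lines in that raw form and lists what the sample's loader spawned, with any URLs found in the children's command lines. The lines embedded in it are copied from the report (one of the crashpad lines is shortened to its first few arguments); the regexes, the `Proc` class and `sample_activity` are the example's own.

```python
import re

# Process-tree lines copied from the report above, in the fused form the page
# presents them: <image path><command line><depth>⤵. One crashpad command line is
# truncated after /prefetch:7 to keep the sample short.
REPORT_LINES = [
    r'C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 .rar"1⤵',
    r'C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵',
    r'C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2 .rar"2⤵',
    r'C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe"C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe"1⤵',
    r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵',
    r'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:73⤵',
    r'C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵',
]

# The image path ends at the first ".exe"; the command line runs up to the single
# depth digit that precedes the trailing arrow.
LINE_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


class Proc:
    def __init__(self, image, cmdline, depth):
        self.image, self.cmdline, self.depth = image, cmdline, depth
        self.parent, self.children = None, []

    @property
    def name(self):
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(lines):
    """Rebuild the tree: a line of depth d is a child of the most recent line of depth d-1."""
    roots, stack = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = Proc(m["image"], m["cmdline"].strip(), int(m["depth"]))
        while stack and stack[-1].depth >= p.depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        else:
            roots.append(p)
        stack.append(p)
    return roots


def descendants(p):
    for c in p.children:
        yield c
        yield from descendants(c)


def sample_activity(roots, sample_substring):
    """For every top-level process whose image contains sample_substring, return
    (descendant image name, URLs in its command line) for each descendant."""
    found = []
    for r in roots:
        if sample_substring.lower() in r.image.lower():
            for d in descendants(r):
                found.append((d.name, URL_RE.findall(d.cmdline)))
    return found


if __name__ == "__main__":
    for name, urls in sample_activity(parse_tree(REPORT_LINES), "XWormLoader"):
        print(name, urls)
```

Run against the report's lines this attributes exactly one thing to the loader: it launches msedge.exe with `--single-argument https://t.me/XCoderTools`, and the remaining children are Edge's own helper processes. Nothing else in the tree descends from the loader, and the loader never appears as a writer in the WriteProcessMemory table, so on this run the sandbox saw the builder's GUI and a browser launch rather than an implant being deployed. Two details in the rest of the report support that reading: the Downloads list contains `C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWormLoader 5.2 x64.exe.log`, which the .NET Framework 4.x runtime writes when it executes a managed assembly, and the only network-related command line is the Telegram link above.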
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5b5ad5caaaee00cb8cf445427975ae66c
SHA1dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA51292f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f
-
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
1008B
MD5d222b77a61527f2c177b0869e7babc24
SHA13f23acb984307a4aeba41ebbb70439c97ad1f268
SHA25680dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5fa636a2c187ef7ed4aeebec99524c787
SHA169121b15bc5336b6872435fedd14c7d847284f24
SHA256174135973148a092fe79362b22f66d60de72e6f489c5ab3e51d91668f782d932
SHA5126fab7f5a5f7677e640ef3cfdf75caf00436012da9f89b4f35188eef3a4131689617d2d031311561dda652793f4a3779236c27a9eb1c4e25d1cc92e4693971b79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD533aef139859eb48c5b99fdc20624dbfd
SHA1d24827364525c7073abfc14a068e90b824645476
SHA25687ef3e1c87f2446ef6f3617340fd2c71e84680895e835a66d576eb5929dd7365
SHA512a791fa1cfcefe98472a32846568a95ccf6fe1676b6740c75db860955e5f5815e73131c69ed6eb10dc55f34cee405d186b274f5e6bb6d1612754d8269674862c9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5069d3831161a35c9aafdfe1a9ca21bd5
SHA1dcdf372b73b3bfb5a34801c64730b9ddc028d814
SHA2560207877db5bace99d94f90def2ff932967c167c3baef7519bdafb96723e17d57
SHA512ad2fff16b3ed833ef61e89675543d73c698b342206f61653439d1b95cfd4b87eccf99244510994286884f6b9e551ff5ae7cf40e379da4f5a1a97ca8e63f73fbc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD52aaa423d373d3b248766d0e1962f20dc
SHA1f7f1e0cff7b3710201ddd1040c84b3071d6c190a
SHA2564d32c13f8554f8f78a7d99a14ebe1a7fcb58be11ab1b808227d4cd79819617e9
SHA5128d5454e2adde844abc72aacd3d6edee8fa2802c40d0f08bfe116ce3b04857997a0e0489b578c400ed02db0c76c02a7bc853e9f350e57fdfcb0c7a5f2a2d9f8ed
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5ea57d030854fb8e8c4a0f7b2106a68d9
SHA1b1e871f2d41be07aeb0d14a3451e5cf4a3c22df7
SHA256555d6635ce7d5b8ceda26e81181f9c81aa73db05c2cafa08908cf59289885d24
SHA5122568f02b577c8541b396222a933600954a203167528a9c4363c17d00b30502275394c3ae942135aa66e40f7993af75a0ba05c92a6f399f2f2309f0ae65a3400b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5bd8ce5c385b7d08f84d147d29bc0c106
SHA1046ac8c216c1a6e167bdf5e65ebf1a9ab815dc28
SHA25603edad643992213f1d7b161a7d8277e2e03ac4a0e4c5c99f6f69b780006c37b4
SHA51210013cbe67952edf4c9ab448356927e5abe3620d4ecc06aa237917b99720ead9bad0ea962c4b3244a54dbfd4a38f654dc53c7c731d1977b063b608cfa923cb32
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD50fa5e1c0fcef6e8250cd7cc4557a4e53
SHA138fdee503dc9498e4bdd877b2a86678a937cb2ac
SHA2560a03f6e3efdb0414e47eb4639e1cfd60f7523691e562d23a5c0ad239993f3182
SHA5121916a0d057743f16a0be2fa391bd5c222d25c694271a1aaf71883327cc37e0e6b7cf400e83361c1c7e52fbe511ffac5c6fcbc115941209d367e893d254c03090
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5e689ce60514ab8e71bb4c554ecc03317
SHA13f31d86aa5fe6a4fa939bf6d5ca625d3d5eaf43b
SHA256a5454f65b8f330300e9aef76fb27577bf39b5150a390a0e999855d35b0666abd
SHA5129df11ddcdf5db91c3d7786e216175e768f3e5b9ace85b583dcf3e96f3aba6a724dd5afa69c693dee8354ac3d9055fe17f20690bc8449f1c48bb3197e75b95889
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD50e1ea6a0c2229016e39a0b29718b8381
SHA178e3d99fb305ef376df7d96b1f52ec3fc01e4225
SHA256af335640e8ac85348861e32b7783358031fba0c568479c65fa1e0213a396d3b1
SHA5127b6c1428ef882543b31eafa6bbb9bdbea11fbfd7f4ef2eb1fb3683fa227ceec8ef5e433f7c2f460457dd45238b3aaa2fe16c797034fcf5fbd02fe671c96cac02
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD55d71e17885098ebecda93ff318c19f3d
SHA109162d39b1648283d5dd57b155406f767021b723
SHA256126f9bc2b14e3a64ec384582c3cc867bef4e8247c24d203bc7492d1280a36049
SHA512ee554069b0182c222a92a8113fb85570c40e9f01bbaa7812f1e9c7343fc4be008eeba357746a50530f8639a32df5044fa001a1786e1fca4a81835fd1aae3c054
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5eac4bd1e359d729495f2421fa26d3db7
SHA1dd2411badf3310095fd8f6531eef710ac8d87241
SHA256baa8dd3d2f2277d6f5720602ec7b99f972291b06583d0a5648126df416058ff6
SHA512489e4248a35af55e0ce091d803d88dd8da8579078eb80082b555eaeea20a4cb229b5fdfb794a83bb9057f7245e842d46ab4ae31310b776627193459d4155a469
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD546fcea581b8ea029f51bed73d97d615a
SHA113ae18863a7d1592bf4670d0c833fde302c1f34e
SHA256f0196c7c43b851e6ad3cf15c9dd6976cbbc44c998813eb2433e6463c5a46a280
SHA5121a1c9946cc65bde1a1f66b9e5c264fdafa26676e0b6d63723a63d2e45dc42a107d7ed76f5378d7efa1102780a9352134016cc2d406b890fa03371ae8fa7d3101
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5de46495338c6724df678ffb7c9767d54
SHA104c62cac41f0d39f37b8035bb7c82f5f87939a98
SHA2568c5d9c347d6df39ab38b0d364a259d71532babc5fd81b33bbce0d3444850a55f
SHA5122dd1e19b470c78eecaebb9012213537df047f5e5a411c9bbfe5869a5180531e7e9303166ecd64781535dc43d2693c85bad6e42f681b5e90861a65b1de58e6a59
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5107d83567a98d4b0a07fae7d7a2591b0
SHA1138f1b90e50b5671493b6965ef3c625ab53f4de9
SHA256d5ea6c4a903f8015f54eb63c8e615048a47988e026299e1cd355e8cb8284c7a9
SHA5125171ef92dbf90b8c977e4e8b916a57037e90c920fee417ef2b50e79a361915862698895516a2008846dc2e743c7e56c87245147b7e47e40c06d78c04fa1a167f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5e91924a9c50fbee3410aab60ab362829
SHA1bd622cdd8bae3e5c5a8b4a163e50feee7d72c581
SHA256500bc696a11075cfcbf1958b72732e7a0c23931ab6526c0e29624cffe20a7b02
SHA5127c26c14f198609a0f165a6fc71d6f3d92e013547e81db389fe10be054779c74a057c17adf0463284cbad446c8fde9779079ebd40d5d0574ec196f9283184e260
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
15KB
MD579fb7c3d5a4773811fe678007d96c8fe
SHA18c33a19c3a9b1a6458ad4e19f638a4e107efd385
SHA2566bc167b8fdb2c2902358f88a1b5d5dbaf25b034763cf39993e419f0501a8724c
SHA51273165f4f6427c18eabacfa85329cd596d8ce5a1bbd8276396727d0a28ad86eeec71a91f6a82e46d72d4acc718609d348b0a0fb2df42606c221f59934e315da3a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\edad7aa5-7b3e-4408-ba0f-18cb6600a761.tmpFilesize
8KB
MD509d4f51378c90ff6404acd154eb242c8
SHA15bfbd1853c06d3dbfccb4c5a5e18dff1ede76784
SHA256e46f66de298433e250a3daaf96823a14d2da9e225419d253d8b8e40ce6349dff
SHA5121d437ccf14e71ba09bd3f9275134f6d7348541cfb547235cee3cdc997275723c17976d27ed5deba8eadbc2118026c992add883c9e6add497d2ff7419cdb31603
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
92KB
MD5034f007151d90944e1f54913f3f7465c
SHA1103dbd5e0fe695f3a20910b71a8a9b420b938f3d
SHA2563eaf4884e63aa6be42e7e40eefe31a0a99d5b8b0738c28d686a59de3d3164aa2
SHA5122b57ca3cf88ac2a7b1c206b195af87f989b42d3dfd7240b94630d02979d09c8388f5cb6d72d0a2fbae2425e329df8940b094a480a2692c41aae27ffa26c79395
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
92KB
MD5e1e1057ebd0ad6b04f453dfe96acd517
SHA1061976489684e6957f322e56eb8e97e2197f3668
SHA2569f8cc5eb9ed2576ff7019c5e21d455c4b2a50fcafa509412264a5ce0c71b123a
SHA512d61a67697d0af5761edfbe41476f79e965caf5c5ce2479a88b277e7d18243501b3ab65cd2ea9c61468344aa67a252a8db1ca1bfd3d0fa155c91fdfdf426c4ed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWormLoader 5.2 x64.exe.logFilesize
1KB
MD533bb549a6f0e5d5b27d2af0a0894a55d
SHA1c6b7b943d8a8d50da22c40d2f80960af63b18ec2
SHA256f7d6ec766167a17fce46669ca54b383d4468a21faf2eaa5eb02aa1a3b1a2af08
SHA5122e57b52b60bbd44f07c81f605118922650a6da1a4cd85ecfab4f954f476a7a851e1a71ae7e74a57153dabf7ea49bb6a50ca2c73c384871d5f68f05db6e37ced8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD521cf39beee4d807318a05a10dc3f1bf3
SHA101ef7fc09919eb33292a76934d3f2b5ba248f79c
SHA256b766823dabbf6f78e2ee7c36d231d6708800126dc347ce3e83f4bf27bc6e2939
SHA5120baf8b0964d390b9eb7fafd217037709ac4ab31abcdf63598244026c31284cd838f12d628dcffe35d5661ba15a5e4f3b82c7c2d9226ac88856a07b5b7b415291
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f1998107017edc46fed4599ad24cfe53
SHA147e92f0646f0de9241c59f88e0c10561a2236b5e
SHA256cc6838475e4b8d425548ceb54a16d41fb91d528273396a8f0b216889d79e0caa
SHA512ef7228c3da52bf2a88332b9d902832ed18176dfff7c295abfbaab4e82399dc21600b125c8dad615eb1580fab2f4192251a7f7c557842c9cac0209033a3113816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001Filesize
28KB
MD5f4017127d1ec466e5eaa9381fb542920
SHA1431fec3f952f5e45c4ff64a992f7a5d91be34460
SHA25621befff8e26723141b552ff1ab105e9a50d448527155100052d087377f22adbd
SHA512a04a4c40f6fd422ae1cc3f63ef51c221cd5c08cd52352ccb4683abdf3a5e7654d028d227c7fa3736c3baac4d73377743a0fa03e63a5487d6ed8e64e44cde8c01
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
80KB
MD514e39be019da848a73da7658165674cb
SHA1e016473c4189a8cc3dbff754a48b3e42d68af25a
SHA25639595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd
SHA512828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD52ececf143d25455539008d6e6491130a
SHA1c2da644a19a6061501b040fda175eee3d6920db5
SHA256a0cceae9f571a34a3f940f546bb3eed0efd528534c4c0d5169432704323c522f
SHA51264a6a1f05ad793bcfd345d563514af16ccdfd9d396f93eb2c2984601ba8846eaf97b00d37bcc6db1ffa9e444178599e52afb67e12f94822caeda18da8f1330d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 442B
MD5: 284915a4caf84b9f2f8c03db1ec687da
SHA1: 673d2d4f7596e6c770441eeab7aecafa2cdf45b1
SHA256: 8eb8a33aafe824df9726ec755d07d950821767232e227199c61c32bf308e9937
SHA512: 128ba49129858f67a2dd7faf41e6607df0227dfa2c124ea699eb837841fcc2b16ca5a4ebfd3cda7e165049c2bbda7eb7a8f1d6a8ab310ecf75354728daa023c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 51588b2275d2a4d9748f196d2c18c386
SHA1: 36801ba853fb7f8182769e03de14afb5ee4ea920
SHA256: d14f466e7979d19d1973a801fbf48167c41ca4dd6f3d17ac92876054bbdb9560
SHA512: 189794640607554e1be8112e6a8697ff83241b17bd748c15043f250f5094bcbc85c5fb0dd4e2dbdb38b241cf5ca83e516a5c23b36b85bffe1d40fbaaaf72dbfe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: cb8314ed4d18d8f3ebab459d24c74cee
SHA1: ba03f1b8ca20638d5a98292177a11bf954684f97
SHA256: 38b71d8cebbfa61795fb026428157d11a7b5b172ed718d0bd5ce14fae0566d76
SHA512: e40ce67a53f2a5b9b7d17bb633fb912d45e6124925307251e46f0973f044b38ab9daa5338f493ba83b002b1684dff703066f67b0991c0d4f0a768f92cce3809a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: c45e7a176454c3d6b7756be4fc3c7f7b
SHA1: d9a3ff4be70c74147d71a4785439055f61a1a6de
SHA256: c7114e23b4369cba250f6b1426a918d4557345463175230e9547166decfe0e25
SHA512: 24f7e0aba7e353bdbc569ba7abfccbb8f24208cdcb5bd348e053baddc9735105bf17b15aa11677f471ac13b1c1678b9b4b1ef8af7e7545d6e0b72622cac04152
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 538B
MD5: 9d1fb222d5761441039d6e2f434678d2
SHA1: 324d9c6fd80d84ff884686740d07826a8944ccb8
SHA256: 49dbf7d494845429624adac1c3da3399154f73094fd0d01a16cb88d33517ad7e
SHA512: fcad3dadfcb3a1f991c10651d9757f970b1f90029969216626c715c137c4201434e5e602074bd73a11907b658111bf06d50f1d2ce090148c10642359b93c2334
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c6b06.TMP
Filesize: 538B
MD5: 4a24b2fabece2b77de06bae58fcfd060
SHA1: f0a02dbc35cb578408bc2b4d2559450d663bd5c7
SHA256: 718d8ef91414e1555dc2420074badc353f798fea264cfef43178be8a6e6785ae
SHA512: 437a1bff7a6882fc08b0904392abef44e1261151a46745c9c6fa97de2f86e3aa7fb7c8396403478d16c7146f0e815f184b98f1c2bd5008e185769d51df19aa7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: b93211443d6292c6b5a10821dd7fadc5
SHA1: 26e47e0b79b359e425d70a64443454e29a63064e
SHA256: bf9fd7a96425f94f9da89cc12ba9b6995484af9784c76f1abe848b8c267d151f
SHA512: ab87958c408ecbd5c9eb65eeabcc6cf09b5f4e7d0fb300908119d0fee668daa4732c71245f5601b9e945af1dc564418bc9af5af685edc4d9470b786cbc31e42a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: ef4836393e9982c8cbcad5e4fd0a1320
SHA1: efb91e078ba3b0a6a342457557bbe1217113ca8f
SHA256: fe767cdf437463020a9f7deaac6dc07f59798623fb8960751a94c82b7891aed2
SHA512: 931d20df1ad5eede1278030e0df391e661dbd9f7648c8ebac9c9d6f3b18836110382ed56bf8dc9f966936a555d5bbdc89d7716e99b3e2597fe09cff79d063a7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: a7d1e439ad0ff9217bc2de85ff3a32c4
SHA1: a31926de775330752b17adfcaf1b23b225c143df
SHA256: 6e0a27e775f4ce15a40550d5ea27501063080618c5644fd91996c89796bd9586
SHA512: 27d4eb3662cdb8af0420341c3f3bf2f2dfe7613d271b40376e0874d6d9d08cad540e943450fce2807a3785769303e866f26723ebb02d156a7194fd346396cc72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: aa2a6d7236103404046a757e6b50a617
SHA1: a56b318870ef5dc7fce26d80c215a3f29987c7ba
SHA256: 166f2db40f9ca140cecc6d7ada695dfc7b3ce2f2420481080512198072d4ffd5
SHA512: d0db3cc153d7a9bec5ea98901b03457b627a0228a63eab1e8eb78e3b42a3ea84488d44f488784c017eeb788fea60b79b1f2da1dd814e6347ef9515109d711732
-
C:\Users\Admin\AppData\Local\Temp\7zE07D10A58\XWorm V5.2 password 1234\XWorm V5.2\Icons\icon (15).ico
Filesize: 361KB
MD5: e3143e8c70427a56dac73a808cba0c79
SHA1: 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256: b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512: 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
Filesize: 112KB
MD5: 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1: 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256: 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512: 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\GeoIP.dat
Filesize: 1.2MB
MD5: 8ef41798df108ce9bd41382c9721b1c9
SHA1: 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256: bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512: 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\Guna.UI2.dll
Filesize: 1.9MB
MD5: bcc0fe2b28edd2da651388f84599059b
SHA1: 44d7756708aafa08730ca9dbdc01091790940a4f
SHA256: c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA512: 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\Mono.Cecil.dll
Filesize: 350KB
MD5: de69bb29d6a9dfb615a90df3580d63b1
SHA1: 74446b4dcc146ce61e5216bf7efac186adf7849b
SHA256: f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
SHA512: 6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\MonoMod.Backports.dll
Filesize: 138KB
MD5: dd43356f07fc0ce082db4e2f102747a2
SHA1: aa0782732e2d60fa668b0aadbf3447ef70b6a619
SHA256: e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6
SHA512: 284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\MonoMod.Core.dll
Filesize: 216KB
MD5: b808181453b17f3fc1ab153bf11be197
SHA1: bce86080b7eb76783940d1ff277e2b46f231efe9
SHA256: da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd
SHA512: a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\MonoMod.ILHelpers.dll
Filesize: 6KB
MD5: 6512e89e0cb92514ef24be43f0bf4500
SHA1: a039c51f89656d9d5c584f063b2b675a9ff44b8e
SHA256: 1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0
SHA512: 9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\MonoMod.Utils.dll
Filesize: 319KB
MD5: 79f1c4c312fdbb9258c2cdde3772271f
SHA1: a143434883e4ef2c0190407602b030f5c4fdf96f
SHA256: f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a
SHA512: b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\RVGLib.dll
Filesize: 241KB
MD5: d34c13128c6c7c93af2000a45196df81
SHA1: 664c821c9d2ed234aea31d8b4f17d987e4b386f1
SHA256: aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7
SHA512: 91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\Sounds\Intro.wav
Filesize: 238KB
MD5: ad3b4fae17bcabc254df49f5e76b87a6
SHA1: 1683ff029eebaffdc7a4827827da7bb361c8747e
SHA256: e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA512: 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWorm V5.2.exe
Filesize: 12.2MB
MD5: 8b7b015c1ea809f5c6ade7269bdc5610
SHA1: c67d5d83ca18731d17f79529cfdb3d3dcad36b96
SHA256: 7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
SHA512: e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe
Filesize: 109KB
MD5: e6a20535b636d6402164a8e2d871ef6d
SHA1: 981cb1fd9361ca58f8985104e00132d1836a8736
SHA256: b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
SHA512: 35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWormLoader 5.2 x64.exe.config
Filesize: 187B
MD5: 15c8c4ba1aa574c0c00fd45bb9cce1ab
SHA1: 0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256: f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA512: 52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
\??\pipe\crashpad_2760_LOAINUGJXXAGJMHD
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
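Two things a practitioner wants from the dropped-file records above and the memory-region records that follow are not obvious at a glance: which entries are actually indicators (the Edge profile files are written by the sandbox's own browser, and the crashpad named pipe carries the digests of zero-length input, so neither is worth pivoting on), and which memory dump is likely to hold a given dropped image. The script below is an added example, not part of the sandbox's tooling or of the XWorm package; it parses the records in either the fused form the extraction renders ("MD5d41d…", "<path>Filesize") or the separated form ("MD5: d41d…", "Filesize: 442B"), filters the noise, checks each memory dump's rounded size against its address range, and applies a labelled heuristic (a mapped image is only slightly larger than its file) to match the 12.2MB region in PID 484 to XWorm V5.2.exe. The Edge-profile noise rule, the tolerances and the sample records (copied from this report) are assumptions.

```python
"""Parse sandbox 'dropped files' / 'memory region' records into usable
indicators, drop sandbox noise, and sanity-check memory dumps against their
address ranges.  Added example; not the sandbox's own tooling."""
import re
from dataclasses import dataclass

# MD5 of zero-length input: a record carrying it (the crashpad named pipe)
# hashed nothing and is not an indicator of anything.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
# Assumption: files under the sandbox's own Edge profile are environment noise.
NOISE_FRAGMENTS = (r"\AppData\Local\Microsoft\Edge\User Data",)

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Labels may be fused to the value ("MD5d41d...") or separated ("MD5: d41d...");
# longest label first so "SHA256..." is not read as SHA1 followed by "256...".
HASH_RE = re.compile(r"^(MD5|SHA512|SHA256|SHA1):?\s*([0-9a-f]+)$")
SIZE_RE = re.compile(r"^(?:Filesize:?\s*)?(\d+(?:\.\d+)?)(B|KB|MB)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}

@dataclass
class Record:
    path: str
    size_bytes: object      # int or None (declared size is rounded, e.g. "1.7MB")
    hashes: dict
    mem: object = None      # (pid, seq, start, end) for memory dumps, else None

def parse_size(text):
    m = SIZE_RE.match(text.strip())
    return int(float(m.group(1)) * UNIT[m.group(2)]) if m else None

def parse_chunk(lines):
    head, rest, path, size, hashes = lines[0], lines[1:], lines[0], None, {}
    for label in ("Filesize", "MD5"):   # the extraction fuses the first label onto the path
        if head.endswith(label):
            path = head[: -len(label)]
            if rest:
                rest[0] = label + rest[0]   # re-attach it so the loop sees a normal line
            break
    for line in rest:
        m = HASH_RE.match(line)
        if m and len(m.group(2)) == HASH_LEN[m.group(1).lower()]:
            hashes[m.group(1).lower()] = m.group(2)
        elif size is None:
            size = parse_size(line)
    m = MEM_RE.match(path)
    mem = (int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)) if m else None
    return Record(path, size, hashes, mem)

def parse_records(text):
    """Records are separated by a line holding only '-'."""
    records, chunk = [], []
    for line in text.splitlines() + ["-"]:
        line = line.strip()
        if line == "-":
            if chunk:
                records.append(parse_chunk(chunk))
            chunk = []
        elif line:
            chunk.append(line)
    return records

def is_noise(rec):
    return any(f in rec.path for f in NOISE_FRAGMENTS) or rec.hashes.get("md5") == EMPTY_MD5

def indicators(records):
    """(path, sha256) for every dropped file worth pivoting on."""
    return [(r.path, r.hashes["sha256"]) for r in records
            if r.mem is None and "sha256" in r.hashes and not is_noise(r)]

def region_size_mismatches(records, tolerance=0.05):
    """Memory dumps whose rounded declared size disagrees with end - start."""
    out = []
    for r in records:
        if r.mem and r.size_bytes:
            span = r.mem[3] - r.mem[2]
            if abs(span - r.size_bytes) > tolerance * span:
                out.append((r.path, span, r.size_bytes))
    return out

def regions_near_file_size(records, path_fragment, tolerance=0.02):
    """Memory regions whose span is within `tolerance` of a dropped file's size.
    Heuristic (assumption): a mapped image is only slightly larger than its file,
    so this narrows which dump to carve a payload from; it proves nothing."""
    files = [r for r in records if r.mem is None and path_fragment in r.path and r.size_bytes]
    return [(f.path, r.path) for f in files for r in records
            if r.mem and abs((r.mem[3] - r.mem[2]) - f.size_bytes) <= tolerance * f.size_bytes]

# Constructed sample: a few records copied from this report, in the fused form.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
SHA256d14f466e7979d19d1973a801fbf48167c41ca4dd6f3d17ac92876054bbdb9560
-
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dllFilesize
112KB
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
-
C:\Users\Admin\Desktop\XWorm V5.2 password 1234\XWorm V5.2\XWorm V5.2.exeFilesize
12.2MB
SHA2567fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
-
\??\pipe\crashpad_2760_LOAINUGJXXAGJMHDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
memory/484-196-0x0000023D65390000-0x0000023D65FC8000-memory.dmpFilesize
12.2MB
-
memory/484-204-0x0000023D667D0000-0x0000023D673BC000-memory.dmpFilesize
11.9MB
-
"""
```

Running `indicators(parse_records(SAMPLE))` leaves exactly two entries, TMzpx.dll in %TEMP% and XWorm V5.2.exe, and `regions_near_file_size(..., "XWorm V5.2.exe")` pairs the executable with the memory/484-196 region (0xC38000 bytes); the 11.9MB region in memory/484-204 falls outside the 2% tolerance. Treat the match as a starting point for carving, not as proof of what the region holds.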
memory/484-194-0x0000023D64590000-0x0000023D645AA000-memory.dmp
Filesize: 104KB
-
memory/484-185-0x0000023D4A400000-0x0000023D4A406000-memory.dmp
Filesize: 24KB
-
memory/484-214-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-212-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-211-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-210-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-189-0x0000023D646B0000-0x0000023D64706000-memory.dmp
Filesize: 344KB
-
memory/484-209-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-208-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-183-0x0000023D645C0000-0x0000023D645E8000-memory.dmp
Filesize: 160KB
-
memory/484-207-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-206-0x0000023D65110000-0x0000023D65304000-memory.dmp
Filesize: 2.0MB
-
memory/484-179-0x0000000000CB0000-0x0000000000CD0000-memory.dmp
Filesize: 128KB
-
memory/484-216-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-204-0x0000023D667D0000-0x0000023D673BC000-memory.dmp
Filesize: 11.9MB
-
memory/484-187-0x0000023D64650000-0x0000023D646AE000-memory.dmp
Filesize: 376KB
-
memory/484-196-0x0000023D65390000-0x0000023D65FC8000-memory.dmp
Filesize: 12.2MB
-
memory/484-215-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-218-0x0000023D64F10000-0x0000023D650C3000-memory.dmp
Filesize: 1.7MB
-
memory/484-190-0x0000023D4A3C0000-0x0000023D4A3C6000-memory.dmp
Filesize: 24KB
-
memory/484-181-0x0000023D4A450000-0x0000023D4A492000-memory.dmp
Filesize: 264KB
-
memory/484-193-0x0000023D64710000-0x0000023D6474C000-memory.dmp
Filesize: 240KB
-
memory/484-191-0x0000023D4A3D0000-0x0000023D4A3D6000-memory.dmp
Filesize: 24KB
-
memory/1192-222-0x0000026C28DC0000-0x0000026C28DC6000-memory.dmp
Filesize: 24KB
-
memory/1192-257-0x0000026C42120000-0x0000026C422D3000-memory.dmp
Filesize: 1.7MB
-
memory/1192-223-0x0000026C28DD0000-0x0000026C28DD6000-memory.dmp
Filesize: 24KB
-
memory/1192-221-0x0000000000CB0000-0x0000000000CD0000-memory.dmp
Filesize: 128KB
-
memory/1192-226-0x0000026C42120000-0x0000026C422D3000-memory.dmp
Filesize: 1.7MB
-
memory/1192-227-0x0000026C42120000-0x0000026C422D3000-memory.dmp
Filesize: 1.7MB
-
memory/1192-268-0x0000026C42120000-0x0000026C422D3000-memory.dmp
Filesize: 1.7MB
-
memory/4144-523-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-538-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-290-0x0000017D821B0000-0x0000017D821B6000-memory.dmp
Filesize: 24KB
-
memory/4144-573-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-302-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-583-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-289-0x0000017D82190000-0x0000017D82196000-memory.dmp
Filesize: 24KB
-
memory/4144-593-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-594-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-478-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-468-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-618-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-449-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-629-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-434-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-409-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-657-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-380-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB
-
memory/4144-667-0x0000017D9CC70000-0x0000017D9CE23000-memory.dmp
Filesize: 1.7MB