Analysis Overview
SHA256
fe6371034d55bb7583081b03f4aec7274f8340cfea4740325cb52e1c6ac77f6d
Threat Level: Known bad
The file XWorm v5.1-5.2.7z was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Browser Information Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 22:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 22:45
Reported
2024-08-29 22:49
Platform
win11-20240802-en
Max time kernel
218s
Max time network
213s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications\7zFM.exe\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications\7zFM.exe | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications\7zFM.exe\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000000259e17b1000372d5a6970003c0009000400efbe0259e17b0259e17b2e000000b79d020000000a000000000000000000000000000000bc4c490037002d005a0069007000000014000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\"" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications\7zFM.exe\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000000259177d110050524f4752417e310000740009000400efbec55259610259177d2e0000003f0000000000010000000000000000004a00000000009468c500500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Applications | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2.7z"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1896 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eeb7e4a-199e-4f83-ab02-3f37b6e125bf} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c79be947-bc8f-435a-b0aa-f90cf0beb52c} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3288 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {674d6671-be0d-400c-8a73-8c406767ab41} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2b95e6e-a2f1-46dc-abab-4b054ae8fa3f} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4620 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c65bbc8c-8111-493c-99d2-dacd6d7b7f60} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" utility
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5320 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b096011-bafc-493a-aef2-6a5fec8569c9} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 4 -isForBrowser -prefsHandle 5448 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61d8ffe7-44f0-4c68-affd-a394c02d3af2} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {584ce853-f123-4e63-8d1a-784ddd39f5e9} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 6 -isForBrowser -prefsHandle 5836 -prefMapHandle 6096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0aa7cfd3-f0ff-4acb-853f-22794e638386} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6432 -childID 7 -isForBrowser -prefsHandle 6424 -prefMapHandle 6420 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {319f5e3c-0be9-47f8-9858-8fca02729bb0} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6384 -childID 8 -isForBrowser -prefsHandle 6560 -prefMapHandle 6564 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de26877-609d-4b38-85e4-244bad981fb1} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -childID 9 -isForBrowser -prefsHandle 2740 -prefMapHandle 4584 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0abfa6c0-b8a5-494e-8758-f02b5cceceeb} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3628 -childID 10 -isForBrowser -prefsHandle 5984 -prefMapHandle 6784 -prefsLen 27919 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69763753-04d8-4d91-a5d6-d20be6258079} 1096 "\\.\pipe\gecko-crash-server-pipe.1096" tab
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWorm V5.2.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2ef63cb8,0x7ffb2ef63cc8,0x7ffb2ef63cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb2ef63cb8,0x7ffb2ef63cc8,0x7ffb2ef63cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8979471644337250836,3269200950150816690,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\XWorm\XWorm V5.2\Fixer.bat" "
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004D0
Network
Files
| MD5 | ad3b4fae17bcabc254df49f5e76b87a6 |
| SHA1 | 1683ff029eebaffdc7a4827827da7bb361c8747e |
| SHA256 | e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf |
| SHA512 | 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4
| MD5 | ba156e86aec8d83e7684dea4c2f7e4ee |
| SHA1 | 8048980cdc91d150286c7987bf8cd431b9c4b085 |
| SHA256 | 10ff2402bf007f16d1032b16a3e48eebac1a7da9fb3fcd08d089501549006b73 |
| SHA512 | 97685902a1db90311ae3f002fa0e80de254a7d3592ca37b5e61cd9a363fa047df6b57ccaa0a3bf11ba76dea577d422f9a92babd8746165042dc7f2f76768ee94 |
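The listing above mixes three kinds of artifact: dropped-file paths with their digests, the same path recorded twice with different digests (recovery.baklz4), and memory dumps named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`. The following is an added example, not part of the report or of any sandbox tooling: it parses that listing into records, computes the size of each dumped region, flags paths whose digest changed between two snapshots, and checks a local file's bytes against the recorded hashes. The sample listing embedded in the block is copied from the entries above; the naming scheme for memory dumps is inferred from those entries and is an assumption.

```python
"""Parse a sandbox dropped-file / memory-dump listing and verify hashes.

Added example; not the report's or any sandbox vendor's own code.
Assumed layout: a Windows path line followed by `| ALG | hex |` rows,
and dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
"""
import hashlib
import re
from dataclasses import dataclass, field

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Sample input copied from the listing above (a subset of its entries).
SAMPLE_LISTING = r"""
C:\Users\Admin\Desktop\XWorm\XWorm V5.2\RVGLib.dll
| MD5 | d34c13128c6c7c93af2000a45196df81 |
| SHA256 | aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7 |
memory/6496-1465-0x00000231874E0000-0x0000023187522000-memory.dmp
memory/6496-1469-0x0000023187540000-0x0000023187546000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4
| SHA256 | 27bc333efec6876f7be4d7058f8d123a5865a4bbed02abf51ce9dc09c36f7ff6 |
memory/6496-1479-0x00000231A0CB0000-0x00000231A18E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionstore-backups\recovery.baklz4
| SHA256 | 10ff2402bf007f16d1032b16a3e48eebac1a7da9fb3fcd08d089501549006b73 |
"""


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_memory_dump(name: str) -> MemoryRegion:
    """Split a dump name into pid, sequence number and address range."""
    m = MEMDUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    region = MemoryRegion(int(m["pid"]), int(m["seq"]),
                          int(m["start"], 16), int(m["end"], 16))
    if region.size <= 0:
        raise ValueError(f"end precedes start in {name!r}")
    return region


def parse_listing(text: str):
    """Return (dropped files in order, memory regions in order)."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        elif line.startswith("memory/"):
            regions.append(parse_memory_dump(line))
        else:
            m = HASH_ROW_RE.match(line)
            if m and current is not None:
                alg, digest = m.group(1), m.group(2).lower()
                if len(digest) != HEX_LEN[alg]:
                    raise ValueError(f"bad {alg} length for {current.path}")
                current.hashes[alg] = digest
    return files, regions


def rewritten_paths(files) -> list:
    """Paths listed more than once whose SHA256 differs between entries."""
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.hashes.get("SHA256"))
    return [p for p, digests in seen.items() if len(digests) > 1]


def largest_regions(regions, n: int = 3) -> list:
    """Biggest dumped regions first: the usual place to look for an unpacked payload."""
    return sorted(regions, key=lambda r: r.size, reverse=True)[:n]


def verify_bytes(data: bytes, expected: dict) -> dict:
    """Map each recorded algorithm to whether `data` hashes to the recorded digest."""
    return {alg: ALGOS[alg](data).hexdigest() == digest.lower()
            for alg, digest in expected.items()}


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for r in largest_regions(regions):
        print(f"pid {r.pid} dump #{r.seq}: {r.start:#x}-{r.end:#x} ({r.size} bytes)")
    print("rewritten between snapshots:", rewritten_paths(files))
```

The two recovery.baklz4 entries are the kind of record the path-change check exists for: that file is Firefox's own rotated session-store backup, so a changed digest reflects browser activity inside the VM, not a write by the sample, and should be treated as noise unless a process column ties it to XWorm. The largest region for PID 6496 (dump #1479, roughly 12 MiB) is the first one worth pulling when looking for the in-memory assembly behind the AgentTesla detection.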