agenttesla | 84d6e79b5ffbb177430dd3848a4a1569dbd1d2748357ba5d664d763c4d6af3cf

Analysis

max time kernel
178s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.rar
Size

44.4MB
MD5

b115aa5c5af0ddab4716050ee9c8d4dd
SHA1

20acaa72078e1cadf68c93b0625fac451d611bdb
SHA256

84d6e79b5ffbb177430dd3848a4a1569dbd1d2748357ba5d664d763c4d6af3cf
SHA512

6d710efc7199eefac0fc47b4400bb3c7fbc7836aa2fb5857e2ad93d50f77926a58c37b9ed3a25aec98cfc4f2bf35e6c623c25aa86acd528a8295db1fc1f317ee
SSDEEP

786432:FIYpoVAaEEMtnoP08tWbbUy3S1AMkAblO2v9HYvo2OkQDZ9VZP6lMowO8zohq:6hVAaEdA8bK1ADoX9qo2gDJZPQN8z5

Score

10^/10

agenttesla xworm agilenet discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

18.ip.gl.ply.gg:13256

18.ip.gl.ply.gg:6782

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/EkPd4scK

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023679-428.dat	family_xworm
behavioral1/memory/404-429-0x00000000006E0000-0x00000000006FA000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023677-433.dat	family_xworm
behavioral1/memory/1240-444-0x0000000000B80000-0x0000000000B9A000-memory.dmp	family_xworm
behavioral1/files/0x0007000000023678-445.dat	family_xworm
behavioral1/memory/3188-447-0x0000000000AE0000-0x0000000000AFC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00020000000226c4-431.dat	family_agenttesla
behavioral1/memory/4840-432-0x000001B57E400000-0x000001B57E5F4000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5760	powershell.exe
6096	powershell.exe
5128	powershell.exe
1220	powershell.exe
3860	powershell.exe
5308	powershell.exe
5552	powershell.exe
5920	powershell.exe
624	powershell.exe
556	powershell.exe
3080	powershell.exe
5272	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	test3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	test2.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	test.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	test2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	test3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	test3.exe

Executes dropped EXE 5 IoCs

pid	Process
4840	XWorm V5.2.exe
404	test3.exe
1240	test.exe
3188	test2.exe
5028	XWormLoader 5.2 x64.exe

Loads dropped DLL 2 IoCs

pid	Process
4840	XWorm V5.2.exe
5028	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000700000002367a-416.dat	agile_net
behavioral1/memory/4840-419-0x000001B5792D0000-0x000001B579F08000-memory.dmp	agile_net
behavioral1/memory/5028-499-0x000002CFF0C00000-0x000002CFF1838000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	test2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	test3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	test.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
172	4.tcp.eu.ngrok.io
102	pastebin.com
103	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700396751456470"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
5892	schtasks.exe
1036	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
556	powershell.exe
556	powershell.exe
556	powershell.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
5272	powershell.exe
5272	powershell.exe
5272	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
5552	powershell.exe
5552	powershell.exe
5552	powershell.exe
5760	powershell.exe
5760	powershell.exe
5760	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
6096	powershell.exe
6096	powershell.exe
5128	powershell.exe
5128	powershell.exe
6096	powershell.exe
5128	powershell.exe
1220	powershell.exe
1220	powershell.exe
1220	powershell.exe
624	powershell.exe
624	powershell.exe
624	powershell.exe
1240	test.exe
1240	test.exe
404	test3.exe
404	test3.exe
3188	test2.exe
3188	test2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3796	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	7zFM.exe
Token: 35	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe
Token: SeCreatePagefilePrivilege	2704	chrome.exe
Token: SeShutdownPrivilege	2704	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3796	7zFM.exe
3796	7zFM.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe
2704	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1688	OpenWith.exe
1240	test.exe
404	test3.exe
3188	test2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 228	2704	chrome.exe	115
PID 2704 wrote to memory of 228	2704	chrome.exe	115
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 4236	2704	chrome.exe	116
PID 2704 wrote to memory of 1604	2704	chrome.exe	117
PID 2704 wrote to memory of 1604	2704	chrome.exe	117
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118
PID 2704 wrote to memory of 3648	2704	chrome.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
1⤵
- Modifies registry class
PID:2244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
1⤵
PID:1892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffebf05cc40,0x7ffebf05cc4c,0x7ffebf05cc58
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2020,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3440,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4564,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5300,i,622648038422643197,7950514119458842679,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4736

C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:5800

C:\Users\Admin\Desktop\XWorm V5.2\test3.exe
"C:\Users\Admin\Desktop\XWorm V5.2\test3.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm V5.2\test3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2748

C:\Users\Admin\Desktop\XWorm V5.2\test.exe
"C:\Users\Admin\Desktop\XWorm V5.2\test.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm V5.2\test.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5128
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5892

C:\Users\Admin\Desktop\XWorm V5.2\test2.exe
"C:\Users\Admin\Desktop\XWorm V5.2\test2.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XWorm V5.2\test2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'test2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:6096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:624
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1036

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4196,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:1
1⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4080,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4084 /prefetch:1
1⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5440,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:1
1⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5604,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=5620 /prefetch:8
1⤵
PID:5984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5628,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
1⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5996,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=6104 /prefetch:1
1⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6284,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=6276 /prefetch:8
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5584,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4e3975ba4e3ed30a8f726f8f32ca530b

SHA1
182f1918bba613235965a1e30414dfa4463752f3

SHA256
8d814919783cc50512abb1e763be01d0c7abdc9b350893df62f6db5c3e1669ee

SHA512
c5a8e1d968e97396898ddfe5267df087a05d33e9032e6879a58c799c32a5d308bbbf2a41dd7e67358dfab3018dfa5cb35d93e82fb11b21976b68ea35a885e58a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
347e82610d880d66f6c5eec98d7d2b26

SHA1
4627517dd4f029918c52c5c93bb219680ce26c46

SHA256
00777a937b7c3bda301083fbc45492822a4a45768218fbd7757e202b3e060576

SHA512
e3d586aa3e9384652a0995516986302790ded9098e20b91300a7c2c35296656c2f1f1051e9584495c8a2ff1dae69aa44246d631c28adedc26897309da1ce68c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1ffa2cadd19b53dfaabaed682d0a22a4

SHA1
164b614a6fafd9782eeff11918f5a015c23b1532

SHA256
3941c27c40914ce238814ddf2cd632bff9ffa4285e05e667e556c3103ae03295

SHA512
3845ab51ca840c123ab31cee0e6ff4ae932fc55fff1d7ffa66b11af031a7e066a7741bef1982d1ab43043e671d45ef562bbc3f36d817b19b20f4bb574980fb80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6f41b335bfee16bc348fbc6be375bf1b

SHA1
d4e9c5d648c387b8ddd1a6f2dad6235e455973b6

SHA256
16381a242ffa8c3a677481bfaa45e725afbef1cce41a41af268df4ac3926e61e

SHA512
22b90b5be0ce3bed81cf66c3f6d1bb5eb7febf9916ae6638fdefaa4470b2b9d51ac7188af3122abf5044447464ce940bfaeb3e041740d9ec18b8c00f458d5936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d13d352238e95eda7dcf509982dd07aa

SHA1
a947f143f71920a3d0ad232fe823a2a75e18afa8

SHA256
58a9bddc44365c5455d67329f8a1e43a40b43eeb2ae50e4822398b17fc8faee9

SHA512
a2e75ba549759f64ef7347e96b37dfa724385d4d002e29e154b45031ff34d0d3bbbe518ffd66efac640a2a0851994d81ae0f0baa5adeafceb8e533b92eb59c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ec272f9be4fa35c817e8bbc5a27a9ac

SHA1
fe51a7cb11b898a4893f0819bb46c5a903a7a307

SHA256
a9e946c87f6fe04da934275f0194c6bdce1f0037e207e45a97aa0cb5975592af

SHA512
df705b2b5a5161ba08a94bfb45070a5dbd27b669f720b0da0a2c1a1c1c576bf9db0d3c7a59154915fe2c7b0497ffe9f8b6646d4e9670d1320e78367a45470870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4dc5b16f7067822e4b48c193b2eafc5d

SHA1
bf455f4ba98c1418bc13713acf208caf4168d4d9

SHA256
0fa66c71024b551bcc462d01199730bc391b8d081e60d16d023414ed4ad8acbc

SHA512
3429a9be8dc131415169ada437181562e6170737a4328b4470496ec7b2cc5fcfbf1932e52a56e9acc211952bd222e1a89e3787c9a617abad2cd5260233a06c35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d21eafd39ebe7055d080c06a2282859f

SHA1
968da4abb890843d68fe67f00224f13ad414399b

SHA256
dce18930ddb2c0a799814263f907ca901c72f2adbb377bfc0dbbe2164a24683c

SHA512
d2849517de74f8623c7530b6920eb8b8e9a251d7b1d39f76b1ea58a5d5436bf64408037d7316dc5af6975cf2369607188239abae3c2ab0e2c8351d2ef56dec43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dfb947e7238e9679dd9b4fe41ddf84c

SHA1
a096272ea23e1a0dc097cc3035f5938cad401ab1

SHA256
7573ec8d872ca3f8986c05c6b56e5fb6a58fe52a09684b35930a67f9d98d815d

SHA512
d5e472dddb7b6978097962ac32cd61a921dc3fd5d588bf55b70c093c5fa031d9732e5ec5460b6263977c61a9f8896b6e69f58b579ffc7c495ddbdc242f8b830e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb865fdc57b52e0b4a6fb372762318bb

SHA1
0ac737dc2365fa292e769e80ac98185ae2259342

SHA256
dc01f66d73a8ca66265c0c0a5ca74d0fdb07a8e49a9ff34e5d175e59cbeb5f7d

SHA512
76856fc55d5ab2c389a91f03c05fd6020e26f40bee8251715a54fdc6e0a9bde357e9db74965e76b52c6c6202dba208c8c7e498486cea1624e7816d8247df05f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed4c8240bc1ea92d83c44831f6cc2508

SHA1
6d49a4f5f10a0a01fbf153f3977e2de098661720

SHA256
c1c8945fe401c2c5a4460a16af6178b48e850d450a99a60e5aac8feeffd3329e

SHA512
32fb7c8639e81bb7cfce5c77a323cdf58a53391fc92f2d3fc0d41769258dad34027e5e2b6c4f86ec0da05ca7ac6fe40245773fd1cb19d822461100134a1da0f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
acee77f9fc7e9040f5353f75f2950a00

SHA1
e7052c0fa8a8a31b762a90a6eac5466c3d6913af

SHA256
eb1b1bd3264589b25765c5558f2cbc190731ac3636b23640467e9dcace7f8032

SHA512
0fa7499b744521372b5587337d5107366d74b81ab2ef326ff9e16013a0a957b60af4a847008f0af49f41dc0d31d8c42eb4343677653a10573a1ded0c4d9aa5aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5da935d4ff50eddd92b3a2559499568b

SHA1
ec98a5d6c7e850742881d7783ef4108847f273fb

SHA256
0709e3a85d0955c90c54678c44cbf314071770c46c72b569c64bd102ba5549b4

SHA512
2dfcb2eb5ff755537a2d4425cf49c6addec17ba82c0e49fc9cd28c1ddd8ed0ec2ff458a700116436a2bcb934a97e2f0ffe6802eca2e55404efae7c4aa8feea66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
c1ed2986ed782b835e851ba4745c5405

SHA1
a194bd6a7c506cd44be738d06c1a8292a7dbb072

SHA256
c07988b824ceefffe72da58ec7cccf8c0afb3f125412ffe4dcce9c6dff79b9de

SHA512
ab93475cbf130eb3d3a1e636d25c41d475ee309b488fcbb38148d5abb8ca3496f57ad9c003df1abccdf852d2daad9ce4d4c60eae37ceae6b1c0b3317b1c5de18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
c6e41ba714cfc1afb621d69296f0b7d8

SHA1
74d83768817990053cf922163e9812e4187a600e

SHA256
a12e7f406b03c777c64f2c048a7ea8354f5e4aa28e4074460c5d3dce4520cf89

SHA512
83d38d5c2443b212b889e723ecec48066e97cd6729ebd1edc45110b51a667eff0a6da92fee588b635542c0bf3ef40aaa7f85edb24b33f896fbeee30b5120d5a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
59e7d6e3f10fe8a7e0448a6f42b5c2b5

SHA1
4496b03b0fe6cac6c78572da59db786e0d6bb6ac

SHA256
af20c633ea2fe9136994beadf513adb00d9cf6dfc549b96404aae59f8e948535

SHA512
74d331572dc3289269cd41b891e1448d766a2d2b793ae6128d91582e6b658bb7ff349bc7c90ebbb44bda5502714025915390347d898379bae4b906db0b9c14c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea40386e93203f2f2712bd0bf029cfa4

SHA1
e3e27a3dbda20298f4f93fa14b6a07cee649bd61

SHA256
c031090ef773b0453a97ab7aaa94dfe4f2bb4a35cc369c41933c20bdd666c72c

SHA512
e7590d696a53c97b955092637a14c3b691ecf2dd15701d9ef05ba2973d0cbbbc7439f0e180c0244960be2db7160f97519783f6fa71b2503aa963b25dd39fa121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4DE6FBE8\XWorm V5.2\ClientsFolder\A069D511BDE4EC299785\Recovery\RecoveryData\cookies.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4DE6FBE8\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_palr1dop.w5t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
4647c1e0844592155f86003d816f779d

SHA1
02b8f6e926d1e3d80690b9cdef6fc269c82fc19d

SHA256
466a57c71b1ddf6f3285258ff58120eab7f0f00bac2b67ff7e49fbe3f884d5e0

SHA512
20478a10ee8b04f252a6995daab647c761b26f2e309b3bacaa2fd43dbcb08aee70b5a434c8315fe553de3953cc64165ce67a29830801e6397423e78b8661baa7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\test.exe

Filesize
82KB

MD5
02c3a59e8f1e963f0ebaa503e490e057

SHA1
8ca26e32d8025d5fd46625ad4cbec280f092a494

SHA256
9613ea86092f0595f59adfd0dfa0187b29ab0f45bdfaafa31aaeae012551b2ab

SHA512
10e79eb760735be5b77c42da885447719879a49c49c78b9221149b215e817175e02b78ab3eacbc7a7158d3ab84b027f6627f8449d4616b9364e563d20365f34b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\test2.exe

Filesize
84KB

MD5
db306542d676d22982d6a92571ea09cd

SHA1
7f676381df8863c05795ee8c258c3dea80ef09a9

SHA256
8ac22df94291b3e48fbd7e787f7528d9a5b899eb44ac6ecfe14294eb1a66d725

SHA512
825f3d4e5eaa9c925634f6617fab541de5c2b5bb92a44ac3251f49cc83ae7d3a7353e51236899603b6d2958b53a8629569b3cd17675423a83cfc34e3c3ac34b4

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\test3.exe

Filesize
80KB

MD5
1543e621c88ced2686f04a7b324bd335

SHA1
c833c48bbbad7b7d30629d36f66e4176f58c2e1a

SHA256
6fbda9d556602c3ac086d4782cf50924ed1e2a33d38da46a347dd9589c4b8018

SHA512
ab91f397317eb0fb5e7abecb3b86950957e9e51a8fa99d8f93f971e19a7ce658ef9d87efb8e92811e298c464acb3f54d0553d96f537387316af528d68133a5a4

Download Submit
memory/404-429-0x00000000006E0000-0x00000000006FA000-memory.dmp

Filesize
104KB

Download
memory/556-448-0x0000025D3BA10000-0x0000025D3BA32000-memory.dmp

Filesize
136KB

Download
memory/1240-444-0x0000000000B80000-0x0000000000B9A000-memory.dmp

Filesize
104KB

Download
memory/3188-447-0x0000000000AE0000-0x0000000000AFC000-memory.dmp

Filesize
112KB

Download
memory/4840-430-0x000001B57D4A0000-0x000001B57E08C000-memory.dmp

Filesize
11.9MB

Download
memory/4840-419-0x000001B5792D0000-0x000001B579F08000-memory.dmp

Filesize
12.2MB

Download
memory/4840-432-0x000001B57E400000-0x000001B57E5F4000-memory.dmp

Filesize
2.0MB

Download
memory/5028-499-0x000002CFF0C00000-0x000002CFF1838000-memory.dmp

Filesize
12.2MB

Download
memory/5028-485-0x000002CFEF470000-0x000002CFEF476000-memory.dmp

Filesize
24KB

Download
memory/5028-463-0x0000000000D30000-0x0000000000D50000-memory.dmp

Filesize
128KB

Download
memory/5028-486-0x000002CFEF480000-0x000002CFEF486000-memory.dmp

Filesize
24KB

Download
memory/5028-498-0x000002CFEFE60000-0x000002CFEFE7A000-memory.dmp

Filesize
104KB

Download
memory/5028-469-0x000002CFEFE10000-0x000002CFEFE16000-memory.dmp

Filesize
24KB

Download
memory/5028-471-0x000002CFEFEA0000-0x000002CFEFEFE000-memory.dmp

Filesize
376KB

Download
memory/5028-488-0x000002CFEFF60000-0x000002CFEFF9C000-memory.dmp

Filesize
240KB

Download
memory/5028-467-0x000002CFEFDE0000-0x000002CFEFE08000-memory.dmp

Filesize
160KB

Download
memory/5028-465-0x000002CFEF5C0000-0x000002CFEF602000-memory.dmp

Filesize
264KB

Download
memory/5028-474-0x000002CFEFF00000-0x000002CFEFF56000-memory.dmp

Filesize
344KB

Download