xworm | eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1

Resubmissions

21-10-2024 14:09

241021-rgcgnawhjd 10

21-10-2024 14:05

241021-rd8qpawglh 10

21-10-2024 13:52

241021-q6ms9awdqf 10

Analysis

max time kernel
446s
max time network
443s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main.zip
Size

24.8MB
MD5

98af17dc86622b292d58fbba45d51309
SHA1

44a7d9423ce00ddda8000f9d18e3fe5693b5776f
SHA256

eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
SHA512

b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
SSDEEP

786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:8888

10.127.0.53:8888

Mutex

knywcLZq7NOLWNPU

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:8888

10.127.0.53:8888

Attributes

install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Options.dll	disable_win_def

Detect Xworm Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\i4uft3jm\i4uft3jm.0.vb	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\zhejr4mk\zhejr4mk.0.vb	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe	family_xworm
behavioral1/memory/4820-403-0x0000000000550000-0x0000000000566000-memory.dmp	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe	family_xworm
behavioral1/memory/1720-440-0x00000000006E0000-0x00000000006F8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1120 powershell.exe
4560 powershell.exe
2136 powershell.exe
1360 powershell.exe

pid	process
1120	powershell.exe
4560	powershell.exe
2136	powershell.exe
1360	powershell.exe

Drops startup file 2 IoCs

Processes:

XClienttest2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClienttest2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClienttest2.exe

Executes dropped EXE 6 IoCs

Processes:

Xworm V5.6.exeXClienttest1.exeXClienttest2.exeXClient.exeXClient.exeXClient.exe

pid process

4608 Xworm V5.6.exe
4820 XClienttest1.exe
1720 XClienttest2.exe
3632 XClient.exe
3712 XClient.exe
3800 XClient.exe
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClienttest2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClienttest2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Xworm V5.6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1844 ipconfig.exe

pid	process
1844	ipconfig.exe

Modifies registry class 32 IoCs

Processes:

Xworm V5.6.exeMiniSearchHost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4716 schtasks.exe

pid	process
4716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Xworm V5.6.exepowershell.exepowershell.exepowershell.exepowershell.exeXClienttest2.exe

pid	process
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
1360	powershell.exe
1360	powershell.exe
1120	powershell.exe
1120	powershell.exe
4560	powershell.exe
4560	powershell.exe
2136	powershell.exe
2136	powershell.exe
1720	XClienttest2.exe
1720	XClienttest2.exe
1720	XClienttest2.exe
1720	XClienttest2.exe
1720	XClienttest2.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeXworm V5.6.exe

pid process

4076 7zFM.exe
4608 Xworm V5.6.exe

pid	process
4076	7zFM.exe
4608	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

7zFM.exeAUDIODG.EXEXClienttest1.exeXClienttest2.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exeXClient.exeXClient.exe

description	pid	process
Token: SeRestorePrivilege	4076	7zFM.exe
Token: 35	4076	7zFM.exe
Token: SeSecurityPrivilege	4076	7zFM.exe
Token: 33	1888	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1888	AUDIODG.EXE
Token: SeDebugPrivilege	4820	XClienttest1.exe
Token: SeDebugPrivilege	1720	XClienttest2.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1720	XClienttest2.exe
Token: SeDebugPrivilege	3632	XClient.exe
Token: SeDebugPrivilege	3712	XClient.exe
Token: SeDebugPrivilege	3800	XClient.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zFM.exeXworm V5.6.exe

pid process

4076 7zFM.exe
4076 7zFM.exe
4608 Xworm V5.6.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Xworm V5.6.exe

pid process

4608 Xworm V5.6.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MiniSearchHost.exeXworm V5.6.exeXClienttest2.exe

pid process

3156 MiniSearchHost.exe
4608 Xworm V5.6.exe
4608 Xworm V5.6.exe
1720 XClienttest2.exe

pid	process
4076	7zFM.exe
4076	7zFM.exe
4608	Xworm V5.6.exe

pid	process
3156	MiniSearchHost.exe
4608	Xworm V5.6.exe
4608	Xworm V5.6.exe
1720	XClienttest2.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Xworm V5.6.exevbc.execmd.exevbc.exeXClienttest2.exe

description	pid	process	target process
PID 4608 wrote to memory of 2376	4608	Xworm V5.6.exe	vbc.exe
PID 4608 wrote to memory of 2376	4608	Xworm V5.6.exe	vbc.exe
PID 2376 wrote to memory of 784	2376	vbc.exe	cvtres.exe
PID 2376 wrote to memory of 784	2376	vbc.exe	cvtres.exe
PID 1264 wrote to memory of 1844	1264	cmd.exe	ipconfig.exe
PID 1264 wrote to memory of 1844	1264	cmd.exe	ipconfig.exe
PID 4608 wrote to memory of 4724	4608	Xworm V5.6.exe	vbc.exe
PID 4608 wrote to memory of 4724	4608	Xworm V5.6.exe	vbc.exe
PID 4724 wrote to memory of 2572	4724	vbc.exe	cvtres.exe
PID 4724 wrote to memory of 2572	4724	vbc.exe	cvtres.exe
PID 1720 wrote to memory of 1360	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 1360	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 1120	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 1120	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 4560	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 4560	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 2136	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 2136	1720	XClienttest2.exe	powershell.exe
PID 1720 wrote to memory of 4716	1720	XClienttest2.exe	schtasks.exe
PID 1720 wrote to memory of 4716	1720	XClienttest2.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4076

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4560

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i4uft3jm\i4uft3jm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES640F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc524C4D423A41479DBAE2A53A1E5B833.TMP"
    3⤵
    PID:784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zhejr4mk\zhejr4mk.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1818.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc426F2244AC9E4CFB9570D9BA33AFFDFA.TMP"
    3⤵
    PID:2572

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:1844

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienttest2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4716

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
18ebbe9c5b9d1f57828cb23f70ee4358

SHA1
3bffe5a39ea4b5dff89e2e051911dc366d6d517f

SHA256
32feacc1e37265de0ea41d7113a91ec4ea7a697d92941d747adf814039111df7

SHA512
99ea34ce3b016720a2c5d651e68eb4bca122f8cd05d9b18e4e0225b836a576517a691914c00472977570a24a9360a2049d7150d8392abbab76cd5a3d6e3fa01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1818.tmp

Filesize
1KB

MD5
68fa31b7b7ef69523a91b368e5a966d4

SHA1
3fa7d6e48bb3cb99dea5671c922ad3d880e506d8

SHA256
c59f1b91f1847960aeceb4242631f37c0bc733492712e0b43b7b4c5f02672398

SHA512
02a434a0ee28a7c84f6eaa24bb0577b098abb31d681cb4b3e9a90025206b56a060861b67ea7ef2b66d523bb069878be803fe609c18caf5969bce1fd7fbcf8883

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES640F.tmp

Filesize
1KB

MD5
589122f479c33f414c8b3cbeb5418d74

SHA1
ec85215bd527880e6e31613edc1f9086ad84c2c2

SHA256
1ed312e2142c2b045130ff9cdb10150d6494d7b71ee74978f255f3d4dc7f5893

SHA512
221f881966e759a49a61112383e526c658c343b743df1910badf9d6d0987663e534a1eb9bbe076ff31c437ed50cad83391a73f1c558821af1cc82f1aa47f5e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcnh0qsq.hjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4uft3jm\i4uft3jm.0.vb

Filesize
78KB

MD5
cebe414cbfe63f8985036785b1c5ad9f

SHA1
eb9cb91d3fe519f940c21035f9846cc40c766174

SHA256
72ff6aecaa319d52a22c80fbac6de0e297aa8b241c7f1f5f652763830a18f9d0

SHA512
afbec16e01f2adb569f4e0998e87be2dfc1a798561e5583dfc79e30073bb5e7041f225466b1351c3cfcaf9d99a1d076b810ce1b0f53d9b4cccacef32d66d4450

Download Submit
C:\Users\Admin\AppData\Local\Temp\i4uft3jm\i4uft3jm.cmdline

Filesize
327B

MD5
8ec3e8cb1bcaf3a4e7b5ed8746acc3ea

SHA1
497c2f1e59c26470d858f3c47a687eb40bc144a6

SHA256
e8f11815767e56333ab98b47932ab026784ccb4a760942ec276827ed28863dee

SHA512
31cf09775b701083e559467a66ad58c6127cd76e0f10972491ac84bd0d76d53c41f02f79153dbeee81aefcdc7f86f2d50213d7d6b81a7c5f41848d93c74f438b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc426F2244AC9E4CFB9570D9BA33AFFDFA.TMP

Filesize
1KB

MD5
b1242e41a90d362c853095c70cfcfd9a

SHA1
c649fbe41cd145cc91caffa559865fca3378ed5b

SHA256
605dc51536f922467f6da12c0a6bb26f326d8883a6db610ac46d8a6b0c9cd6cf

SHA512
52503db4ec9d4c3cba5c7c7dde52a7b1a5852700a8482a6fab0007e29ae07a6f18010b16ef074b10a59b2a9d92c6ea01c1f804969b7f878b9df4b4e18ee8ef2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc524C4D423A41479DBAE2A53A1E5B833.TMP

Filesize
1KB

MD5
47bd7c0ad3bd57f7519ba82c0df2b13c

SHA1
ab679180f0b424e246f16a3cd5750deaf8f33f40

SHA256
e9db2c928da9d2a89a7acfecb029df7cb5f067e66d41132468d67f01db56e013

SHA512
9446b9ea775a949b55c387252cfe7209ec38cba7d5492d8cf056f9672fac6178b8eff385630fd0a1c3f67b3c48944135c36ba3c5fe61562975fb45698cd28123

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhejr4mk\zhejr4mk.0.vb

Filesize
78KB

MD5
4164bb6545bad07c7a22ede3a9e2117a

SHA1
5e13d5b56dc2c33cd3c5181b916c77cbb12f7d41

SHA256
6493963b5364f67e0293aa4538323688d11d55675bb471d51888efd5d3ed8d15

SHA512
b9df258c44c387a70d8a90443a1cef2f283bbd880d9cd34910f899ed0f1ce50dd026e742545cf93c13d55527e479af54fbde1d1fb3c7df120c469613537be743

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhejr4mk\zhejr4mk.cmdline

Filesize
327B

MD5
e84a9c3231b5d8450ed2bd68c092372d

SHA1
606cd3dc97146950dbfe4025cd3294773409f6b6

SHA256
53e5e98730b2d4733373f0fdbc9b9c383b6ad930396f0e7fb910d4e342af9b79

SHA512
15d434bc5e0fcc47c356f2eaec047b61d2b174cca7bbd75c4bcf7343d7e3e0447875ab07aaee96e46a63f7f9b3c5e7bd65c0bdc06b0e0373396431d9335ee990

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Background.png

Filesize
924KB

MD5
c93ee3abeff4ac24936471f80b36ec7a

SHA1
0120649571a4b692ff5d10aae8dd87dffd3a0f81

SHA256
2f691caff7e1980cfb069d2608b6470b3a06cdb90467ce47820e8602115a0c5b

SHA512
dd319d1eea708284588ff67268cb23bd7b5cde505f3a8a1e7a27a587920ee5877efa4c1d8264cae48de343cabbf11bbe457b49f348b46288765eeff45d20cab5

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
5a766a4991515011983ceddf7714b70b

SHA1
4eb00ae7fe780fa4fe94cedbf6052983f5fd138b

SHA256
567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52

SHA512
4bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Chat.dll

Filesize
18KB

MD5
59f75c7ffaccf9878a9d39e224a65adf

SHA1
46b0f61a07e85e3b54b728d9d7142ddc73c9d74b

SHA256
aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492

SHA512
80056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Chromium.dll

Filesize
32KB

MD5
edb2f0d0eb08dcd78b3ddf87a847de01

SHA1
cc23d101f917cad3664f8c1fa0788a89e03a669c

SHA256
b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982

SHA512
8f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Clipboard.dll

Filesize
14KB

MD5
831eb0de839fc13de0abab64fe1e06e7

SHA1
53aad63a8b6fc9e35c814c55be9992abc92a1b54

SHA256
e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959

SHA512
2f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\FilesSearcher.dll

Filesize
478KB

MD5
6f8f1621c16ac0976600146d2217e9d2

SHA1
b6aa233b93aae0a17ee8787576bf0fbc05cedde4

SHA256
e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b

SHA512
eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\HBrowser.dll

Filesize
25KB

MD5
f0e921f2f850b7ec094036d20ff9be9b

SHA1
3b2d76d06470580858cc572257491e32d4b021c0

SHA256
75e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c

SHA512
16028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\HRDP.dll

Filesize
1.7MB

MD5
f27b6e8cf5afa8771c679b7a79e11a08

SHA1
6c3fcf45e35aaf6b747f29a06108093c284100da

SHA256
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

SHA512
0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\HVNC.dll

Filesize
58KB

MD5
30eb33588670191b4e74a0a05eecf191

SHA1
08760620ef080bb75c253ba80e97322c187a6b9f

SHA256
3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96

SHA512
820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
065f0830d1e36f8f44702b0f567082e8

SHA1
724c33558fcc8ecd86ee56335e8f6eb5bfeac0db

SHA256
285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4

SHA512
bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\HiddenApps.dll

Filesize
45KB

MD5
ba2141a7aefa1a80e2091bf7c2ca72db

SHA1
9047b546ce9c0ea2c36d24a10eb31516a24a047d

SHA256
6a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea

SHA512
91e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Informations.dll

Filesize
22KB

MD5
67a884eeb9bd025a1ef69c8964b6d86f

SHA1
97e00d3687703b1d7cc0939e45f8232016d009d9

SHA256
cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b

SHA512
52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Keylogger.dll

Filesize
17KB

MD5
246f7916c4f21e98f22cb86587acb334

SHA1
b898523ed4db6612c79aad49fbd74f71ecdbd461

SHA256
acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a

SHA512
1c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Maps.dll

Filesize
15KB

MD5
806c3802bfd7a97db07c99a5c2918198

SHA1
088393a9d96f0491e3e1cf6589f612aa5e1df5f8

SHA256
34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6

SHA512
ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\MessageBox.dll

Filesize
14KB

MD5
7db8b7e15194fa60ffed768b6cf948c2

SHA1
3de1b56cc550411c58cd1ad7ba845f3269559b5c

SHA256
bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29

SHA512
e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Microphone.dll

Filesize
540KB

MD5
9c3d90ccf5d47f6eef83542bd08d5aeb

SHA1
0c0aa80c3411f98e8db7a165e39484e8dae424c7

SHA256
612898afdf9120cfef5843f9b136c66ecc3e0bb6f3d1527d0599a11988b7783c

SHA512
0786f802fbd24d4ab79651298a5ba042c275d7d01c6ac2c9b3ca1e4ee952de7676ec8abf68d226b72696e9480bd4d4615077163efbcda7cff6a5f717736cbdfe

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Ngrok-Installer.dll

Filesize
400KB

MD5
3e19341a940638536b4a7891d5b2b777

SHA1
ca6f5b28e2e54f3f86fd9f45a792a868c82e35b5

SHA256
b574aabf02a65aa3b6f7bfff0a574873ce96429d3f708a10f87bc1f6518f14aa

SHA512
06639892ea4a27c8840872b0de450ae1a0dac61e1dcb64523973c629580323b723c0e9074ff2ddf9a67a8a6d45473432ffc4a1736c0ddc74e054ae13b774f3e2

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Options.dll

Filesize
30KB

MD5
97193fc4c016c228ae0535772a01051d

SHA1
f2f6d56d468329b1e9a91a3503376e4a6a4d5541

SHA256
5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

SHA512
9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Pastime.dll

Filesize
17KB

MD5
6430ab4458a703fb97be77d6bea74f5b

SHA1
59786b619243d4e00d82b0a3b7e9deb6c71b283c

SHA256
a46787527ac34cd71d96226ddfc0a06370b61e4ad0267105be2aec8d82e984c1

SHA512
7b6cf7a613671826330e7f8daddc4c7c37b4d191cf4938c1f5b0fb7b467b28a23fb56e412dc82192595cfa9d5b552668ef0aaa938c8ae166029a610b246d3ecc

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Performance.dll

Filesize
16KB

MD5
1841c479da7efd24521579053efcf440

SHA1
0aacfd06c7223b988584a381cb10d6c3f462fc6a

SHA256
043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735

SHA512
3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\ProcessManager.dll

Filesize
19KB

MD5
3d4ec14005a25a4cb05b1aa679cf22bf

SHA1
6f4a827d94ad020bc23fbd04b7d8ca2995267094

SHA256
7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e

SHA512
0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Plugins\Programs.dll

Filesize
13KB

MD5
a6734a047b0b57055807a4f33a80d4dd

SHA1
0b3a78b2362b0fd3817770fdc6dd070e3305615c

SHA256
953a8276faa4a18685d09cd9187ed3e409e3cccd7daf34b6097f1eb8d96125a4

SHA512
7292eab25f0e340e78063f32961eff16bb51895ad46cfd09933c0c30e3315129945d111a877a191fc261ad690ad6b02e1f2cabc4ff2fdac962ee272b41dd6dfa

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe

Filesize
32KB

MD5
5d9fa6cced67f6137592afe968c1adff

SHA1
03a29075a6ed9106342f92a686a3fe894d703a90

SHA256
fca2302ed13ebebd818974c3ed5443847cea6e5d050c49b8d804a3b7dc1003e8

SHA512
9619f8c7620e73e2fe476f610271159d8244c2ec54e1583c8e39e9e9bc0c65408ca46b85c9667c136e586e4c1289af0cd329c6013e7d3e17bc9b46b0ea6d5a95

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest1.exe

Filesize
64KB

MD5
53909200e7ccaad6be49a032322eaa32

SHA1
5cb1cfadc67042e31863fe14b7ea6b058238d331

SHA256
f10a3c45db3c9c8158321e1ca2ebc2dbc9aa2546120e3cc59c7cd6f1db7b616a

SHA512
e38696e8922119586969690462d61567efea88acb7c7e834f69e72e2d7bec4ee87d3ae52e31f93184fd9b15a813c2144123a505d118d5f05b35017fd393ab3da

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe

Filesize
43KB

MD5
800c495320bdbab3bbc99164e8d97764

SHA1
becb254d7a9a0a3534a74e115185ee73d96a579f

SHA256
22224ce1337ff2f5cd959780547b615f56d254f267f1a8bedfd71906ff01d1e7

SHA512
4f0a55cad622b0a1d049fcab7f1e03f54eb4bf95bac6cda938c5dbf2e9a7eeb4dddc30109295b13ce578afe71ce02bc75ed170ccd0275b398f6830211e5c1a5a

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClienttest2.exe

Filesize
72KB

MD5
29bf0d91b7c3a7a6a5a37e7e6a247a3a

SHA1
947ecbe6d1a01a88ed575c48fc87ccbd4f8fa31d

SHA256
07a1b44968b8c5c3f444f37fde6419998d734548394c47a9e7125d8e51908baf

SHA512
c4c5e4452007693a98ffa48a3fe4a5ba058c8ec3e6332a8b7a58c7d345caf9174cd6233e21d8af3d61123bf8531acda2042dda3e0c70484ddb65919f7d714b66

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/1360-446-0x00000154FE9D0000-0x00000154FE9F2000-memory.dmp

Filesize
136KB

Download
memory/1720-576-0x0000000001080000-0x000000000108A000-memory.dmp

Filesize
40KB

Download
memory/1720-440-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/4608-415-0x000001C2EC5C0000-0x000001C2EC642000-memory.dmp

Filesize
520KB

Download
memory/4608-267-0x000001C2ECC10000-0x000001C2ECC56000-memory.dmp

Filesize
280KB

Download
memory/4608-264-0x000001C2ECD70000-0x000001C2ECF64000-memory.dmp

Filesize
2.0MB

Download
memory/4608-417-0x000001C2EC560000-0x000001C2EC58C000-memory.dmp

Filesize
176KB

Download
memory/4608-269-0x000001C2EBC60000-0x000001C2EBC6D000-memory.dmp

Filesize
52KB

Download
memory/4608-270-0x000001C2EBE70000-0x000001C2EBE8E000-memory.dmp

Filesize
120KB

Download
memory/4608-271-0x000001C2EBC90000-0x000001C2EBC9B000-memory.dmp

Filesize
44KB

Download
memory/4608-262-0x000001C2CFE40000-0x000001C2D0D28000-memory.dmp

Filesize
14.9MB

Download
memory/4608-299-0x000001C2F3FE0000-0x000001C2F4148000-memory.dmp

Filesize
1.4MB

Download
memory/4608-268-0x000001C2EB580000-0x000001C2EB589000-memory.dmp

Filesize
36KB

Download
memory/4608-272-0x000001C2ECC10000-0x000001C2ECC56000-memory.dmp

Filesize
280KB

Download
memory/4608-419-0x000001C2F4150000-0x000001C2F4432000-memory.dmp

Filesize
2.9MB

Download
memory/4608-421-0x000001C2F3D10000-0x000001C2F3DC2000-memory.dmp

Filesize
712KB

Download
memory/4820-403-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download