stormkitty | eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1

Analysis

max time kernel
1050s
max time network
955s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-10-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main.zip
Size

24.8MB
MD5

98af17dc86622b292d58fbba45d51309
SHA1

44a7d9423ce00ddda8000f9d18e3fe5693b5776f
SHA256

eed75f0edf37bdd0d0a64ac8723672dbfe64288fb3845b89cc3596d0511f67d1
SHA512

b3b9c67e373bcba5bd039088953400a3296b374f29f5de00f56c0702da7f9eccf0c452586d486c17ab1ea5ab16240112fda8457ec258d2ba9735b17959db4b05
SSDEEP

786432:3vngbHGYI0DuXXEDgfI+tjIdubuu0SVww6vZqwffr:fgbHGY2hfI8yuxV7oswXr

Score

10^/10

stormkitty xworm discovery execution persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:8888

Mutex

Ytuq3ImrRukuy0zi

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:8888

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nay5qu1i\nay5qu1i.0.vb	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
behavioral1/memory/1392-267-0x0000000000AE0000-0x0000000000AFA000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\pgvbvlt1\pgvbvlt1.0.vb	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
behavioral1/memory/1520-2041-0x0000000000BF0000-0x0000000000C08000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\paopaign\paopaign.0.vb	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe	family_xworm
behavioral1/memory/916-2254-0x0000000000260000-0x000000000027C000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1520-2183-0x000000001D2D0000-0x000000001D3F0000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3100	powershell.exe
1780	powershell.exe
4944	powershell.exe
2968	powershell.exe
792	powershell.exe
3980	powershell.exe
944	powershell.exe
1540	powershell.exe

Deletes itself 1 IoCs

Processes:

XClient.exe

pid process

916 XClient.exe

pid	process
916	XClient.exe

Drops startup file 4 IoCs

Processes:

XClient.exeXClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 16 IoCs

Processes:

XClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exe

pid	process
1392	XClient.exe
640	XClient.exe
1520	XClient.exe
4316	XClient.exe
3524	XClient.exe
4228	XClient.exe
1016	XClient.exe
1096	XClient.exe
5076	XClient.exe
916	XClient.exe
1260	XClient.exe
3348	XClient.exe
2992	XClient.exe
3392	XClient.exe
1032	XClient.exe
3244	XClient.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exeXClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Drops file in System32 directory 12 IoCs

Processes:

lodctr.exe

description	ioc	process
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

XClient.exe

description pid process target process

PID 1520 set thread context of 4092 1520 XClient.exe cvtres.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 1520 set thread context of 4092	1520	XClient.exe	cvtres.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exepowershell.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2092 timeout.exe

pid	process
2092	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeXworm V5.6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeXworm V5.6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\TypedURLs	Xworm V5.6.exe

Modifies registry class 49 IoCs

Processes:

Xworm V5.6.exeexplorer.exeOpenWith.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "7"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3340 schtasks.exe
2324 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3656 explorer.exe

pid	process
3340	schtasks.exe
2324	schtasks.exe

pid	process
3656	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Xworm V5.6.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exepowershell.exe

pid	process
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
1780	powershell.exe
1780	powershell.exe
4944	powershell.exe
4944	powershell.exe
2968	powershell.exe
2968	powershell.exe
792	powershell.exe
792	powershell.exe
1520	XClient.exe
1432	powershell.exe
1432	powershell.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

7zFM.exeXworm V5.6.exeexplorer.exeXClient.exeXClient.exe

pid process

2816 7zFM.exe
5036 Xworm V5.6.exe
3656 explorer.exe
1520 XClient.exe
916 XClient.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4172 msedge.exe
4172 msedge.exe
4172 msedge.exe
4172 msedge.exe
4172 msedge.exe
4172 msedge.exe

pid	process
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

7zFM.exeAUDIODG.EXEXClient.exeXClient.exeXClient.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exepowershell.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exepowershell.exepowershell.exepowershell.exepowershell.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exe

description	pid	process
Token: SeRestorePrivilege	2816	7zFM.exe
Token: 35	2816	7zFM.exe
Token: SeSecurityPrivilege	2816	7zFM.exe
Token: 33	2072	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2072	AUDIODG.EXE
Token: SeDebugPrivilege	1392	XClient.exe
Token: SeDebugPrivilege	640	XClient.exe
Token: SeDebugPrivilege	1520	XClient.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1520	XClient.exe
Token: SeDebugPrivilege	4316	XClient.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	3524	XClient.exe
Token: SeDebugPrivilege	4228	XClient.exe
Token: SeDebugPrivilege	1016	XClient.exe
Token: SeDebugPrivilege	1096	XClient.exe
Token: SeDebugPrivilege	5076	XClient.exe
Token: SeDebugPrivilege	916	XClient.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	916	XClient.exe
Token: SeDebugPrivilege	1260	XClient.exe
Token: SeDebugPrivilege	3348	XClient.exe
Token: SeDebugPrivilege	2992	XClient.exe
Token: SeDebugPrivilege	3392	XClient.exe
Token: SeDebugPrivilege	1032	XClient.exe
Token: SeDebugPrivilege	3244	XClient.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

7zFM.exeXworm V5.6.exeXClient.exemsedge.exe

pid	process
2816	7zFM.exe
2816	7zFM.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
5036	Xworm V5.6.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

Xworm V5.6.exeXClient.exemsedge.exe

pid	process
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
1520	XClient.exe
1520	XClient.exe
1520	XClient.exe
5036	Xworm V5.6.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe
4172	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Xworm V5.6.exeXClient.exeexplorer.exeXClient.exeOpenWith.exe

pid	process
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
1520	XClient.exe
3656	explorer.exe
3656	explorer.exe
5036	Xworm V5.6.exe
5036	Xworm V5.6.exe
916	XClient.exe
3244	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Xworm V5.6.exevbc.execmd.exevbc.exeXClient.execvtres.exepowershell.execmd.exevbc.exeXClient.exemsedge.exe

description	pid	process	target process
PID 5036 wrote to memory of 4680	5036	Xworm V5.6.exe	vbc.exe
PID 5036 wrote to memory of 4680	5036	Xworm V5.6.exe	vbc.exe
PID 4680 wrote to memory of 3012	4680	vbc.exe	cvtres.exe
PID 4680 wrote to memory of 3012	4680	vbc.exe	cvtres.exe
PID 4068 wrote to memory of 4772	4068	cmd.exe	lodctr.exe
PID 4068 wrote to memory of 4772	4068	cmd.exe	lodctr.exe
PID 5036 wrote to memory of 948	5036	Xworm V5.6.exe	vbc.exe
PID 5036 wrote to memory of 948	5036	Xworm V5.6.exe	vbc.exe
PID 948 wrote to memory of 3576	948	vbc.exe	cvtres.exe
PID 948 wrote to memory of 3576	948	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1780	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 1780	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 4944	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 4944	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 2968	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 2968	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 792	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 792	1520	XClient.exe	powershell.exe
PID 1520 wrote to memory of 3340	1520	XClient.exe	schtasks.exe
PID 1520 wrote to memory of 3340	1520	XClient.exe	schtasks.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 1520 wrote to memory of 4092	1520	XClient.exe	cvtres.exe
PID 4092 wrote to memory of 1432	4092	cvtres.exe	powershell.exe
PID 4092 wrote to memory of 1432	4092	cvtres.exe	powershell.exe
PID 4092 wrote to memory of 1432	4092	cvtres.exe	powershell.exe
PID 1432 wrote to memory of 4912	1432	powershell.exe	explorer.exe
PID 1432 wrote to memory of 4912	1432	powershell.exe	explorer.exe
PID 1432 wrote to memory of 4912	1432	powershell.exe	explorer.exe
PID 1520 wrote to memory of 4392	1520	XClient.exe	schtasks.exe
PID 1520 wrote to memory of 4392	1520	XClient.exe	schtasks.exe
PID 1520 wrote to memory of 4984	1520	XClient.exe	cmd.exe
PID 1520 wrote to memory of 4984	1520	XClient.exe	cmd.exe
PID 4984 wrote to memory of 2092	4984	cmd.exe	timeout.exe
PID 4984 wrote to memory of 2092	4984	cmd.exe	timeout.exe
PID 5036 wrote to memory of 2576	5036	Xworm V5.6.exe	vbc.exe
PID 5036 wrote to memory of 2576	5036	Xworm V5.6.exe	vbc.exe
PID 2576 wrote to memory of 640	2576	vbc.exe	cvtres.exe
PID 2576 wrote to memory of 640	2576	vbc.exe	cvtres.exe
PID 916 wrote to memory of 3980	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 3980	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 944	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 944	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 1540	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 1540	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 3100	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 3100	916	XClient.exe	powershell.exe
PID 916 wrote to memory of 2324	916	XClient.exe	schtasks.exe
PID 916 wrote to memory of 2324	916	XClient.exe	schtasks.exe
PID 916 wrote to memory of 4172	916	XClient.exe	msedge.exe
PID 916 wrote to memory of 4172	916	XClient.exe	msedge.exe
PID 4172 wrote to memory of 3804	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 3804	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe
PID 4172 wrote to memory of 4512	4172	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3204

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nay5qu1i\nay5qu1i.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3C8FFC303E054F99BB101E745BDE7E2.TMP"
    3⤵
    PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pgvbvlt1\pgvbvlt1.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4708.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD98ADBFC8D543EDA479815AFB77FCEB.TMP"
    3⤵
    PID:3576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\paopaign\paopaign.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5794D26068E04756A0811CB085F0C383.TMP"
    3⤵
    PID:640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3576

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x0000000000000480
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Fixer.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:4772

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 127.0.0.1 8888 test CE611C4B0753FF122709
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
  2⤵
  PID:4392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2092

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffdc19d3cb8,0x7ffdc19d3cc8,0x7ffdc19d3cd8
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    PID:4076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
    3⤵
    PID:1424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    PID:3856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
    3⤵
    PID:2500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,993373167564902778,10682092062408949035,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3712 /prefetch:2
    3⤵
    PID:1712

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
898bc3071b2d538511ca0c9d3cb3ced9

SHA1
3dd89fed2f5e48b199264f9ca593120ecaa0d86f

SHA256
c067d86fd7810f417ccd6a7eba13fc00ab3d20a1da5a4315cd63dea859035479

SHA512
45ad9480d57b5d98b59d49959157f399d62bc0d3c44ce21e5941734e176afb140795917c846164587732cf4d557c835b61735dc3c1dbccf22fff7c4c7fffb707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09cefc54487672f7aeb9f9e981b9f1f4

SHA1
ea6498fe65ede71322535f2a86a0eee5a493eb12

SHA256
8801817ce0a35b8b7ce28276814c0694081855ac0a11f0b891df3479cb1a4801

SHA512
d521d0a606395b1dd5b02c6b2a749213e60132e02d1a8df24d40078edb085b665ba40d27a536018a03258ae59022630cbb1439b85ffe4e2564dccaa2562a4dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
469e67866a69de6a4213d55d8d33d332

SHA1
d8adc63d4d88c764b4116d001a721c6eec0d199e

SHA256
097e7da2dca6eb6822ff16180dac9f1e334be93ecd9b55c20206401d2c156d92

SHA512
89dc103cd846544de11ad756ac84c858ea6018555046056c2774e8b3b2f555f847447e61cb5c61f658a8a55105340a63f8699bde0b80051d4d3942186a00d69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ed19c6e4e60c6a3416b51ae95fe4d47

SHA1
2137b64f309e6e894a543f74e17df3ef1d39da4e

SHA256
b3142a8360ba8999d1863892ff396465573ecfb77a08925a4d2c83779584efbc

SHA512
6c9025b4e94b5527f83127737ed316113a2a5ddf00a5b0a10e6b75ea23cfde15a145a5f3dac849adf7bc3b77611b50e017012ad7ba94aca42da1de2f80d7e4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1189a72e42e2321edf1ed3a8d5568687

SHA1
a2142fc754d6830de107d9d46f398483156f16a6

SHA256
009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea

SHA512
b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4ae54c3a00d1d664f74bfd4f70c85332

SHA1
67f3ed7aaea35153326c1f907c0334feef08484c

SHA256
1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c

SHA512
b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ed1b0e00fd83b0358c2b39b801f6b3cf

SHA1
ad20a274a21401c2d74bb9d4b0a01f8885465457

SHA256
624f9ecae9487408c12ac5feb5eec9af8556e451ef4c6b73c1b44a9935a6771c

SHA512
b5c578dff80f3f9957d4e62379299c34c1b770e83153573b4ad7bf4fce367f492b7fc268c818ce81d8b6d6839f176a7eb76aaf39491d4f5aa786edd4d96e5bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85a856d138f6fec5b2d64d1b6658a61e

SHA1
a42398c085485601e3fc915f2d0c2fbd7046ad55

SHA256
737694fb0ef78d16514fe65ec4013400f3ceaa54c1e63121a228247d5cd2b3bf

SHA512
dd9b92f6bb47e7e9b927ff7d2d39aef4427b2574eed365b1f4e5944093377791742b08d5b726c76f5c47231985346541d149b4c59320193ebc7d83775a36f3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
052b734e3d0b49bccde40def527c10df

SHA1
2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0

SHA256
d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f

SHA512
bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
156B

MD5
5bc65b142d36f2ecb21ebc423b858697

SHA1
7a7d528f45738c0f74ccf6dd83845e5dc447c93c

SHA256
1da9c3992c1727535a233a0c83d4299d0983bfaaae0fa80977b824db4e17064f

SHA512
7947e1df46261df57c03e0c9b6b164695317e47443bdebde9056c77f6a7e10e1060d902d7631b13ed7373ff6a33533230c411927ec619616d2bc1e4ede5fae6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES34EA.tmp

Filesize
1KB

MD5
c90ca972b01ff3fc245e58765f33c260

SHA1
8a783d32f1125352312b85e4c66b5faa5aa26954

SHA256
2c1ecdd7cb5788a42a1cb4329953f0b7cf6d146d3b4b52633cf7697d2c35ab66

SHA512
a29d8040690a2bc22b56a6ee7e359b2e555aa40f556c7f26d6d112892f65cf9d328fb3bf3104f45ea1dc7bd9b8bf0b2c69f3afd7df45a7a78e0d0fa31c16548e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4708.tmp

Filesize
1KB

MD5
5cb49b81e4d9fdcd50ca9ebacfb64649

SHA1
51c94bc7d7af97eb794e20041b3ca14dc7b0a88a

SHA256
81310b698325056a5b4beac5c9a7afec1fbe6f3de7f5a896ca3c53f1af59c26b

SHA512
db75e9efb92f0c04d527e4912d8680c733171ba66fea1925ae17c915e99c9c2352a6723d8d5f90afe64213a94455bed4c6c2262286558f43937b7952e7406e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE93.tmp

Filesize
1KB

MD5
1d007e26a7fb3fd771b03139721a1069

SHA1
b3685ad84845e40c93f36b98532e24528b01d403

SHA256
5854da8c1e29adf03ff536c81ba53e257c6d41b024e1a34a397a61a66926bca8

SHA512
00f74fb0e408ea2df74a12ea310042db44fccc3c1e4d8af6bae3b7740649074ce474c68f700136f2ad8c913db5029e281180d09ed4943d7c834f8c91ea307cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hkxqgnc.hac.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nay5qu1i\nay5qu1i.0.vb

Filesize
78KB

MD5
0bc404edeb6130e2e3f02a0fd349585a

SHA1
2059d99876574508ab07928255cf32da044a0b81

SHA256
dd46fa282fa9f9edb11e245d28640ab3a7cb03e0a58485b8e233dcc0bf7aae5d

SHA512
8ac38121ecb4de0b95c0f540a810f3025ac7e7cf89141e1043ef40340cb8a9da364370aa4c13c5c375e0829682f09c910bdbefdd52423e0bc2ff0c5af9fc9dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nay5qu1i\nay5qu1i.cmdline

Filesize
322B

MD5
f4c5b7793d0bd17232894f566252f24c

SHA1
79eb587bb56ed792258dec213277efa9cae94afa

SHA256
7d930d9daa399113a18c097d60e4985302c01fde0a5b96b547a3200800e0364f

SHA512
8eebb5d157f8ce08697142b4fe8dad2bdb95651e1a40df7fedc9d4f3119fd989949ee04e6caeea7bee88c5152defd987b2ba6731a8533f6073647efa21e970fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\paopaign\paopaign.0.vb

Filesize
78KB

MD5
07f6b5b21ac34d0d3c75de5fb9711708

SHA1
5741038d11a1828874eecf3a7031589733236662

SHA256
3f01c8a610dad889ad5cc569245edb15aa4b9fc73c2f6d843f33adf212185460

SHA512
09c409122b542aec4663e6257b827f1ea224e318eca4e6e846c7644b3030aedf8b420ec9a638d7a9e5f0fe24572567d0a44cbd922c1d8e0725e6323683a62d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\paopaign\paopaign.cmdline

Filesize
322B

MD5
36f7af05c23d383c8eb18cce94789410

SHA1
6f25d1d4c1b6816bcc2b7ca81af21d1036395a14

SHA256
19b66161965dd42e8529a72bb28d341f48a0947e5d3f018e2e66767d47770f43

SHA512
40e08d9b691e584ebddd955bda4530fc2ef50cc74946db39108cb562b8a21ff375a36dcec7b4923748c8db12ff665c2a1c17e2eacb3e0c9b9567a73063b58df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgvbvlt1\pgvbvlt1.0.vb

Filesize
78KB

MD5
64f04ab6b59d57baf48890a8a4ce4592

SHA1
e8a3a001bd7b25ea2c94bdf99626d15bdb4c4364

SHA256
96ab90789f8a1011132a27ec52bf4016e3ddf6009c3f31d50a32d5255109ab78

SHA512
36d69c3579f1140f8524584cec9a30a6b13bb46b6b387174e7eda8bc370fe32f1495b80099b959e3d4a2ab41582cecb7990fbc1dd5582d66781f5bfbd0c9314d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgvbvlt1\pgvbvlt1.cmdline

Filesize
322B

MD5
7a69a5aa14c3a5668a05063c89b63457

SHA1
207e29b7925b8983c67c5c34b6b09e54cf7c3f5f

SHA256
ce410b7448c78470370c61af58f974793005c3645f68f1e54c49e478a5fe7d27

SHA512
1abc6eee08c6c1808d3118e0f3a4ac275da8b2fbd9dd9b0a3a3356d762110c1121163a06e4c59d979f41513594ef3507fc8554baa7f4f54a7eba0cf330be768d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB016.tmp.bat

Filesize
180B

MD5
71492ed8330f6510f2090e449d03b855

SHA1
f6e54d501f87c89a43b03d0208f53888ba9e2eca

SHA256
d240c00e5e41859688b8513f2899f21d75c5ef94eec35ccd928382afcd6917d7

SHA512
7d50718f6c3aae3627c7b0f04dd08c0dd2e809ab706a9d37c962122ff35174e8dc44ad0eee36c0b364dca345d94d611972ba52861b7023c7787131b94ac8eacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3C8FFC303E054F99BB101E745BDE7E2.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (14).ico.ENC

Filesize
361KB

MD5
dbf9f0c04bc49859568938f5448d64f8

SHA1
ab09e5f2ddbc316a4af58744d81c7f7c38301db3

SHA256
ec0d7b20ae6aade9330a120ce99cd9044a2b8a622ba5ead82d644863af790bed

SHA512
c16f533f53537e7b3f8f262a9b34a12b794b1c409f6e81f491360cc7fcc5a5ebf4bed3aa5b7e01c75c9b1ea9edcd7e791e5871def124a4169e10892ea67677c7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
45KB

MD5
151fe26e67d4199afc63e301b2bd25b2

SHA1
065a5dd2b84dbe4f58f86d22b3a637bb658895d4

SHA256
826b0cbfcaf99c3d68fdb3279d2559afcaf3c34c29339d633493804f44f30fc1

SHA512
d13ebfb23cfef9c922294cf963768f58b6d3edacf7c8da3c78e09e95b48751642d3be96643e1a9ab362845c8d5ac6c5705b560283ff522c8897f628474b53d8c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
78KB

MD5
db811222a049ecb4f12532405101459d

SHA1
b582a1c32ef696c83c8651f90f3397301bfccab6

SHA256
ababdbbd391e7117a574601635ba9070fd0d6a4aaa6993ce13a1456c3fc42085

SHA512
7782d5f75d292efa51e449508bca8df4a54d2d958540ad30999f2f0bc695da7e15123441d4ec2575785336b32072a59d9718ddb0d74441d2ad4296db60960753

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
43KB

MD5
1016f7be626ddce56693e01772a83e37

SHA1
1f138481b8a26e8b20e2fe3daa6b1c2e3c9311e1

SHA256
30818f3f2a2ac59bb484288a3afbbb658d16911444690d5c822c3d084296614f

SHA512
e22f83ca2d765f05b9a25d9a313344b8546b9312540c2a21b7ec4f27fcb81ff8b369ccf5104b1c82dfbd237eaee061049b34f74d50061556fc971da969b9ae3d

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
70KB

MD5
bc69a86107ba51daa06c38404d8babe1

SHA1
a7568e83e385afe0ef2f1139e55d0bf370c68a9d

SHA256
2fd8e6798f3d28e09db0569fed9bfe2d501c2ba66591a155187bef736b1fd4df

SHA512
0d69bd04387cfbe511629c7e461be06966772c641ca1e67c18a02ac7f20055c495b5dface9da0571c286542c55795d453a428616d81e1bc63878a98c35bd7345

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
43KB

MD5
3e4bc05b76e8c81e3812d86ea5b540b1

SHA1
0991551ad0165e2ae2d3ee878fbf1873df07de51

SHA256
2770a2cec69243dfa461c7bcb15cb8de87d09087ec4c04224d50f6941f228856

SHA512
8ecf59aba963ed9c9b5dac950faa05eda8e888234bf56428f3b4d32491fc2b89bc28925f69496053b8243de57a4c77d4fba9f2c603e8f78f48f59ed7162c8e0b

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
89KB

MD5
ff94b2956336fd6f03e968743751de46

SHA1
539536cec2b6291bbac777a738ff05687f93fc9d

SHA256
9ad695b1d47a79b845218e8413508302d099c75387afb4f98784ca9215030933

SHA512
60a2b3ece5ef21ff2fd1c57359488e49ce1e721569ff82d6f8353a8b94c08d7912b7a5e8c6432aff1270d393bb534f92467cd8dd896955b8e38d73588f350997

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
f45fe582f513ecbd33f88346370b9dbe

SHA1
db304d5e889573bad86b90efaf8ccd0ca1a6c0c9

SHA256
6a82147ef0cf1f162b91e9748e7cc0e320bba5a0f9dde0de54c0240cd25bcabb

SHA512
46dafed5b02d549e725c7e814a5c95bb464fc83502a2d8223fb128dc386561c17372f9236b3b5689f01ba442ae6e0c219c8bb595c6b588fe08da15c988fceedd

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Background.png

Filesize
924KB

MD5
c93ee3abeff4ac24936471f80b36ec7a

SHA1
0120649571a4b692ff5d10aae8dd87dffd3a0f81

SHA256
2f691caff7e1980cfb069d2608b6470b3a06cdb90467ce47820e8602115a0c5b

SHA512
dd319d1eea708284588ff67268cb23bd7b5cde505f3a8a1e7a27a587920ee5877efa4c1d8264cae48de343cabbf11bbe457b49f348b46288765eeff45d20cab5

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\FastColoredTextBox.dll

Filesize
333KB

MD5
b746707265772b362c0ba18d8d630061

SHA1
4b185e5f68c00bef441adb737d0955646d4e569a

SHA256
3701b19ccdac79b880b197756a972027e2ac609ebed36753bd989367ea4ef519

SHA512
fd67f6c55940509e8060da53693cb5fbac574eb1e79d5bd8f9bbd43edbd05f68d5f73994798a0eed676d3e583e1c6cde608b54c03604b3818520fa18ad19aec8

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\IconExtractor.dll

Filesize
10KB

MD5
640d8ffa779c6dd5252a262e440c66c0

SHA1
3252d8a70a18d5d4e0cc84791d587dd12a394c2a

SHA256
440912d85d2f98bb4f508ab82847067c18e1e15be0d8ecdcff0cc19327527fc2

SHA512
e12084f87bd46010aded22be30e902c5269a6f6bc88286d3bef17c71d070b17beada0fe9e691a2b2f76202b5f9265329f6444575f89aff8551c486eafe4d5f32

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (1).ico

Filesize
97KB

MD5
4f409511e9f93f175cd18187379e94cb

SHA1
598893866d60cd3a070279cc80fda49ee8c06c9b

SHA256
115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f

SHA512
0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (10).ico

Filesize
115KB

MD5
ad1740cb3317527aa1acae6e7440311e

SHA1
7a0f8669ed1950db65632b01c489ed4d9aba434e

SHA256
7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878

SHA512
eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (11).ico

Filesize
9KB

MD5
1c2cea154deedc5a39daec2f1dadf991

SHA1
6b130d79f314fa9e4015758dea5f331bbe1e8997

SHA256
3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d

SHA512
dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (12).ico

Filesize
9KB

MD5
4ea9ab789f5ae96766e3f64c8a4e2480

SHA1
423cb762ce81fab3b2b4c9066fe6ea197d691770

SHA256
84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50

SHA512
f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (13).ico

Filesize
361KB

MD5
e6fec4185b607e01a938fa405e0a6c6c

SHA1
565e72809586e46700b74931e490e2dc1e7e3db1

SHA256
2e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44

SHA512
13daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (14).ico

Filesize
361KB

MD5
0c24edec606abda7c6570b7dcf439298

SHA1
4478a102892e5eb4bb1da8e9c62d17724965691a

SHA256
8fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2

SHA512
f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\README.md

Filesize
833B

MD5
3df649ecaad6d64de9b4cc8bc8b23651

SHA1
e427566ab2bd4c6d85bf4cd6882748e1588aed99

SHA256
0eb3b1b999047c79f180dc730a1e86444c2ed8817b8ef7b8b66430581ea46ce7

SHA512
5522f66e4061eba10411e7d499da9b3daf403dbd34d158a99021dd305a54df4ea00066b043b0e6e035d95aaacc92be8e51919f19dbe80ac1ed2d2eb5afc425e0

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\XWorm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\downlaods\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
39KB

MD5
c6a00700213a4cdfac7b02faabc2fa10

SHA1
d1fab1803050a67c59dfce442c1f1dacb166d0dc

SHA256
987d276742eba82260ac1509adc8678651d30103162b44d4e62fbde1b2f28559

SHA512
e3c879502f91b7e4ccbd300372108ffe0cfd2e49070c54f1b27fb83d3c0a7344ea7393b619f1fd6b21314915e32c50fb93f5a1511a383098107c57f1a14faf1d

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
9abcc480d2a0cede7fd7393e50c0333c

SHA1
de6d9114c9632e4683fd7a03251d0de34893f64e

SHA256
2ddbd04182af159fbd282610381b9a265ebced2338fcafccba93556ac710f09f

SHA512
4be9e6a999a89188b0bf20849f6663914a44c67acd382514fd554d87fb72bff3ca1cdc9a11e163085e5638ef8c16d35383bf9611e409aa07b249dcd9c2dfdc49

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
391168ff06e8d68c7a6f90c1ccb088be

SHA1
c3f8c12481c9d3559e8df93ade8f5bfefd271627

SHA256
7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525

SHA512
71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
9c127d90b405f6e4e98e60bb83285a93

SHA1
358b36827fb8dbfd9f268d7278961ae3309baaa1

SHA256
878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578

SHA512
bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
328KB

MD5
c7ad9f8721cac9822ad70f2e1737b070

SHA1
7cc4133e5e092aa117291dd2b310572b2c2f7bdd

SHA256
7f17488d24e106804d8cce2c342a170e3e32d503b4af5417b25ecbbb80be2b5c

SHA512
fc8c98e07f9e4398a619c5f0e064b5e5c0883db638c2b494aaa5394d80bf60d39dd5f9c1df7f4bf966a24819408ec465fd3db064021896c9f86c81c030ca67ca

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
314KB

MD5
6132d850a2cc939d338f3cb699b87aaa

SHA1
553366e320c574030dc996d608cc0b6e0dede672

SHA256
8c61d67e0f6eb8f2b378bd6a5688e2e8bc9f5756da163e5236a0656bf8ccd25b

SHA512
590230014be668343dfc8f0b44c68841f5acaa9685ac7cfec1e346c052835747141265008b6602cf8c8f7d6a441acb34f560243b4e4c354fd471046103c06a34

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
365KB

MD5
fbf09be5a4b447d06479adf39a90c57f

SHA1
8f0311b2bc5f14b23f6823e515b633cb87c5fcd2

SHA256
578a9897f5449e19dac75c3dae6ab13abf6af78c4bda0aa02a1a804771ac960b

SHA512
029f7c79f5965bdad2619821cc672b44d7351ae69cc4c2e7791f34fc9ba5b7887f28c7eb4f2f4ca0b63c34a69e5df47c642971432f142041b298470cadad65a1

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
367KB

MD5
188927d8245b4a76b814f959f99d3bda

SHA1
d69758a0e54e3c7b169331332dc779d5281e3870

SHA256
183c609fb27b3410afe44b985fe6819ff56920ddd250345dfa50d9c29a4a3b92

SHA512
0094bfde6a4814bdb0f5143b189b9fe6c8a90644c98c40de6e8489e12a623fb9239e3f7183e6dbfd982eef230809f0eb7ff7d18f287d5f91a532a4966a303702

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
362KB

MD5
17fca415b7e48c2c2fdd19f6d6e8d963

SHA1
14ae5776de719e91dbebc1d3b6b99e58d54d78f3

SHA256
805f0eb289ee420b282882c66eba1bb1e335f260b517a99c263f23717d04fda5

SHA512
ba7479f9b641da6824867e449b3398124d3d13da8cc182f3e6bb6db74d8b8e900143119a12563d6947db652f33edad1ce391b529ce828ef6fc36e341b3f3be29

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
159KB

MD5
ab6f8e83a55fadfc107060ed8311e0a4

SHA1
55a39474b14b6600543080268d41e8732ba0edad

SHA256
8647f007d314a30ae0760a8b70c6c42b4cf0e7da321795dbf1d254377a70ff18

SHA512
f5be5c78e9d10dd69c8b21ab4d5702a3a24e2ff4cec19ae56a9d58e6ceb9edc40e17b548373b7db5ce58b6759ef3ce361e8514c774fda9a7d988d330a7944732

Download Submit
memory/792-2087-0x00000273FCFF0000-0x00000273FD13F000-memory.dmp

Filesize
1.3MB

Download
memory/916-2337-0x000000001ADF0000-0x000000001ADFC000-memory.dmp

Filesize
48KB

Download
memory/916-2254-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/944-2276-0x000001E545230000-0x000001E54537F000-memory.dmp

Filesize
1.3MB

Download
memory/1392-267-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

Filesize
104KB

Download
memory/1432-2122-0x0000000005DF0000-0x0000000005E3C000-memory.dmp

Filesize
304KB

Download
memory/1432-2108-0x0000000005230000-0x000000000585A000-memory.dmp

Filesize
6.2MB

Download
memory/1432-2109-0x0000000004F00000-0x0000000004F22000-memory.dmp

Filesize
136KB

Download
memory/1432-2110-0x00000000050A0000-0x0000000005106000-memory.dmp

Filesize
408KB

Download
memory/1432-2119-0x00000000058E0000-0x0000000005C37000-memory.dmp

Filesize
3.3MB

Download
memory/1432-2107-0x00000000028F0000-0x0000000002926000-memory.dmp

Filesize
216KB

Download
memory/1432-2121-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/1520-2131-0x0000000001470000-0x000000000147A000-memory.dmp

Filesize
40KB

Download
memory/1520-2041-0x0000000000BF0000-0x0000000000C08000-memory.dmp

Filesize
96KB

Download
memory/1520-2101-0x0000000001440000-0x0000000001456000-memory.dmp

Filesize
88KB

Download
memory/1520-2098-0x0000000002E00000-0x0000000002E0A000-memory.dmp

Filesize
40KB

Download
memory/1520-2182-0x00000000013E0000-0x00000000013EA000-memory.dmp

Filesize
40KB

Download
memory/1520-2183-0x000000001D2D0000-0x000000001D3F0000-memory.dmp

Filesize
1.1MB

Download
memory/1540-2287-0x000001EAB4ED0000-0x000001EAB501F000-memory.dmp

Filesize
1.3MB

Download
memory/1780-2053-0x000001DBCB890000-0x000001DBCB9DF000-memory.dmp

Filesize
1.3MB

Download
memory/1780-2042-0x000001DBB31C0000-0x000001DBB31E2000-memory.dmp

Filesize
136KB

Download
memory/2968-2076-0x00000263ED540000-0x00000263ED68F000-memory.dmp

Filesize
1.3MB

Download
memory/3100-2298-0x00000218E6580000-0x00000218E66CF000-memory.dmp

Filesize
1.3MB

Download
memory/3980-2265-0x000001843CE40000-0x000001843CF8F000-memory.dmp

Filesize
1.3MB

Download
memory/4092-2106-0x0000000005530000-0x0000000005596000-memory.dmp

Filesize
408KB

Download
memory/4092-2105-0x0000000005980000-0x0000000005F26000-memory.dmp

Filesize
5.6MB

Download
memory/4092-2104-0x0000000005330000-0x00000000053CC000-memory.dmp

Filesize
624KB

Download
memory/4092-2103-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/4092-2102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4944-2065-0x000002715BBA0000-0x000002715BCEF000-memory.dmp

Filesize
1.3MB

Download
memory/5036-2092-0x00000258B77A0000-0x00000258B7822000-memory.dmp

Filesize
520KB

Download
memory/5036-2093-0x00000258B1AE0000-0x00000258B1B0C000-memory.dmp

Filesize
176KB

Download
memory/5036-2094-0x00000258BDA20000-0x00000258BDD02000-memory.dmp

Filesize
2.9MB

Download
memory/5036-2095-0x00000258BCE60000-0x00000258BCF12000-memory.dmp

Filesize
712KB

Download
memory/5036-248-0x00000258BD220000-0x00000258BD388000-memory.dmp

Filesize
1.4MB

Download
memory/5036-247-0x00007FFDAF6E0000-0x00007FFDB01A2000-memory.dmp

Filesize
10.8MB

Download
memory/5036-246-0x00007FFDAF6E3000-0x00007FFDAF6E5000-memory.dmp

Filesize
8KB

Download
memory/5036-245-0x00000258B2DC0000-0x00000258B2FB4000-memory.dmp

Filesize
2.0MB

Download
memory/5036-244-0x00007FFDAF6E0000-0x00007FFDB01A2000-memory.dmp

Filesize
10.8MB

Download
memory/5036-243-0x0000025895EA0000-0x0000025896D88000-memory.dmp

Filesize
14.9MB

Download
memory/5036-242-0x00007FFDAF6E3000-0x00007FFDAF6E5000-memory.dmp

Filesize
8KB

Download