xworm | 24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.zip
Size

24.5MB
MD5

547e575e76fe43feed2f97b0a6b68b3e
SHA1

631dcbd8db53d6275b6236d766a72ad31f5079d4
SHA256

24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723
SHA512

630f72520ff9dae8d7cbe4237d1cc6964397867fedf3ca154b9c5bff443bcbad3d574a38ac06af3bf4e280fc9538e0c0bbe54ab90fb333d208193f35342b6ec5
SSDEEP

393216:VyavqxXFeuBc9Q+Fdt6ieJS9xCZGb7kjjJ6AKbKrbdcjXo50Ko+Y2ToxYP:Vy5xXDBYQwn63qkjBKego5Ho+x

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

peoAXNPX6mlWOuLu

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0005000000000715-827.dat	family_xworm
behavioral2/files/0x0003000000000747-846.dat	family_xworm
behavioral2/memory/4972-848-0x0000000000830000-0x000000000083E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
748	Xworm V5.6.exe
4972	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757648769274916"	chrome.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 60003100000000005b597d87100058574f524d567e312e360000460009000400efbe6b59ce116b59ce112e0000005de7010000000200000000000000000000000000000000000000580057006f0072006d002000560035002e00360000001a000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
748	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1840	7zFM.exe
Token: 35	1840	7zFM.exe
Token: SeSecurityPrivilege	1840	7zFM.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe
Token: SeCreatePagefilePrivilege	916	chrome.exe
Token: SeShutdownPrivilege	916	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
1840	7zFM.exe
1840	7zFM.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
748	Xworm V5.6.exe
748	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
916	chrome.exe
748	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 4932	916	chrome.exe	110
PID 916 wrote to memory of 4932	916	chrome.exe	110
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 2612	916	chrome.exe	111
PID 916 wrote to memory of 4488	916	chrome.exe	112
PID 916 wrote to memory of 4488	916	chrome.exe	112
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113
PID 916 wrote to memory of 2576	916	chrome.exe	113

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff743ecc40,0x7fff743ecc4c,0x7fff743ecc58
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1992,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2216,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4580,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4944,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5128,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4928,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5320,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5148,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:2
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5312,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3228,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3512,i,10730007481429163935,6967362062916023003,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:2272

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2860

C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:748
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a23gdm5j\a23gdm5j.cmdline"
  2⤵
  PID:1084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1B4C756BFDF74055A2923B0B0BB6378.TMP"
    3⤵
    PID:3964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x418
1⤵
PID:4968

C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe"
1⤵
- Executes dropped EXE
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
436fe26d421c93c9c5ea9adfda1924e5

SHA1
c1850a6e43391ff468f5f5165dd83084ffe85064

SHA256
7e6fc30835cf0cc78e870769362dd5c7e722d6d3d3172ba65dd065c8a6e4ff92

SHA512
26295d08e9b04aa7be600130bc3c3b459fd28cd700c99a1ba4ed310be0094ca712154220732c367b093fdefb6152ca044548018973dfa3f440d0a9e34782c8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
73465a1c41376031433b98976c0cf30e

SHA1
750dfd23b11c187f44dd8d757b37c0f662656364

SHA256
bcbbf6756dee5fea29a16ee36e4ee44958a8cef776ebc65a430fa97d8fd4f24f

SHA512
82090f3e121d462002780aa850940e5f7fa2b230c6f07c2c0da8aa69d69922f5544212abf337888bc4b425005cb3d5e979d38a3690a3220b9fa32775b4d4fea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4f64e4d8-a215-4601-bcda-709c112a1924.tmp

Filesize
858B

MD5
2fddb0445534739eecd4c1f38ce65e41

SHA1
cd534b20970cf885dc98805d6d22530cf816a731

SHA256
6680647a85da668d2e074eed19263156a74b6a3f7a3fc7e2b0d981418befb0fb

SHA512
ec8db404e310b955b5ae304945e28f12158c182d85e7af568ec965fe11fb54ffff3152e1a06baba112f7ae52a71c339e7a398f7fe6e0f3750e676e9fd70e46c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
249f3a102bfc1db0387c307c3656c264

SHA1
a3c625da0d6298ce8a24274ac9a2a09a9931a97f

SHA256
b8e57e1a99dc1a265b90c5c73f4c324e822e3ca68c6b79620b2a984e7b2b5c23

SHA512
5df7b709d15149f470502c3e33f45317cfffe657851a06ddea9318ee6465a9302043ebe2029d46b4f8a92474467f2a4d3b8060b0b48b9293b850d03633f92b08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0a12e27cbd5a724abea65bfcc35735ff

SHA1
ba4c584fa70929c9148329c0adc0981985dc3122

SHA256
ed0e90f9fd64de3fc2c51b1b8524b8647b57a6b2e05b50380ed5bc2bfe48e985

SHA512
94143de3f6fe70a916eef07de7c090a56dc38398cdf40835a16053b4c2ea7cb8ab9f3f9379380bd538abcceb305696fd6be6534bdabdcbc3eca3db4f85c7de67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b42f03cdf4b96d41b2c3f210458a699e

SHA1
a62eb9454b5d38b896cdd3ed12a63f5a6981c169

SHA256
a7cb7ded76c68998a210240bd92a36175b771449cda65ef675e9517ae6bb2c9c

SHA512
5fa628798e9824e1b076df5ff22fc1f75ca68646d3c45aee679c0b66c9a4e3c2a5435d5b1981cd875f7d1f566021313d977f4ac07aa6aa5c7f86f5fd4e5e2057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e31bd3397ce676c2baf30b69d6734825

SHA1
32b43d9552f843b1f22d76b322e8e220bfacf815

SHA256
dbe54098a58dbee9122f9fe0f65e57dbc39196fc681d956ddaa60273e0804bde

SHA512
dddaba503285b30f295f652c5cce0aec1028ba01b45a8b50a1792be9858f076914a8ca8f4d74d9bcdecabbb593832ef8b14b0225a9a15f48edb0c4ebc5c62189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7d2bbe793eb4665971fd629a7ba134aa

SHA1
45b4f943c44d7da6b5bd68d7ee54c5e8beeacdcb

SHA256
f1f7f9970c3d21eda0ef74c413c95ac151e0bb1f14949e25d1eac6b313ed269a

SHA512
5e797531047a6fe2f3b32f2ffe8bd9245fdfec8e94f10dc7bd1fedd3b759d1fddb9476068fa21a82c9cedf380a453adc716cdc5294fc185feab9be94c669e1c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e24563cbcfac5b76cf4b3790fae9bd8

SHA1
58cc21a09642bc885bd05e475f14e7cd304f9baa

SHA256
36ebd1e704aa8460779bc4f4b6bb09b6ed3e2d8bb343fee619caaffd548e898b

SHA512
b22a15efe83552b982d4781b435b68641ea94a02d6be1c855ba2ed46f72185288b2763b31c01749a7a75e69667fe5c3ff7bbce41742b075211c5d705ff83ca35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
102b333c95ad75fe5efcd3a07d3d9df9

SHA1
db67f5397d20790a87be1afaeb43fa7c7be2e22a

SHA256
50ee849742c606b8a79d7258f44bc42896d2b07d197d331e258162f3ecaf764a

SHA512
0cce2cc5d822f5af820412cddc80763cb8a07d1b59ee0e65b5a0b8dbfd5c223233a1ff8c0bd6dd5d7d64ed9ef60549bf14046acef023b7925edd7202007931b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5e47e8e3da2977f98bd6adfd7c43cee7

SHA1
d01c246c6b68c32ef03373a0d7a30abc13ebcafd

SHA256
8d2365289e1201276aa349775a6d65fab0476058aa3afb9179b2a38ce84032da

SHA512
c40eb80df2a18d9a770483f516832527803229d4bd2108e0dc362b02393160a5a8d049f84148ae846e5f266b47c44195bf673bcfd280a18681676b0221439b9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
02a104c79c8f00fcb869ca9bae4882c7

SHA1
2c946d3f1e092887d6618871a9a3d8b30338570b

SHA256
109267e98f81304529c6bb1e70e41713f6e6d74dbdfe33eede30f070346bdf07

SHA512
aa28c9b24bade1937e3fdd0b61a5e5a6574921d377480a909799e6cc91fd66f99e3de0a4f8788be5a986a65555f6ca8133028fcd60c83acabd3ef3fb005f02de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
8e5cbd9d613cfe9eb451637ef497b9e1

SHA1
0c33873e9609af2d53ea30e39a65e3ad14df5918

SHA256
adf21cb97f6570eda66ab6457b834cfba96ef07be30e132212f167ae99fe03da

SHA512
adcf21f09ccf90c71df1a322fe8e7c180d7faa0c0e56db3f04d66d1404777cdefec7d3c7d3ce43d56a50776139ffea89b36a3883549c54eb02ec59388da6fd29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
3e330a1d6aa20e5d7aeda37b830dc391

SHA1
619ea5bc41dd0d23aa5be3031fc9ecafcd3089a1

SHA256
ceac76de6a93fdb77d9e849134b1009b89872b3542c644b4ea326c0506925883

SHA512
bce429bc3da72345a8171b7e76af889cbd9ed39ee6f27a9f96eacf1d9c2e81da95ec703d9fd045f5652104506ca3b659d40ee8e6f33ed89621ad8b38390d8ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE037AA838\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDB62.tmp

Filesize
1KB

MD5
e8cee5f2fa315dd8e0bc7c0cc39a5115

SHA1
d3ef7a2dadcd07f98bb274540ce38035cd77a06d

SHA256
d2b55f9bcab73da57681baa7da4c0f93444336a17168c0dfbfc1f4c372851ddb

SHA512
23da65d9066da1ae4425687e4097b0fb6f31ca3bbdff1ae11a7a5073e69e654c2c00292be04f4df12144241e5cab93b5af8d214b53abf157485c668346ad0478

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23gdm5j\a23gdm5j.0.vb

Filesize
78KB

MD5
869e477d11912bd112b4a3802a408842

SHA1
c74ba7dc01f6a91ac2d3597f61ec431876230668

SHA256
c6426dd1f8e861edbbde0cccd8cb46c6dc196bcc53789b0279cdd3e09513dbb8

SHA512
52d31f606d668e771c86970f2130f37f343714d3666d896283389a71766e106ca3b2c07c068da2d8aa558edfeb91c1be86dc43b2b2ad8c927040fb36f4f12d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23gdm5j\a23gdm5j.cmdline

Filesize
301B

MD5
e420ea461b0482c5cea27bd05d09a175

SHA1
d1bed329cae96c173548595b46323a49ff3af9ae

SHA256
1d0a3971a3505c37550c39741a6596a3252b12b2a7cb67e42dcb9e45c7f1fb06

SHA512
1c86ea8378d95b6e899db125e3317bd5a63056cba4f348feaeff6ab491078d545aaa8d0b10a72939e7a28a6ff18f9e83f778485faf5f3a5c0ac528287a772eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir916_759652440\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir916_759652440\c6be6075-ec3b-4c7a-89cc-9b6f3f4320fe.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc1B4C756BFDF74055A2923B0B0BB6378.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe

Filesize
32KB

MD5
3ebb806cb73645e98d94a47c23cbd36b

SHA1
7ff8f07bdfb2d82ce730755614a97189325a8b60

SHA256
7316ac61b1bb90fb29cfae33b8479b2e0fa692fd98f9a9a71c5924cefba1c70f

SHA512
2357fd39f9894d0c829cf07abc517d6a0e3097bc4501725c730d92165a11fe71a8b89a826057c8d18f7fc81069a24b0758ce209c021c52548715524f16c8c19f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/748-822-0x000001907CFD0000-0x000001907D138000-memory.dmp

Filesize
1.4MB

Download
memory/748-755-0x00000190760D0000-0x00000190762C4000-memory.dmp

Filesize
2.0MB

Download
memory/748-753-0x00000190589A0000-0x0000019059888000-memory.dmp

Filesize
14.9MB

Download
memory/4972-848-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download