stormkitty | 24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723

Analysis

max time kernel
514s
max time network
516s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.zip
Size

24.5MB
MD5

547e575e76fe43feed2f97b0a6b68b3e
SHA1

631dcbd8db53d6275b6236d766a72ad31f5079d4
SHA256

24ea380b035e8768f116f4e20aa1bede85c070c5511b439a020a700ac94b7723
SHA512

630f72520ff9dae8d7cbe4237d1cc6964397867fedf3ca154b9c5bff443bcbad3d574a38ac06af3bf4e280fc9538e0c0bbe54ab90fb333d208193f35342b6ec5
SSDEEP

393216:VyavqxXFeuBc9Q+Fdt6ieJS9xCZGb7kjjJ6AKbKrbdcjXo50Ko+Y2ToxYP:Vy5xXDBYQwn63qkjBKego5Ho+x

Score

10^/10

stormkitty xworm discovery rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

TkJRvHxfMiP7R1fs

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x001900000002ab5d-324.dat	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abc4-263.dat	family_xworm
behavioral1/files/0x001a00000002abca-283.dat	family_xworm
behavioral1/memory/4108-285-0x0000000000140000-0x000000000014E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab63-330.dat	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
1724	Xworm V5.6.exe
4108	XClient.exe
4744	Xworm V5.6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 60003100000000005b597d87100058574f524d567e312e360000460009000400efbe6b5930126b5930122e0000006aa8020000000600000000000000000000000000000000000000580057006f0072006d002000560035002e00360000001a000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
2404	msedge.exe
2404	msedge.exe
3260	msedge.exe
3260	msedge.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4428	7zFM.exe
1724	Xworm V5.6.exe
4744	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3260	msedge.exe
3260	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4428	7zFM.exe
Token: 35	4428	7zFM.exe
Token: SeSecurityPrivilege	4428	7zFM.exe
Token: 33	4264	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4264	AUDIODG.EXE
Token: SeDebugPrivilege	4108	XClient.exe
Token: 33	2456	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2456	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4428	7zFM.exe
4428	7zFM.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
1724	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
1724	Xworm V5.6.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
1724	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe
4744	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1724	Xworm V5.6.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe
1500	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2416	1724	Xworm V5.6.exe	91
PID 1724 wrote to memory of 2416	1724	Xworm V5.6.exe	91
PID 2416 wrote to memory of 1840	2416	vbc.exe	93
PID 2416 wrote to memory of 1840	2416	vbc.exe	93
PID 3260 wrote to memory of 640	3260	msedge.exe	118
PID 3260 wrote to memory of 640	3260	msedge.exe	118
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 3820	3260	msedge.exe	119
PID 3260 wrote to memory of 2404	3260	msedge.exe	120
PID 3260 wrote to memory of 2404	3260	msedge.exe	120
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121
PID 3260 wrote to memory of 1984	3260	msedge.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2960

C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bzzoby54\bzzoby54.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6731.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5516C44D1AA24BC6A12BF2987D37CF62.TMP"
    3⤵
    PID:1840

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe
"C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3500

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2168

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3352

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1408

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffd4e883cb8,0x7ffd4e883cc8,0x7ffd4e883cd8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,12177118187665854255,5365614920579718028,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,12177118187665854255,5365614920579718028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,12177118187665854255,5365614920579718028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12177118187665854255,5365614920579718028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,12177118187665854255,5365614920579718028,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4180

C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4744

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
150174888958ffb259a89c39cf782213

SHA1
e83f048c1404e4880bdfb6cec9b1a28cfbee10c6

SHA256
ed6c3ee2da133e07527ea6e7b6b1bb1336299508acaec2d3806666a7c930158e

SHA512
549745fe82e5c399d1ae971f99360775853c4cce370ac7d2e26e3dd1086fbf00e90c061d0b240519ceaab589c5cf074b6c76114bce8b44685dd1cc25667e0286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b52a113648be275e8d07fe65dcd9a782

SHA1
101f06d39879452b4a0116b70bfed42590f2fdb3

SHA256
abe4b390ea86dd1b258769a55bb4b276a9bf5360a0789a28bf3602e4793ab661

SHA512
9e1624c1b2c033891674a21f53585d94112e1a8c60676a9537739d643d1e2ad186d627e84e12f82fac570d85099ae62c7491d002e93d990fabe71ca315037cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
919cc8a02daba8cfe3c8172af8dc71d7

SHA1
e9fb8238cc996d58c1df1a19dd020a8b71bd6e78

SHA256
642bd8d199f029bf545cf3c8126deb61c4501409fa0b3f665560aae5f4e49c87

SHA512
cf459066ff5f27a9d1a7631b46f80fa6bd9cbe3e2a8684d6d348beda49af70ffdf40906c2a9383055521f2b47d6c277c93e87b8af778e91070219a491d878f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-11.222.1408.1.odl

Filesize
706B

MD5
a11b0b9d23339c7944ce6170e5a2725e

SHA1
9ca4cd11089e6b003c0aa14c5317a4f8c9e61937

SHA256
17db159a909146e985982feccabd734eb16f6e875167e6e5069bd4b539d0820f

SHA512
478dda5756211e5c4197ff1f9b0dc003c32a21d6042309a5cb0f292f8d7c2b6fd48fbbd4d3d92fda3b39001e4f30f65f222b6e3a0de84c7ae03318676ea1336a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\15effd96-8b52-4ac8-ac47-4a4d6553b238.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC41E7397\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6731.tmp

Filesize
1KB

MD5
33b614104b1b57c8e1cf9ca6008b69eb

SHA1
41e097c556c648700127b0e3e00b3fb7dd1180db

SHA256
018450633a9577518daa2c987f5ba606c35e9ee4292cf76db51ff4a6e79c3910

SHA512
fd2871b93693cc5b56499c152a9da8a285c5bd117ecbbdc14eae5ab25a708eecfacfc5b7d594b7af72f40d4fd96be0504991cb72ae9cb3c0bb22b3c51167370b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzzoby54\bzzoby54.0.vb

Filesize
78KB

MD5
6b7df8f7f6de0ead73afe1ba2681e275

SHA1
68eb6736165e7f19b842fd6dadfa2c4d2b2d0d28

SHA256
f58eb27726c81a5bf18862c4d23d6a73f46402ed62839bc48663b4f1d4010573

SHA512
8e3f5741327f34f3d44a1cf15d5d351b008f2bc36ddc79fc86298291d82b2ceff2fe0b519f163e4abfbe7165a000bd9875aa9462f886c9ed3774675625bd2cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzzoby54\bzzoby54.cmdline

Filesize
301B

MD5
dd372346888dd94b9dcedd641a8536cb

SHA1
ca4333aef1d209337beda29cb24f2c01fecea033

SHA256
c424c419a0042a4b750a6eeafe18d20d2d9f5b339d2643ee02c9e689c9e86bae

SHA512
ad9483b71541020c015956aa49a8e65d8cae238d0edde67fc03efd8041eaa3a4e46fad58129e5eda02a54dba9eb32ccf6e7421b7f2053d9deea7c9ac261fa922

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5516C44D1AA24BC6A12BF2987D37CF62.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
5a766a4991515011983ceddf7714b70b

SHA1
4eb00ae7fe780fa4fe94cedbf6052983f5fd138b

SHA256
567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52

SHA512
4bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Chat.dll

Filesize
18KB

MD5
59f75c7ffaccf9878a9d39e224a65adf

SHA1
46b0f61a07e85e3b54b728d9d7142ddc73c9d74b

SHA256
aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492

SHA512
80056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Chromium.dll

Filesize
32KB

MD5
edb2f0d0eb08dcd78b3ddf87a847de01

SHA1
cc23d101f917cad3664f8c1fa0788a89e03a669c

SHA256
b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982

SHA512
8f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Clipboard.dll

Filesize
14KB

MD5
831eb0de839fc13de0abab64fe1e06e7

SHA1
53aad63a8b6fc9e35c814c55be9992abc92a1b54

SHA256
e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959

SHA512
2f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\FilesSearcher.dll

Filesize
478KB

MD5
6f8f1621c16ac0976600146d2217e9d2

SHA1
b6aa233b93aae0a17ee8787576bf0fbc05cedde4

SHA256
e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b

SHA512
eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\HBrowser.dll

Filesize
25KB

MD5
f0e921f2f850b7ec094036d20ff9be9b

SHA1
3b2d76d06470580858cc572257491e32d4b021c0

SHA256
75e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c

SHA512
16028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\HRDP.dll

Filesize
1.7MB

MD5
f27b6e8cf5afa8771c679b7a79e11a08

SHA1
6c3fcf45e35aaf6b747f29a06108093c284100da

SHA256
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

SHA512
0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\HVNC.dll

Filesize
58KB

MD5
30eb33588670191b4e74a0a05eecf191

SHA1
08760620ef080bb75c253ba80e97322c187a6b9f

SHA256
3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96

SHA512
820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
065f0830d1e36f8f44702b0f567082e8

SHA1
724c33558fcc8ecd86ee56335e8f6eb5bfeac0db

SHA256
285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4

SHA512
bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\HiddenApps.dll

Filesize
45KB

MD5
ba2141a7aefa1a80e2091bf7c2ca72db

SHA1
9047b546ce9c0ea2c36d24a10eb31516a24a047d

SHA256
6a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea

SHA512
91e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Informations.dll

Filesize
22KB

MD5
67a884eeb9bd025a1ef69c8964b6d86f

SHA1
97e00d3687703b1d7cc0939e45f8232016d009d9

SHA256
cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b

SHA512
52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Keylogger.dll

Filesize
17KB

MD5
246f7916c4f21e98f22cb86587acb334

SHA1
b898523ed4db6612c79aad49fbd74f71ecdbd461

SHA256
acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a

SHA512
1c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Maps.dll

Filesize
15KB

MD5
806c3802bfd7a97db07c99a5c2918198

SHA1
088393a9d96f0491e3e1cf6589f612aa5e1df5f8

SHA256
34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6

SHA512
ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\MessageBox.dll

Filesize
14KB

MD5
7db8b7e15194fa60ffed768b6cf948c2

SHA1
3de1b56cc550411c58cd1ad7ba845f3269559b5c

SHA256
bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29

SHA512
e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Microphone.dll

Filesize
540KB

MD5
9c3d90ccf5d47f6eef83542bd08d5aeb

SHA1
0c0aa80c3411f98e8db7a165e39484e8dae424c7

SHA256
612898afdf9120cfef5843f9b136c66ecc3e0bb6f3d1527d0599a11988b7783c

SHA512
0786f802fbd24d4ab79651298a5ba042c275d7d01c6ac2c9b3ca1e4ee952de7676ec8abf68d226b72696e9480bd4d4615077163efbcda7cff6a5f717736cbdfe

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Ngrok-Installer.dll

Filesize
400KB

MD5
3e19341a940638536b4a7891d5b2b777

SHA1
ca6f5b28e2e54f3f86fd9f45a792a868c82e35b5

SHA256
b574aabf02a65aa3b6f7bfff0a574873ce96429d3f708a10f87bc1f6518f14aa

SHA512
06639892ea4a27c8840872b0de450ae1a0dac61e1dcb64523973c629580323b723c0e9074ff2ddf9a67a8a6d45473432ffc4a1736c0ddc74e054ae13b774f3e2

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Options.dll

Filesize
30KB

MD5
97193fc4c016c228ae0535772a01051d

SHA1
f2f6d56d468329b1e9a91a3503376e4a6a4d5541

SHA256
5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

SHA512
9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Pastime.dll

Filesize
17KB

MD5
6430ab4458a703fb97be77d6bea74f5b

SHA1
59786b619243d4e00d82b0a3b7e9deb6c71b283c

SHA256
a46787527ac34cd71d96226ddfc0a06370b61e4ad0267105be2aec8d82e984c1

SHA512
7b6cf7a613671826330e7f8daddc4c7c37b4d191cf4938c1f5b0fb7b467b28a23fb56e412dc82192595cfa9d5b552668ef0aaa938c8ae166029a610b246d3ecc

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Performance.dll

Filesize
16KB

MD5
1841c479da7efd24521579053efcf440

SHA1
0aacfd06c7223b988584a381cb10d6c3f462fc6a

SHA256
043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735

SHA512
3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\ProcessManager.dll

Filesize
19KB

MD5
3d4ec14005a25a4cb05b1aa679cf22bf

SHA1
6f4a827d94ad020bc23fbd04b7d8ca2995267094

SHA256
7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e

SHA512
0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Programs.dll

Filesize
13KB

MD5
a6734a047b0b57055807a4f33a80d4dd

SHA1
0b3a78b2362b0fd3817770fdc6dd070e3305615c

SHA256
953a8276faa4a18685d09cd9187ed3e409e3cccd7daf34b6097f1eb8d96125a4

SHA512
7292eab25f0e340e78063f32961eff16bb51895ad46cfd09933c0c30e3315129945d111a877a191fc261ad690ad6b02e1f2cabc4ff2fdac962ee272b41dd6dfa

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Ransomware.dll

Filesize
20KB

MD5
ccc9ea43ead4aa754b91e2039fe0ac1c

SHA1
f382635559045ac1aeb1368d74e6b5c6e98e6a48

SHA256
14c2bbccdabb8408395d636b44b99de4b16db2e6bf35181cb71e7be516d83ad9

SHA512
5d05254ba5cd7b1967a84d5b0e6fd23c54766474fb8660a001bf3d21a3f5c8c20fcdb830fb8659a90da96655e6ee818ceefb6afa610cc853b7fba84bb9db4413

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Recovery.dll

Filesize
1.1MB

MD5
776193701a2ed869b5f1b6e71970a0ac

SHA1
2f973458531aaa283cdc835af4e24f5f709cbad1

SHA256
66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303

SHA512
a41f981c861e8d40487a9cd0863f9055165427e10580548e972a47ef47cf3e777aab2df70dc6f464cc3077860e86eda7462e9754f9047a1ecc0ed9721663aeb9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Regedit.dll

Filesize
15KB

MD5
53a2cfe273c311b64cf5eaca62f8c2fd

SHA1
4ec95ec4777a0c5b4acde57a3490e1c139a8f648

SHA256
2f73dc0f3074848575c0408e02079fd32b7497f8816222ae3ce8c63725a62fe6

SHA512
992b37d92157ae70a106a9835de46a4ac156341208cfe7fb0477dc5fc3bc9ddae71b35e2336fc5c181630bac165267b7229f97be436912dfd9526a020d012948

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\RemoteDesktop.dll

Filesize
18KB

MD5
e6367d31cf5d16b1439b86ae6b7b31c3

SHA1
f52f1e73614f2cec66dab6af862bdcb5d4d9cf35

SHA256
cc52384910cee944ddbcc575a8e0177bfa6b16e3032438b207797164d5c94b34

SHA512
8bc78a9b62f4226be146144684dc7fcd085bcf4d3d0558cb662aacc143d1438b7454e8ac70ca83ebeedc2a0fcea38ad8e77a5d926a85254b5a7d420a5605538a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\ReverseProxy.dll

Filesize
16KB

MD5
a22d11379e413cf832b3943ce46f2463

SHA1
99b9552e8a25bff29678aff828901edbc23eaba5

SHA256
8c4efe2c8702141ffa8ff8f55d248dc4220231ae8d12ecea1f22906a9285b32b

SHA512
cc1eccb29135acd35804b44f73447bd8dedc8ea085dee3670cf49120baa905aa7ca512c14a3f4df6aeb5a70347bd214865f9dc8b709a00abbb0c745164d87074

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\RunPE.dll

Filesize
11KB

MD5
224be01635cff2dca827fbdeaddb983c

SHA1
11fa00c5e172c9cd1c81acaef52934f785f91374

SHA256
7adfe849345edd76aa975b0647fed2ccaa5f4a6aaf7d55f488af939c0dbef153

SHA512
1a4915b7b21e8166a6ddb6460c77e02c306a460c08fc7ee574832b0576c827db343eda9533959298819ee443790769328ad580fc67fe4817110b63d49248c736

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\ServiceManager.dll

Filesize
14KB

MD5
2e5f127cb0a69cdd46aa4fd9e603f982

SHA1
994a6ab276c417301ed9208aaaf6719bf9594bc6

SHA256
c552d11db168a4f64db584283a617a6ec51ab6095c20ba4b706c3138beb68a22

SHA512
4455cb3b9d4a9c69abec7180e9a60e16e6be0ae2290f48aa09c5d926370de5512ced4d37b6e6e49515d5f51999211eff6f751c4594db936882fb7f40ee5bf97e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\Shell.dll

Filesize
14KB

MD5
04609b39e656e297db73be0d02c7e35e

SHA1
f8abd484e7703a4d9629b033e8ec39c82eaf4654

SHA256
6c69b4d45638097e31169d94914e4acb6a8cc7f46788ffa4f241e4c1efb213bb

SHA512
11a88d55497fedeeb05b146ebd3135755aeb08c4596e9379eec83501e734aa6ba926d9bbda1c5f50e361836d65ea88d2c018f0b4b4b668c82ff2163730eaaf27

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Plugins\StartupManager.dll

Filesize
188KB

MD5
3d76ef15ab712b93eabd4b68ea0111d5

SHA1
0f309663fae17c4ccae983e1fabb16a1e5f77d9b

SHA256
1802e16379d96021fee05f583633c8091bb669350b7d32064179a8944d45a5a6

SHA512
6c0d0291abb696bee33b6e42392b07028c82bcffc8fb7934ba234f178f011ab14fde38cdccb322c8dba058ae66fc023349de5db1c587d3417709bf263cfd28f3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\XClient.exe

Filesize
32KB

MD5
0eec29afd3874e0f1159a618f78b13b1

SHA1
1855e772f6618f26f46b65bd0f2424467774497b

SHA256
0407eab46a926dae65b720fa506020ba54787a7c711fa43194a0741004e91c25

SHA512
c80d7ed4ccace43a3f1ea9cbcf423785e6e4c1c06ca3017c805bbf2ef6d4ebb7d9c8ebf949f39317ec5028e7894014adf4eaae3588639efc031ab275a668ec93

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/1724-255-0x00000201ED2C0000-0x00000201ED2DE000-memory.dmp

Filesize
120KB

Download
memory/1724-244-0x00000201E83F0000-0x00000201E92D8000-memory.dmp

Filesize
14.9MB

Download
memory/1724-299-0x00000201F7100000-0x00000201F71B2000-memory.dmp

Filesize
712KB

Download
memory/1724-248-0x00007FFD53DF3000-0x00007FFD53DF5000-memory.dmp

Filesize
8KB

Download
memory/1724-249-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/1724-293-0x00000201ECC80000-0x00000201ECD02000-memory.dmp

Filesize
520KB

Download
memory/1724-252-0x00000201F1B20000-0x00000201F1B66000-memory.dmp

Filesize
280KB

Download
memory/1724-254-0x00000201EC5D0000-0x00000201EC5DD000-memory.dmp

Filesize
52KB

Download
memory/1724-630-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/1724-256-0x00000201EC5E0000-0x00000201EC5EB000-memory.dmp

Filesize
44KB

Download
memory/1724-258-0x00000201F74B0000-0x00000201F7618000-memory.dmp

Filesize
1.4MB

Download
memory/1724-295-0x00000201ECC20000-0x00000201ECC4C000-memory.dmp

Filesize
176KB

Download
memory/1724-297-0x00000201F7C00000-0x00000201F7EE2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-253-0x00000201EBCE0000-0x00000201EBCE9000-memory.dmp

Filesize
36KB

Download
memory/1724-247-0x00000201ED3E0000-0x00000201ED5D4000-memory.dmp

Filesize
2.0MB

Download
memory/1724-245-0x00007FFD53DF0000-0x00007FFD548B2000-memory.dmp

Filesize
10.8MB

Download
memory/1724-243-0x00007FFD53DF3000-0x00007FFD53DF5000-memory.dmp

Filesize
8KB

Download
memory/4108-337-0x000000001AF70000-0x000000001AFA6000-memory.dmp

Filesize
216KB

Download
memory/4108-350-0x000000001C620000-0x000000001CB48000-memory.dmp

Filesize
5.2MB

Download
memory/4108-349-0x000000001BE40000-0x000000001BEF0000-memory.dmp

Filesize
704KB

Download
memory/4108-285-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download