xworm | hxxps://send[.]exploit[.]in/download/d894d8bdb8497e2c/#L676-jNqTSmdgLe0zZnuAg

Analysis

max time kernel
231s
max time network
233s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://send.exploit.in/download/d894d8bdb8497e2c/#L676-jNqTSmdgLe0zZnuAg

Score

10^/10

xworm discovery evasion execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

QYhLTRjsjemp6OXH

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x001900000002ac89-676.dat	disable_win_def
behavioral1/memory/3060-695-0x0000000002920000-0x000000000292E000-memory.dmp	disable_win_def

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001900000002acfa-564.dat	family_xworm
behavioral1/memory/2004-572-0x00000000003C0000-0x00000000003EA000-memory.dmp	family_xworm
behavioral1/files/0x001900000002ad0b-655.dat	family_xworm
behavioral1/files/0x001d00000002ad15-665.dat	family_xworm
behavioral1/memory/3060-667-0x0000000000670000-0x000000000067E000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	XClient.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
2732	powershell.exe
1464	powershell.exe
4928	powershell.exe
4368	powershell.exe
4016	powershell.exe
4172	powershell.exe
2700	powershell.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002acef-558.dat	net_reactor
behavioral1/files/0x001900000002acfa-564.dat	net_reactor
behavioral1/memory/2004-572-0x00000000003C0000-0x00000000003EA000-memory.dmp	net_reactor

Executes dropped EXE 7 IoCs

pid	Process
2500	XwormLoader.exe
2004	svchost.exe
3320	Xworm V5.6.exe
3512	svchost.exe
4636	svchost.exe
3060	XClient.exe
2212	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4256	timeout.exe
5052	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Xworm V5.6.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWormV5.6.rar:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe
2408	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2004	svchost.exe
2212	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4556	msedge.exe
4556	msedge.exe
3740	msedge.exe
3740	msedge.exe
3012	msedge.exe
3012	msedge.exe
480	identity_helper.exe
480	identity_helper.exe
1616	msedge.exe
1616	msedge.exe
4368	powershell.exe
4368	powershell.exe
4016	powershell.exe
4016	powershell.exe
4172	powershell.exe
4172	powershell.exe
2700	powershell.exe
2700	powershell.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
2004	svchost.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe
3320	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3320	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeRestorePrivilege	4236	7zG.exe
Token: 35	4236	7zG.exe
Token: SeSecurityPrivilege	4236	7zG.exe
Token: SeSecurityPrivilege	4236	7zG.exe
Token: SeDebugPrivilege	2500	XwormLoader.exe
Token: SeDebugPrivilege	2004	svchost.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3512	svchost.exe
Token: 33	3284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3284	AUDIODG.EXE
Token: SeDebugPrivilege	4636	svchost.exe
Token: SeDebugPrivilege	3060	XClient.exe
Token: SeDebugPrivilege	2212	svchost.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
4236	7zG.exe
3320	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3740	msedge.exe
3320	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4776	OpenWith.exe
4776	OpenWith.exe
4776	OpenWith.exe
2004	svchost.exe
3320	Xworm V5.6.exe
2460	vbc.exe
2212	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 5068	3740	msedge.exe	79
PID 3740 wrote to memory of 5068	3740	msedge.exe	79
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4436	3740	msedge.exe	80
PID 3740 wrote to memory of 4556	3740	msedge.exe	81
PID 3740 wrote to memory of 4556	3740	msedge.exe	81
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82
PID 3740 wrote to memory of 4444	3740	msedge.exe	82

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system	XClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	XClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://send.exploit.in/download/d894d8bdb8497e2c/#L676-jNqTSmdgLe0zZnuAg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdd9393cb8,0x7ffdd9393cc8,0x7ffdd9393cd8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,1211491128882901057,13306280333883328009,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\xworm\" -spe -an -ai#7zMap9103:70:7zEvent31011
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4236

C:\Users\Admin\Downloads\xworm\XWorm V5.6\XwormLoader.exe
"C:\Users\Admin\Downloads\xworm\XWorm V5.6\XwormLoader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2500
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2408
- C:\Users\Admin\Downloads\xworm\XWorm V5.6\Xworm V5.6.exe
  "C:\Users\Admin\Downloads\xworm\XWorm V5.6\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3320
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xuqcchj\4xuqcchj.cmdline"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF88F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc99ACB6AF3AAB4BFB92C8C7E725EE17DF.TMP"
      4⤵
      PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE2CA.tmp.bat""
  2⤵
  PID:3468
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4256

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000047C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CD7.tmp.bat""
  2⤵
  PID:3736
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:5052

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
0db38e8757faf31e71a069d249481751

SHA1
da20a769e5b15a79f2b32ab89c1f9431642bab8b

SHA256
c0d0ab7b4a30826ab691ca44568702df4f5c7228e0440d8d78cbbb2c5316e89c

SHA512
0b0b728db486fe079abd88389620dc79e5504069782688a84d00f582fa12258178d316d42ad8f75b8559080a2879e23319335c153cc60ea409991bccabde1b34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
183B

MD5
f70a70c8adce6dae01db7c8afb3c1280

SHA1
5a8e5859069be43ab5c99fad187a4ad91e2c0c71

SHA256
b84c9d7a1f4af35d51d893f5cc89d3a794cb7432c5449b3d3c29e23710079b05

SHA512
ca9e908a6d902b5f578dd2f661bebdf38ee336205e2e021dd52070123ac44f8e5d0b9ec89f0644dfc2042f97f42f1e83bf0263fc5392c16f9f6a579744dd3d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b45b83461c1d82455101dd859438916

SHA1
53a2229d05677d1d273cbb327c4891e3d9b9aa0d

SHA256
29108c370973e226da5511c8f5bdc04da0a6c12d5ab16211723f348572ddf61f

SHA512
06f49a917d5a99bf9eb401a4459b1053d9e7a4a2764d7a3908420e6527653334dc20e37c6ff005138b9254699ccb2f53f0b6df7916e9329fd215ca582f1e3eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
506e1158240f6a051828f0f7a1d971ae

SHA1
cdd7408c521a9ca84a0ae6ef6ecc05ddd1e72b9b

SHA256
a18383e8a90d6e5063299b9553b7764ceb1808bae4efa2aa54fb76baf08a7696

SHA512
56bb78cd8929e2013bb8bc0cd5f580febf37d0fd92dbef49169fd3b208952a82ff2c35e86eb113f09764f0df38563b048a44f45d1ffe0f2b9ffa73d6c6f892f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
31f6e08f87a3fa4143a43174c9a5e4e3

SHA1
9451c718641ae5069a7f2f4b1f1072845ac0aae3

SHA256
460e68f6bf08ccf3e80c334e034cdd10b98b537f588dc6fff7b8418a1ac4afa0

SHA512
a4ddf6817fc19826150bfc44f9734eec67ac97ba24713ae8253b9b082a1ebcc8933db867cf82bd8ec556e1a06fb78f5535d618cf928c168771321cabb36eacb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\12b13415-56d4-4e04-b2ea-221511c429cd\index-dir\the-real-index

Filesize
168B

MD5
81a43c1fa2bf0f77dab8cd13e0bbd194

SHA1
c35cf7506ea6b49722337df3435a78ea8efc045a

SHA256
d4043c3c98dfac61d437420e30728dad4d81af87ec924f468388202cf289a6e4

SHA512
52531f2714b45f838d636514c9f44bfcd523901bf5836ad0b2a9a78ce8fbc48f3e61e5b7366d1c5cdd394f4c9b7c030cc42a6bbed4a1600731722211fe294ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\12b13415-56d4-4e04-b2ea-221511c429cd\index-dir\the-real-index~RFe582a09.TMP

Filesize
48B

MD5
19e4f5826826fe838bc04181f75bc845

SHA1
2593d0c0220546c8095e72ee4f6b360478fe1567

SHA256
00702a5229d138f48c1db3dd0ccf569580177c33508f9aee5dc93d26e74a8ce4

SHA512
7b1626a0cdda6cbdd0b2be1f4309ac6352429fe35746f57c2fcf890e0859e123e75bd00f2da03dc125e959e0145278e12034ce446292dd0a55f849e265fff77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\index.txt

Filesize
87B

MD5
51d10964beb40afc5a84de0e67e53000

SHA1
efb23f4ebea2c9c045371e4f93e29063e56720e1

SHA256
859b5a228768874113de3e241cb99cdf7f1905659a954dfcb6e5531562ca4054

SHA512
2adc81e72b0f333aa31c7403a88d7b03ba8c5a2e0d21dec8cb269682b49a2a72991b76ec16ede2390e73a971b573d7009ccbc21a7456bb4e28d63f617c498eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\index.txt

Filesize
82B

MD5
f4966f3666035209cf5e900819dedf78

SHA1
e78f374203605793f3bca98d6d2093d86fad6dab

SHA256
f79d87f3510bb3998ff4a8e87627170213be8f708eb44ea23bf67d1af0f4f541

SHA512
fa57a4d58e2c3016af848011234d43c7cedf8b40193c77655a69508969209c6bb971b4ddd3d321b16579362e73e5cd2b0fe4fa0e141a179eb35100ea85c502dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d7c29fe6344844e8a3662fc78a19f5f3

SHA1
13c0c410bbca1e6a2b7c9fdaa030735d2917c861

SHA256
8e1c5160c97e3dfdf0e1861be0ca46c033d423a4e8cb0db4f2758c290250bd25

SHA512
ea5739aa4406c8fe3020c99e4dc686fc8ee7e76e80014c09b39f1a51ad46b7ec7f98848b363b60d22f2226499a94ac0cdd3ebbadc039bf590087add39cae0561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5829e9.TMP

Filesize
48B

MD5
731bfe0fec574b65586523986a166993

SHA1
71ecc1f13aa881cf8f14f3c5cfde6def5f07bb47

SHA256
d419e7a9b43b963e0a94e5817ec2299b9e9c5957ad64b133533e817ecf0b466f

SHA512
54d28764122693b34f70aedd9b452dae1b34ae8c69efcdddb890b2a008bdba7466a1407d647f49799a29ae2309abd24e1bfa71cf94e7d2ac87ede1fa1794c1e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
6b85916dfde6376d8c1de90483473945

SHA1
7451ccf537ba7887d4802b17ef23871e203e8410

SHA256
a1b67fd930264ea9bbdb8cc98543e5f6e3de6c899d4628c72fefca2af91b03ed

SHA512
e0e7805532bc9a62ab7bbaa6930c1ccaa86bf5a58a4fcaef7132caaaca586baa134e96010fbf4f90c494e3a5f040adcff7715db5516e7355822956af21d3d9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5823ee.TMP

Filesize
203B

MD5
0b0a013758eb70ebd17ac7907d97dc8e

SHA1
403072e67540a02fc0fad510ea305a2d9088f2c4

SHA256
5f1d406b5fd4b5cf5b32e1e8c4d2f7d591101de7a6870f9125d838b8657ef1a0

SHA512
326bd2c509f80ddac7e6e6a44be47eff801b69c144c322fedbff0af1daebb79241e1f2513b629075c3e808773286957aecd622325354c4352fc37a9f2ed9e5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f5ca7cffc86a39635cd6414f8cafaed

SHA1
97a07e913683500b216216b649ac794f0ea44113

SHA256
a920722b75e8422f985b38a4a92675db1db279f274fb42c289d0b784e054914d

SHA512
f8a47381cdec85b0d87cb09183f4c4c4615f46e4ed4fe40fc847f09c6f1d3fdc7addc52252f1bb65432919f6095728645722475b4c6a8ec95ac18e2ee0242a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ff74b1f1485b3b3bd9f40bf8fe27b99

SHA1
fd68d1af5ee16020be53bab38e075a1c9abbb996

SHA256
fbfcfdabd9b5248bd7b393de563795e9267cb83797312e8c1f10f805cbbf86af

SHA512
3e7a2e19cc14b63e2a8cefd6582dfe66031acbbe65ba194bf235d9b9f87a9cc72c8e3c570a1b8e4baa2d00267bff85c6c23f67ca00494e57396b1c69d22d41b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
58ab20cff028cb288a8920dfe692292f

SHA1
322aa0a6b058dacf8c5bcd943b8a2083d7c70a9b

SHA256
6f0f7d3cee21e532e037b653ee2188f268bfa478af66454da9170e2e06e79361

SHA512
94f33077e0b81553a76420b541f4eab7bdf97404f046b737b532c3d02604a637c11fdb8f20a807faca2231fae88ce9c3694f511dcafc119d3fa9515b434636c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c74bac17371b0782661cb218b50749d

SHA1
71b9f9556dd3f3d733e1c5c24900a7492ab5073f

SHA256
301cbf8672fe3d672268300b5778fa909de8c1a89dc642ad45bcadfae06a4b47

SHA512
f9eba28fb606e8df39787c6a4a394c194976445e9c844c5dcee10147146019a07d972a1febee9fc4c66ef04094961954be23dff303502a6fa019681d88dea745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a6fd880727c33eecf647ae84676e4e58

SHA1
cfa2fdbebc5a03a72dfc0f459756e8cd6d1c6eee

SHA256
b88e8080b4d143980a9155e91f6172683201682b182d8e334d2055cd67aa8ad1

SHA512
95e8b89089960af8297580df5ca662d51d8f711ec863fd93502921992842ca3e1343f18ba07f4eb8b34bcc942aeffc9928668ad4cc1aa88344995d2f69f56aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xuqcchj\4xuqcchj.0.vb

Filesize
78KB

MD5
e8310f4f812fa4bf33e33b8f2680918c

SHA1
206d85d8556024bec7d66cceae839c5cae83c056

SHA256
e4e3fd533090868b910b5178aac5d23a92563303e4b3a7f6c15056f0d453f258

SHA512
e7cafe40f83dfdf8be4b150265fdf57ce5d04f55a53607cc7c6312fc087f731cb354370e291bf5d24483eced826d7a537a981609dd99f2fa4441cbd7b3e6829e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4xuqcchj\4xuqcchj.cmdline

Filesize
292B

MD5
47b19cd6f6010d15e0123d8431c54536

SHA1
91d2d128d8eea412de2289c3e0e33f9983ad4a27

SHA256
88afdbeac03bb6d63ad5424436c6b014f4e5c556147f90e02f8069dc342b8579

SHA512
2f72d8506986cbf2b10720cbb87b936b68e8722a242742247caf57500c455a569b3f9b4b8668a7480bc5120e28b4e2509f6dfd006988d5c2ac6cc1523d23bac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF88F.tmp

Filesize
1KB

MD5
1655fa33207433a4683766466debd496

SHA1
2d0fd591dfe124cdf9f2fb03a692e92ded75f8c7

SHA256
5e9af69715a51ab174d3b684c9a25b2b21d1cc2d84cf327013ee13c91ec6636c

SHA512
36c44f41d82921b35bd0317544fcbf7b9c47d0a7ac285fb59c4ede2b49cf4bdb41f9931f7d569bdd9500df17c65d732dbb51c2c1a4436ba38f5ed3b2ac11c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1ws52fa.uet.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
144KB

MD5
4b90399888a12fb85ccc3d0190d5a1d3

SHA1
3326c027bac28b9480b0c7f621481a6cc033db4e

SHA256
cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

SHA512
899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2CA.tmp.bat

Filesize
171B

MD5
f6fb00cc55c759dbfd8731c90ac121e5

SHA1
79ad00de0c0c343b6373eb5df8444ba556d81604

SHA256
92f6e86f9693fec0185433f25ee376bc2e3b8dc2bfe42fe5eb7237d14064caf1

SHA512
a94ccd411ed5c3b6854e568f51d79e7383faa29795d89b0a407e871c164cbbd189555a8e7b0b08c0358805913b0d9a50b1fa3ae3f511af537cb22f6d33d111fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc99ACB6AF3AAB4BFB92C8C7E725EE17DF.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
32KB

MD5
d1190c1d7de486d08d0558700fecbb2b

SHA1
b4efb4fb34618567d03ff489d07cf8a46650722f

SHA256
a6b5af7beeffa501a7f8f16b3546f3215371fee8f138faac3c6c2ec72ef8a31f

SHA512
1e4a70b62ed983a262e90a38eec6b7e232e0f54ce9353d39d3f99eff819c12a54e49f08022771ed3a565a09a258986cc3e5b8e9b080184b81539ff7925dd6c33

Download Submit
C:\Users\Admin\Downloads\XWormV5.6.rar

Filesize
22.7MB

MD5
bf2914828889b9f53f5dca3d9bda6f17

SHA1
7155e7938a6474d637a83c692eb60d34a8c6e94b

SHA256
0a10a2d40d0d1af7fe2d6c90e6ec033bebac388c247845459c59a6cb3e1f1350

SHA512
304b612339c0698c4ced92672eb559be4bcdfcdf94c16621430d8822939b970ee9491a7686aa36c3e14527bf0137728c57462e5bbc2107aab32bdce2f929727f

Download Submit
C:\Users\Admin\Downloads\XWormV5.6.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
5a766a4991515011983ceddf7714b70b

SHA1
4eb00ae7fe780fa4fe94cedbf6052983f5fd138b

SHA256
567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52

SHA512
4bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Chat.dll

Filesize
18KB

MD5
59f75c7ffaccf9878a9d39e224a65adf

SHA1
46b0f61a07e85e3b54b728d9d7142ddc73c9d74b

SHA256
aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492

SHA512
80056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Chromium.dll

Filesize
32KB

MD5
edb2f0d0eb08dcd78b3ddf87a847de01

SHA1
cc23d101f917cad3664f8c1fa0788a89e03a669c

SHA256
b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982

SHA512
8f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Clipboard.dll

Filesize
14KB

MD5
831eb0de839fc13de0abab64fe1e06e7

SHA1
53aad63a8b6fc9e35c814c55be9992abc92a1b54

SHA256
e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959

SHA512
2f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\FilesSearcher.dll

Filesize
478KB

MD5
6f8f1621c16ac0976600146d2217e9d2

SHA1
b6aa233b93aae0a17ee8787576bf0fbc05cedde4

SHA256
e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b

SHA512
eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\HBrowser.dll

Filesize
25KB

MD5
f0e921f2f850b7ec094036d20ff9be9b

SHA1
3b2d76d06470580858cc572257491e32d4b021c0

SHA256
75e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c

SHA512
16028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\HRDP.dll

Filesize
1.7MB

MD5
f27b6e8cf5afa8771c679b7a79e11a08

SHA1
6c3fcf45e35aaf6b747f29a06108093c284100da

SHA256
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

SHA512
0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\HVNC.dll

Filesize
58KB

MD5
30eb33588670191b4e74a0a05eecf191

SHA1
08760620ef080bb75c253ba80e97322c187a6b9f

SHA256
3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96

SHA512
820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
065f0830d1e36f8f44702b0f567082e8

SHA1
724c33558fcc8ecd86ee56335e8f6eb5bfeac0db

SHA256
285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4

SHA512
bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\HiddenApps.dll

Filesize
45KB

MD5
ba2141a7aefa1a80e2091bf7c2ca72db

SHA1
9047b546ce9c0ea2c36d24a10eb31516a24a047d

SHA256
6a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea

SHA512
91e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Informations.dll

Filesize
22KB

MD5
67a884eeb9bd025a1ef69c8964b6d86f

SHA1
97e00d3687703b1d7cc0939e45f8232016d009d9

SHA256
cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b

SHA512
52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Keylogger.dll

Filesize
17KB

MD5
246f7916c4f21e98f22cb86587acb334

SHA1
b898523ed4db6612c79aad49fbd74f71ecdbd461

SHA256
acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a

SHA512
1c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Maps.dll

Filesize
15KB

MD5
806c3802bfd7a97db07c99a5c2918198

SHA1
088393a9d96f0491e3e1cf6589f612aa5e1df5f8

SHA256
34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6

SHA512
ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\MessageBox.dll

Filesize
14KB

MD5
7db8b7e15194fa60ffed768b6cf948c2

SHA1
3de1b56cc550411c58cd1ad7ba845f3269559b5c

SHA256
bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29

SHA512
e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Microphone.dll

Filesize
540KB

MD5
9c3d90ccf5d47f6eef83542bd08d5aeb

SHA1
0c0aa80c3411f98e8db7a165e39484e8dae424c7

SHA256
612898afdf9120cfef5843f9b136c66ecc3e0bb6f3d1527d0599a11988b7783c

SHA512
0786f802fbd24d4ab79651298a5ba042c275d7d01c6ac2c9b3ca1e4ee952de7676ec8abf68d226b72696e9480bd4d4615077163efbcda7cff6a5f717736cbdfe

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Ngrok-Installer.dll

Filesize
400KB

MD5
3e19341a940638536b4a7891d5b2b777

SHA1
ca6f5b28e2e54f3f86fd9f45a792a868c82e35b5

SHA256
b574aabf02a65aa3b6f7bfff0a574873ce96429d3f708a10f87bc1f6518f14aa

SHA512
06639892ea4a27c8840872b0de450ae1a0dac61e1dcb64523973c629580323b723c0e9074ff2ddf9a67a8a6d45473432ffc4a1736c0ddc74e054ae13b774f3e2

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Plugins\Options.dll

Filesize
30KB

MD5
97193fc4c016c228ae0535772a01051d

SHA1
f2f6d56d468329b1e9a91a3503376e4a6a4d5541

SHA256
5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

SHA512
9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
db51a102eab752762748a2dec8f7f67a

SHA1
194688ec1511b83063f7b0167ae250764b7591d1

SHA256
93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

SHA512
fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

Download Submit
C:\Users\Admin\Downloads\xworm\XWorm V5.6\XwormLoader.exe

Filesize
7.9MB

MD5
5b757c6d0af650a77ba1bf7edea18b36

SHA1
c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

SHA256
c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

SHA512
93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

Download Submit
memory/2004-572-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2500-584-0x000000001E5A0000-0x000000001EA6E000-memory.dmp

Filesize
4.8MB

Download
memory/2500-559-0x000000001BA20000-0x000000001BAC6000-memory.dmp

Filesize
664KB

Download
memory/3060-695-0x0000000002920000-0x000000000292E000-memory.dmp

Filesize
56KB

Download
memory/3060-667-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/3320-673-0x000001DF80840000-0x000001DF80B22000-memory.dmp

Filesize
2.9MB

Download
memory/3320-648-0x000001DF803E0000-0x000001DF80548000-memory.dmp

Filesize
1.4MB

Download
memory/3320-671-0x000001DF65CF0000-0x000001DF65D1C000-memory.dmp

Filesize
176KB

Download
memory/3320-669-0x000001DF7FFE0000-0x000001DF80062000-memory.dmp

Filesize
520KB

Download
memory/3320-675-0x000001DF80550000-0x000001DF80602000-memory.dmp

Filesize
712KB

Download
memory/3320-634-0x000001DF801E0000-0x000001DF803D4000-memory.dmp

Filesize
2.0MB

Download
memory/3320-589-0x000001DF648E0000-0x000001DF657C8000-memory.dmp

Filesize
14.9MB

Download
memory/4368-590-0x0000025519FD0000-0x0000025519FF2000-memory.dmp

Filesize
136KB

Download