Malware Analysis Report

2025-01-03 06:17

Sample ID 241124-tqc6natncm
Target XWorm-5.6-main.zip
SHA256 7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27
Tags
stormkitty xworm lumma discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

Threat Level: Known bad

The file XWorm-5.6-main.zip was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm lumma discovery rat stealer trojan

Lumma Stealer, LummaC

Detect Xworm Payload

Xworm

Xworm family

Contains code to disable Windows Defender

Lumma family

StormKitty payload

Stormkitty family

Uses the VBS compiler for execution

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 16:15

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (46 matching rows, all fields reported as N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 16:15

Reported

2024-11-24 16:18

Platform

win11-20241007-en

Max time kernel

111s

Max time network

100s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Xworm

trojan rat xworm

Xworm family

xworm

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000004759cd66100041646d696e003c0009000400efbe4759d35e785904822e0000002c570200000001000000000000000000000000000000d3451c01410064006d0069006e00000014000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 6a00310000000000ca58d945100058574f524d2d7e312e362d4d00004e0009000400efbe78590582785905822e000000c4aa020000001c00000000000000000000000000000000000000580057006f0072006d002d0035002e0036002d006d00610069006e0000001c000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "4" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5000310000000000ca58d945100049636f6e73003c0009000400efbe78590582785905822e000000d1aa020000001900000000000000000000000000000000000000490063006f006e007300000014000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e003100000000007859058211004465736b746f7000680009000400efbe4759d35e785905822e000000365702000000010000000000000000003e0000000000e9efdb004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "3" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A (24 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe

"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"

C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe

"C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe"

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe

"C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C4F29C8E54A48849DCD75C647E734BE.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sideindexfollowragelrew.pw udp

Files

C:\Users\Admin\AppData\Local\Temp\7zECB0522B7\XWorm-5.6-main\Icons\icon (15).ico

MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

C:\Users\Admin\Desktop\XWorm-5.6-main\XwormLoader.exe

MD5 9c9245810bad661af3d6efec543d34fd
SHA1 93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d
SHA256 f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478
SHA512 90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767

memory/4904-246-0x00000000012F0000-0x000000000133B000-memory.dmp

memory/4904-251-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/4904-254-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/4904-253-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/4904-252-0x00000000011E0000-0x00000000011E1000-memory.dmp

memory/4904-255-0x00000000012F0000-0x000000000133B000-memory.dmp

C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe

MD5 56ccb739926a725e78a7acf9af52c4bb
SHA1 5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

C:\Users\Admin\Desktop\XWorm-5.6-main\Xworm V5.6.exe.config

MD5 66f09a3993dcae94acfe39d45b553f58
SHA1 9d09f8e22d464f7021d7f713269b8169aed98682
SHA256 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512 c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

memory/3224-259-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

memory/3224-260-0x00000246C1BF0000-0x00000246C2AD8000-memory.dmp

C:\Users\Admin\Desktop\XWorm-5.6-main\Guna.UI2.dll

MD5 bcc0fe2b28edd2da651388f84599059b
SHA1 44d7756708aafa08730ca9dbdc01091790940a4f
SHA256 c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA512 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

memory/3224-262-0x00000246DEAF0000-0x00000246DECE4000-memory.dmp

memory/3224-263-0x00007FF9EA4C3000-0x00007FF9EA4C5000-memory.dmp

memory/636-265-0x0000000000900000-0x000000000094B000-memory.dmp

memory/636-270-0x0000000000900000-0x000000000094B000-memory.dmp

C:\Users\Admin\Desktop\XWorm-5.6-main\GeoIP.dat

MD5 8ef41798df108ce9bd41382c9721b1c9
SHA1 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256 bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

C:\Users\Admin\Desktop\XWorm-5.6-main\Sounds\Intro.wav

MD5 ad3b4fae17bcabc254df49f5e76b87a6
SHA1 1683ff029eebaffdc7a4827827da7bb361c8747e
SHA256 e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA512 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (1).ico

MD5 4f409511e9f93f175cd18187379e94cb
SHA1 598893866d60cd3a070279cc80fda49ee8c06c9b
SHA256 115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f
SHA512 0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (8).ico

MD5 af1739a9b1a1bf72e7072ad9551c6eea
SHA1 8da0a34c3a8040c4b7c67d7143c853c71b3d208d
SHA256 a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab
SHA512 eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (2).ico

MD5 f1463f4e1a6ef6cc6e290d46830d2da1
SHA1 bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf
SHA256 142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec
SHA512 0fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (16).ico

MD5 14465d8d0f4688a4366c3bf163ba0a17
SHA1 9f1fa68a285db742e4834f7d670cae415ce6b3b6
SHA256 3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e
SHA512 01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (6).ico

MD5 d7c9666d30936e29ce156a2e04807863
SHA1 845e805d55156372232e0110e5dc80380e2cb1e5
SHA256 6ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5
SHA512 3cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (10).ico

MD5 ad1740cb3317527aa1acae6e7440311e
SHA1 7a0f8669ed1950db65632b01c489ed4d9aba434e
SHA256 7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878
SHA512 eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (12).ico

MD5 4ea9ab789f5ae96766e3f64c8a4e2480
SHA1 423cb762ce81fab3b2b4c9066fe6ea197d691770
SHA256 84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50
SHA512 f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (7).ico

MD5 7891c91d1761dc8a8846d362e6e31869
SHA1 0229bb01b7b4a0fca305eb521ec5dfbaa53674ea
SHA256 29d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8
SHA512 ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (11).ico

MD5 1c2cea154deedc5a39daec2f1dadf991
SHA1 6b130d79f314fa9e4015758dea5f331bbe1e8997
SHA256 3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d
SHA512 dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (3).ico

MD5 a512719efc9e6ecc5e2375abceb1669a
SHA1 51fae98edfab7cd6b6baac6df5ecbda082eeb1db
SHA256 b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574
SHA512 e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (4).ico

MD5 9c053bef57c4a7b575a0726af0e26dae
SHA1 47148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c
SHA256 5bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41
SHA512 482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (5).ico

MD5 9dbdd6972e129d31568661a89c81d8f9
SHA1 747399af62062598120214cef29761c367cfd28a
SHA256 45c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484
SHA512 e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d

C:\Users\Admin\Desktop\XWorm-5.6-main\Icons\icon (9).ico

MD5 3e24e40b41ecc59750c9231d8f8da40b
SHA1 91a701cf25aea2984f75846b6c83865d668ccad6
SHA256 bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80
SHA512 fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572

C:\Users\Admin\Desktop\XWorm-5.6-main\SimpleObfuscator.dll

MD5 9043d712208178c33ba8e942834ce457
SHA1 e0fa5c730bf127a33348f5d2a5673260ae3719d1
SHA256 b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
SHA512 dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

memory/3224-288-0x00000246E67A0000-0x00000246E6908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.cmdline

MD5 1229939cd0957896ec026b6955c8e5e3
SHA1 86ced7fc71a0eda342e156a4593be5827ccaf610
SHA256 a0a649bc263881c0047a8fadc3631dd69f75aba55f485b12064768ad41445c51
SHA512 0bd5057ee8f1a71bcf21b076094ccf215c96b6e46b211da6d039f6ae01f1a7f0156a9dd5e1e919d81e6942317487e9876ee04d906820243bd2c84d2ea0869c3c

C:\Users\Admin\AppData\Local\Temp\vdpjj512\vdpjj512.0.vb

MD5 75bff422eebbd58e95adf79a75b7566c
SHA1 34f96b9e57a8a146fbe22e02b7945ec1be9feb81
SHA256 9782fed5bb9267c1c6f6cc224fc6255a9e8522543d3dc3a94867fe59b67928c6
SHA512 b050fd85974846fbf27ef1990ba0b58cd1cea1833edc1ea2e9bee010fbb83c783a99aa607afdce0a066729fcdfa6074a76a795e0dea4b3631ed8038bfd2361d2

C:\Users\Admin\AppData\Local\Temp\RES14E6.tmp

MD5 8f97a3e3df1e4996b4cd1477d38e4449
SHA1 87cba0d85df2fd1b69494c37b28113ce1251dcbd
SHA256 7f3df48f5c88abb5927fb767f795e41c3e65f254769cbae21e0574611a647b14
SHA512 640743629a382a9a3976dae1a90cf7da216c34b2818747359e5fe8a7bbad81db8b686073aeac09f9737217f83f299b889cbcefe05876713f53d6b0802b5c5175

C:\Users\Admin\AppData\Local\Temp\vbc6C4F29C8E54A48849DCD75C647E734BE.TMP

MD5 d40c58bd46211e4ffcbfbdfac7c2bb69
SHA1 c5cf88224acc284a4e81bd612369f0e39f3ac604
SHA256 01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca
SHA512 48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

C:\Users\Admin\Desktop\XClient.exe

MD5 752c483e93afbf1c176b90c663654971
SHA1 9f321784a6634380d2ada5e43619db1b6c3ee8a9
SHA256 4d0af067c932ebf7375bc9973e613452d0d01002d10aacdc3c82a82ee1ee7303
SHA512 5ac56f452fe4c74015751961f517bffd57e8231bd2d3a2550b9a8770c712dafb1bf7685a83ee425ef2f82dc362bf481d62a7e73252034ab676ca28e7f1296843