Malware Analysis Report

2025-01-03 06:20

Sample ID: 241127-c6v8qszjdq
Target: XWorm V5.6 BypChat.zip
SHA256: 20d451a0dfdbe692e40dd450812ebb94e7b04430acc0de77cecfa4daf1a99e95
Tags: stormkitty xworm evasion rat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 20d451a0dfdbe692e40dd450812ebb94e7b04430acc0de77cecfa4daf1a99e95
Threat Level: Known bad

The file XWorm V5.6 BypChat.zip was found to be: Known bad.

Malicious Activity Summary

Tags: stormkitty xworm evasion rat stealer trojan

Xworm

StormKitty

Contains code to disable Windows Defender

Detect Xworm Payload

Stormkitty family

StormKitty payload

UAC bypass

Xworm family

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-27 02:42

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

Tags: stormkitty

Xworm family

Tags: xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-27 02:41
Reported: 2024-11-27 02:50
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 120s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 BypChat.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 BypChat.zip"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-27 02:41
Reported: 2024-11-27 02:50
Platform: win10v2004-20241007-en
Max time kernel: 281s
Max time network: 256s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 BypChat.zip"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

Tags: stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

Tags: stormkitty

UAC bypass

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Xworm

Tags: trojan rat xworm

Xworm family

Tags: xworm

Disables RegEdit via registry modification

Tags: evasion

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Uses the VBS compiler for execution

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\sc.exe | N/A
N/A | N/A | C:\Windows\System32\sc.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 72003100000000005b597d87100058574f524d567e312e3642590000560009000400efbe7b5907167b5907162e0000004507000000000300000000000000000000000000000000000000580057006f0072006d002000560035002e0036002000420079007000430068006100740000001c000000 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe | N/A

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe | N/A

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 BypChat.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe

"C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2f4

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\juiixu2w\juiixu2w.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BEA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc43FA3854E1BA495DB2D951BD7A0BB8D.TMP"

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe

"C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe"

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" config wuauserv start=auto

C:\Windows\System32\sc.exe

"C:\Windows\System32\sc.exe" start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
N/A | 127.0.0.1:7000 | | tcp
N/A | 127.0.0.1:7000 | | tcp
N/A | 127.0.0.1:7000 | | tcp
N/A | 127.0.0.1:7000 | | tcp
N/A | 127.0.0.1:7000 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE4900A4A9\XWorm V5.6 BypChat\Icons\icon (15).ico

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe.config

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Guna.UI2.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\GeoIP.dat

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Sounds\Intro.wav

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\SimpleObfuscator.dll

C:\Users\Admin\AppData\Local\Temp\juiixu2w\juiixu2w.cmdline

C:\Users\Admin\AppData\Local\Temp\juiixu2w\juiixu2w.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc43FA3854E1BA495DB2D951BD7A0BB8D.TMP

C:\Users\Admin\AppData\Local\Temp\RES6BEA.tmp

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\XClient.exe

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\NAudio.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\GMap.NET.WindowsForms.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\GMap.NET.Core.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Newtonsoft.Json.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\StartupManager.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\ActiveWindows.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Chromium.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\FileManager.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Cmstp-Bypass.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Clipboard.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Chat.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\FilesSearcher.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\HBrowser.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\HiddenApps.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\HRDP.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Ngrok-Installer.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Microphone.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Programs.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Shell.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\ServiceManager.dll

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\RunPE.dll

MD5 224be01635cff2dca827fbdeaddb983c
SHA1 11fa00c5e172c9cd1c81acaef52934f785f91374
SHA256 7adfe849345edd76aa975b0647fed2ccaa5f4a6aaf7d55f488af939c0dbef153
SHA512 1a4915b7b21e8166a6ddb6460c77e02c306a460c08fc7ee574832b0576c827db343eda9533959298819ee443790769328ad580fc67fe4817110b63d49248c736

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\ReverseProxy.dll

MD5 a22d11379e413cf832b3943ce46f2463
SHA1 99b9552e8a25bff29678aff828901edbc23eaba5
SHA256 8c4efe2c8702141ffa8ff8f55d248dc4220231ae8d12ecea1f22906a9285b32b
SHA512 cc1eccb29135acd35804b44f73447bd8dedc8ea085dee3670cf49120baa905aa7ca512c14a3f4df6aeb5a70347bd214865f9dc8b709a00abbb0c745164d87074

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\RemoteDesktop.dll

MD5 e6367d31cf5d16b1439b86ae6b7b31c3
SHA1 f52f1e73614f2cec66dab6af862bdcb5d4d9cf35
SHA256 cc52384910cee944ddbcc575a8e0177bfa6b16e3032438b207797164d5c94b34
SHA512 8bc78a9b62f4226be146144684dc7fcd085bcf4d3d0558cb662aacc143d1438b7454e8ac70ca83ebeedc2a0fcea38ad8e77a5d926a85254b5a7d420a5605538a

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Regedit.dll

MD5 53a2cfe273c311b64cf5eaca62f8c2fd
SHA1 4ec95ec4777a0c5b4acde57a3490e1c139a8f648
SHA256 2f73dc0f3074848575c0408e02079fd32b7497f8816222ae3ce8c63725a62fe6
SHA512 992b37d92157ae70a106a9835de46a4ac156341208cfe7fb0477dc5fc3bc9ddae71b35e2336fc5c181630bac165267b7229f97be436912dfd9526a020d012948

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Recovery.dll

MD5 776193701a2ed869b5f1b6e71970a0ac
SHA1 2f973458531aaa283cdc835af4e24f5f709cbad1
SHA256 66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303
SHA512 a41f981c861e8d40487a9cd0863f9055165427e10580548e972a47ef47cf3e777aab2df70dc6f464cc3077860e86eda7462e9754f9047a1ecc0ed9721663aeb9

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Ransomware.dll

MD5 ccc9ea43ead4aa754b91e2039fe0ac1c
SHA1 f382635559045ac1aeb1368d74e6b5c6e98e6a48
SHA256 14c2bbccdabb8408395d636b44b99de4b16db2e6bf35181cb71e7be516d83ad9
SHA512 5d05254ba5cd7b1967a84d5b0e6fd23c54766474fb8660a001bf3d21a3f5c8c20fcdb830fb8659a90da96655e6ee818ceefb6afa610cc853b7fba84bb9db4413

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\ProcessManager.dll

MD5 3d4ec14005a25a4cb05b1aa679cf22bf
SHA1 6f4a827d94ad020bc23fbd04b7d8ca2995267094
SHA256 7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e
SHA512 0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Performance.dll

MD5 1841c479da7efd24521579053efcf440
SHA1 0aacfd06c7223b988584a381cb10d6c3f462fc6a
SHA256 043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735
SHA512 3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Pastime.dll

MD5 6430ab4458a703fb97be77d6bea74f5b
SHA1 59786b619243d4e00d82b0a3b7e9deb6c71b283c
SHA256 a46787527ac34cd71d96226ddfc0a06370b61e4ad0267105be2aec8d82e984c1
SHA512 7b6cf7a613671826330e7f8daddc4c7c37b4d191cf4938c1f5b0fb7b467b28a23fb56e412dc82192595cfa9d5b552668ef0aaa938c8ae166029a610b246d3ecc

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Options.dll

MD5 97193fc4c016c228ae0535772a01051d
SHA1 f2f6d56d468329b1e9a91a3503376e4a6a4d5541
SHA256 5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78
SHA512 9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\MessageBox.dll

MD5 7db8b7e15194fa60ffed768b6cf948c2
SHA1 3de1b56cc550411c58cd1ad7ba845f3269559b5c
SHA256 bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29
SHA512 e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Maps.dll

MD5 806c3802bfd7a97db07c99a5c2918198
SHA1 088393a9d96f0491e3e1cf6589f612aa5e1df5f8
SHA256 34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6
SHA512 ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Keylogger.dll

MD5 246f7916c4f21e98f22cb86587acb334
SHA1 b898523ed4db6612c79aad49fbd74f71ecdbd461
SHA256 acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a
SHA512 1c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\Informations.dll

MD5 67a884eeb9bd025a1ef69c8964b6d86f
SHA1 97e00d3687703b1d7cc0939e45f8232016d009d9
SHA256 cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b
SHA512 52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\HVNCMemory.dll

MD5 065f0830d1e36f8f44702b0f567082e8
SHA1 724c33558fcc8ecd86ee56335e8f6eb5bfeac0db
SHA256 285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4
SHA512 bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Plugins\HVNC.dll

MD5 30eb33588670191b4e74a0a05eecf191
SHA1 08760620ef080bb75c253ba80e97322c187a6b9f
SHA256 3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96
SHA512 820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

memory/1896-311-0x00000000015C0000-0x00000000015F6000-memory.dmp

memory/1896-313-0x0000000002EE0000-0x0000000002EEE000-memory.dmp

memory/1896-314-0x0000000002EF0000-0x0000000002EFA000-memory.dmp

memory/1896-315-0x000000001DA20000-0x000000001DAD0000-memory.dmp

memory/1896-316-0x000000001E850000-0x000000001ED78000-memory.dmp