20d451a0dfdbe692e40dd450812ebb94e7b04430acc0de77cecfa4daf1a99e95

Analysis

max time kernel
1396s
max time network
1393s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6 BypChat.zip
Size

24.5MB
MD5

5116c90421cd33a0f65ddb7db5b375a8
SHA1

cc64c23d3499d281ff4157196cb6cf767ce81b16
SHA256

20d451a0dfdbe692e40dd450812ebb94e7b04430acc0de77cecfa4daf1a99e95
SHA512

b9ed3129540e815d24df87a81af4bcd32a27e8585d43059abd073a39ef4349df538ec5b2d61b5705ea167084eb45a16d8edac5fe584eaf40e6a67d3eb7965e11
SSDEEP

393216:LyavqkXFeuBc9Q+FMIZeL859fCGcJ7kj3HHAKbTmbubKXo50Ko+Y2ToxYC:LyxkXDBYQwNZK5kjQKRIo5Ho+0

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	PROCEXP64.EXE

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	procexp64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\USERS\\ADMIN\\DOWNLOADS\\PROCESSEXPLORER\\PROCEXP64.EXE\""	procexp64.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	PROCEXP64.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "\"C:\\USERS\\ADMIN\\DOWNLOADS\\PROCESSEXPLORER\\PROCEXP64.EXE\""	PROCEXP64.EXE

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	PROCEXP64.EXE
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

Executes dropped EXE 5 IoCs

pid	Process
3672	Xworm V5.6.exe
5420	procexp64.exe
920	Xworm V5.6.exe
748	PROCEXP64.EXE
2376	Xworm V5.6.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\E:	PROCEXP64.EXE
File opened (read-only)	\??\H:	PROCEXP64.EXE
File opened (read-only)	\??\L:	PROCEXP64.EXE
File opened (read-only)	\??\U:	PROCEXP64.EXE
File opened (read-only)	\??\V:	PROCEXP64.EXE
File opened (read-only)	\??\X:	PROCEXP64.EXE
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\K:	PROCEXP64.EXE
File opened (read-only)	\??\M:	PROCEXP64.EXE
File opened (read-only)	\??\W:	PROCEXP64.EXE
File opened (read-only)	\??\Z:	PROCEXP64.EXE
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\I:	PROCEXP64.EXE
File opened (read-only)	\??\N:	PROCEXP64.EXE
File opened (read-only)	\??\T:	PROCEXP64.EXE
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\B:	PROCEXP64.EXE
File opened (read-only)	\??\Q:	PROCEXP64.EXE
File opened (read-only)	\??\F:	PROCEXP64.EXE
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\J:	PROCEXP64.EXE
File opened (read-only)	\??\R:	PROCEXP64.EXE
File opened (read-only)	\??\S:	PROCEXP64.EXE
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\A:	PROCEXP64.EXE
File opened (read-only)	\??\P:	PROCEXP64.EXE
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\G:	PROCEXP64.EXE
File opened (read-only)	\??\O:	PROCEXP64.EXE
File opened (read-only)	\??\Y:	PROCEXP64.EXE

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Delete value	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger	PROCEXP64.EXE

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	PROCEXP64.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\Control	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	PROCEXP64.EXE

Checks processor information in registry 2 TTPs 17 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	PROCEXP64.EXE
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PROCEXP64.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	PROCEXP64.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	PROCEXP64.EXE

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776440735794994"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	PROCEXP64.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	PROCEXP64.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	PROCEXP64.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2204	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5024	Taskmgr.exe
5420	procexp64.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
5420	procexp64.exe
748	PROCEXP64.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
4696	chrome.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1388	7zFM.exe
Token: 35	1388	7zFM.exe
Token: SeSecurityPrivilege	1388	7zFM.exe
Token: SeDebugPrivilege	5024	Taskmgr.exe
Token: SeSystemProfilePrivilege	5024	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5024	Taskmgr.exe
Token: 33	1836	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1836	AUDIODG.EXE
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1388	7zFM.exe
1388	7zFM.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
3672	Xworm V5.6.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
3672	Xworm V5.6.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe
5024	Taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5420	procexp64.exe
5420	procexp64.exe
748	PROCEXP64.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 5024	2044	cmd.exe	115
PID 2044 wrote to memory of 5024	2044	cmd.exe	115
PID 4696 wrote to memory of 2604	4696	chrome.exe	133
PID 4696 wrote to memory of 2604	4696	chrome.exe	133
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 2152	4696	chrome.exe	134
PID 4696 wrote to memory of 1620	4696	chrome.exe	135
PID 4696 wrote to memory of 1620	4696	chrome.exe	135
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136
PID 4696 wrote to memory of 2016	4696	chrome.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 BypChat.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1388

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1152

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3672

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeec68cc40,0x7ffeec68cc4c,0x7ffeec68cc58
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2008,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2084,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4896,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4716,i,4397771670226603691,10772955574469607043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffeeba446f8,0x7ffeeba44708,0x7ffeeba44718
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,14620365673018590054,16516839657560923569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:5920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4168

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ProcessExplorer\" -spe -an -ai#7zMap2057:92:7zEvent11243
1⤵
PID:5172

C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe
"C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe"
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
PID:3524
- C:\USERS\ADMIN\DOWNLOADS\PROCESSEXPLORER\PROCEXP64.EXE
  "C:\USERS\ADMIN\DOWNLOADS\PROCESSEXPLORER\PROCEXP64.EXE" taskmgr
  2⤵
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Indicator Removal: Clear Persistence
  - Checks system information in the registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: LoadsDriver
  - Suspicious use of SetWindowsHookEx
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a.bat" "
1⤵
PID:6016
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  PID:5312

C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
PID:2376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
bf68751855ce6ebd88cae6e11d58b95e

SHA1
ef5065093a09b44ff4539ce5d4c721d63b332aa8

SHA256
7e353ac2b731725b8ab9d55c6ceb5d3f8a48e708ff981717766df86c3eb0f0ac

SHA512
c87e771254f43ade0be4c8f89f13907470147ee4ce31e3668cdb7ce70c700acc947d5d0c72e8b31d5fe6ee13f865d3f4929d1be3d29241e19a015f41bc93e7e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
b6102b47f3d2450f02c1167e5b337e9b

SHA1
91a6e5d7b3540556c971bcd6cdf52abd2cffcbfe

SHA256
e0c2d57c8661d444666ae009725ee84cd33a29ac48738277ea37bfd56b3cf8c4

SHA512
62bb67b325b56c41544956928ef0991262df019a470fc5792ba5abb7096e419f7ea3c8326560ffbe2b50ed0612fbc968fdf7564793a4d550b2465b799cbfcedf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

Filesize
727B

MD5
33503b2b7874d7e87766886ea643af5e

SHA1
87845080639f4b0a240f34aa623a57547ce09ca9

SHA256
c600517ad388873e6908180c9eb3413f4cb39ffc79eacae0a4a739d700565b3e

SHA512
f418821c8e205bba8bcad73cda3c302496ee95a4dd8e5e30171fc019cd3ed7da0e1ecbc880632615a3cfbbb71da7730cca8feda1a330c01557c7488e91246c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_10CFC0D4C45D2E76B7EA49C8C22BEDFE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
1dc1121e24814ab2e9102c631f6368e5

SHA1
55f7935319102e893d0df7ba28c35343456300ee

SHA256
8ed09687565336351ef88085dcf6cfc841af12a63433ecc12c2f13a9557c3c59

SHA512
132158f8f2bdf5d66cd4f3fed37405027d4233c79a365027e5d8d0ea20c5d23805bd298358df371b625486282867ba93a3ff5945dddf3ae8d91dd2630e477df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
234fc3545987962ad357debbccd88a22

SHA1
85759b8e94f67cb2c7395dc736b691cdb2024565

SHA256
7ef5818630d181ab05958806b3621ae03e36165aa91b83c9286d781581880aeb

SHA512
dc670f19d638db1c8a34e6cae386a02f2c3ce01c35eeeadb06de7969dda3f4138a90c4974513d77a33a4858ef6211618fc7805285d3e225e66b26dc8707fd69d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_0D0888CE7AC1F2D5AD77780722B1FE14

Filesize
404B

MD5
a94c880c036215bba1cdae01327c5af1

SHA1
48f48945e262b1496373f42d27e9433f66a0cd20

SHA256
abf240cdfa6e2ddd8eea9598ae519186790be3b745f5417e062767feb43e480e

SHA512
57ccef3dd3f3250f7c3473596aeea44c5afe7e0c821aed3d442009c93187f79ba11487b970e079486e41669b0619d8c3365d5a04fd19324c737c75a61003d223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
b3b2245911a0a7b361a6597c148d477c

SHA1
eb7637520732a55177a370e41565b2096a291d8e

SHA256
b7bf853a0fc0a7186ae78b6fafe40c9708649aa06461500a2385708c797bb15d

SHA512
f2245783bcd76f91ca3de45556bb048d205fe250b1d1aec48d7255ef649adcf432e5bdcbea21ee7481b6de207b284464321a3cf931cb262953288e4180454dd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

Filesize
404B

MD5
a46c2fb60e248b86a6c22c5f95f6333d

SHA1
4f6ffbd24ddb408b9ba613cea99315e406116960

SHA256
a6ad736e6fa389bc8e0d2fe57af3f0e3c6c539900b35e50f65e87610faf1618e

SHA512
6350c7b00906f3e8c0b0df2072b74a5ca4290378533fff098072c4e84be64ece8c1ebc87ce123bc00e16646985897a3ee336bac85f3418b0bef0e8fbd7ec6374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
deb86c4df0af4821c9463956b1beafc9

SHA1
81ce525424f0f734a6c8cd415bb78b09071c4d97

SHA256
23fed57eff50b9bca9335a590219b81af4f8ec074415ec85df711d05954c25ee

SHA512
6ac2bfd69fb4d044cae1dae8c5685a6b55dd5948b4460fef2c0291e70050e9d05eee374217d0c4010d99c58742124f2c1d1956c2768e502b1fc2f9bbbbf2c84c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b44349e77e0eab39ac660d2116902beb

SHA1
f6d02a21899d73f8ee33b87e5b8d655d29b0db11

SHA256
6c4aa9b5b710779d2279b5d2516ffcfbeaf5039ba9b8c12e8b5b7d8dd2c869ad

SHA512
b67b2a90e2c068466e4fa0440dbc962d69d9ee1ef1f88052194573534debd31e4c6e3cb139d12f5237975c05cedc946d2a8cad4f79ec9495de6f034e01e11730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
e35523cac604a58a297d19f3b5e9f894

SHA1
39076fab160576bafed26159cd043fcfe48726d7

SHA256
559244281b51f4d0d6a18135ddf22402676c0c8d83c4a8e05a661f71897329af

SHA512
32281655063f1097b6088bd33c074150713dd793537bd6d0e42e7e024863daa08b3e6b5ee2de850225ba21689743c01bcb8abb9787f468117df17a486e6dd251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e498394e9784a543d4e8e4d69f1a444a

SHA1
9e114871a89f8bc7f2eae5d822afefb1c843f16d

SHA256
d753a202c0b9494a0aad82d8294875449ae9df0c05a9dea98ba4a483e18cd7f4

SHA512
d8103333bac0324db49a6409c26832cdb75951a021546ba133005883703280c0db5e465b6c5b88054b321adbf852c3fb35bcae0715a45d2ac582ddf769e12461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
321a397945c671fe2e341acf811c32f5

SHA1
4c5c72b80016d729195e265d3bb634e037e09ff8

SHA256
7c37df3dbeaae3781a910ff5cd16b22376d2b5f6ba2c2c86a552c1a9d29ff33c

SHA512
0f7830027261bfb8d82f20e422b3b30ef60f3617d05c763056981db978cd1f47b18f5eb3a548f9a03893bda3c1528e0d06de6310c689d1ca487869378f0f4fdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1a42f6ae3d46b892325c002a2f262687

SHA1
393274598e5a2883796668ac5af4677e3a04dff3

SHA256
debaa07458f29e8df38e760e22788e10f255eaa6e30f57825e6ef1bd2664d256

SHA512
087808d18b407e5d28ccef1fa06b567d143c1baaf36eede4d122e1262ea40b51a0f1a8f6d11cfb0192c6bccfe9065c7f4a8357420493694e0ad02f21ef154085

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca2a0faf8ea800d6062c7d8e14054193

SHA1
4987382b723e668a843e42c581bc9cb5ad343770

SHA256
81c8573bb73cee91fdf5f8d786d7a9c1a19a8d159e9f32941c0faa080e8c5b98

SHA512
b03144bdf23acbc7c3e77b7030819e8b2ee1bff1be880ed991832f11f90e56f8ca2a5eeabeb9a7f504880a045863568af6381db6eb31d22ebbef8d24fb241d6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d1bf4558d5379b9087579845b95f01d

SHA1
50d1a1497a7cc627dba925658e8ec14bf5c9d201

SHA256
1102252758ecc03ea7923b53ca692d6dd0ce4f7183e4f78fd82817cc6a9c5c04

SHA512
724de197358a42645b3819bbe48e97779f87204bdc388882a698c82684dea711aa9b0e7c99c525886b3e9cf0f2016e6b46a91a8e8844fb70a5ac33b251e2873a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfdef3d70b711e54fec4114c702101b1

SHA1
773279b4b841a571201d5d3222dd567768445b0c

SHA256
eddd5134b02528b11d37e15816e4091d6e12d8fb5706a9e15f69ee76049812ee

SHA512
864c7e2cabc6204d951ad371bdc33370d2fcc50a6366b7d7c4eb77eb730a2de3931758acfe15fff6e7f954d236d8d7b859ad54dfe208f45ab7881877bb7be7b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
5fd9bbd7d68a121dcc9915ff569c4776

SHA1
467c275aa697c674b32bf9bbd15a263dfde61066

SHA256
cda42ef66cd90fe2af58dc75266d0c94ed60c361f018f574ad4c0ce4dac14123

SHA512
d1bffabd81060dea59ec4307afcdfae1e1e54dfebf532525d90f00d4a173ffa919455f061f06920587d42c8b7f405491b6a25998d5f2d0d607f447067437a8b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
d4b1192149d207e0b5c1585c8e777187

SHA1
77401eb547139a1847222b628d9dbe59fad65575

SHA256
16935a276498529c7cf7b0f1af0fece5be5b89d630ecd16381d0a2a5eeb776c7

SHA512
dffdeab595fc3a90f2df8a8f505036c3a63b40577e3a7264e6c69065c694e150fcace6c815a032efe3f09612dbbcdae0bfaaf0293cae5d02aa8fdc38b9c414e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
810837a7610d4bafbf8a8dc51e3a4afd

SHA1
732810235de48cc7c793bbda2f27ee8d0d9d32a1

SHA256
3f712a7d9842d92f2acf71d8512de6581e00fd35a977e04b9994d13d65a2a1e5

SHA512
f6b0a667bad5a016e2f1fb7d0ad584ae0a6d3e001136113d8a1946639662c30b8378c8f12290fea3220dee8b1670bfccbfe55bd500059d2469afb72f041a62b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
1bae8f4b47e0f419edac5b5c81ff251c

SHA1
a1a914ab6cbacf79a813f8769cec765e4d413759

SHA256
b7e4d5aefb137a7ad0984f1d70dc878bae1f8ba93e1ef3336f64a5f67e16d0a5

SHA512
fe86a52b4d817205ce44497c93ada36abe00c3601b31e9830b7d703a80bf1008a26c603a34eb544a6a76d34b38d39872a0d5b426247410e7566173558e30d974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
366KB

MD5
e6940bda64389c1fa2ae8e1727abe131

SHA1
1568647e5acd7835321d847024df3ffdf629e547

SHA256
eef5dd06cf622fb43ea42872bc616d956de98a3335861af84d35dbaf2ab32699

SHA512
91c07e84e5188336464ae9939bfc974d26b0c55d19542527bdcd3e9cac56d8c07655dc921acaa487ed993977a22a0f128dc3c6111273273ff1f637b20bb56fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
93c7c4cde08758b40fe69dd744c8a4e7

SHA1
6175575c3980505f655e86016929255474c82a31

SHA256
a48d96392ef0cb9a4f7690feabea50def5987be83c285031a194f36e26b3e2f4

SHA512
e45c75fa5d0c6093ded1e8a62145f32f0767c1a9dde3a097082883022e65113cf04c604d7e9004cf102d252b0d49b6d2e8372cb973b3cde2092879abb370f316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
84f035e874e69373582bf65c7aad1d96

SHA1
6a16553c4e56519e03b53d3cbc0bdc55548b7690

SHA256
25ec0efcbeeea8446700667fb7c095f35c1d572170eb4f2a4471cd80350236df

SHA512
0fc4f5bd07ab612bfdd2c51b99de2556d3bf135a67c9d4b822db19e5b3ad8da7f014c25df9b119a03a605443c436e8c4702737aa7ed27f0e068f127fa05616b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74023d937ba535e5e55207220099c67b

SHA1
2e8f29603d50d602b0618c2d0b564fbc13e66eec

SHA256
b4e193d8c055dc366695090c750a1d5668d52519262c218775be52276e37d863

SHA512
c27d4dcecf3b18b075682b667aba79e8cab348e97881903b77c2c65528261c3a7cb9992b35bf59ec3901bee438d00208c6a5093190a158507f8c1bc699b11b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e34a5159f4e2072204b1f2675a2d4600

SHA1
0ec951d02b486b829aad190a4307b1d2057a7075

SHA256
60d946ed08b7bf9b79be8ec1768f10eb35c2e5235ec81af01bba3304a65978d4

SHA512
d8844be6d23d986c0529c0c80a0f14c23bbf9dc3ffedd8327c7fcc8fefc3ef92005a1bfee37690805aa616f74be9eedb2ee4bea0047f348da3943b8996e5398c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d948ba50d0be5f089ea9ecb0e02805c0

SHA1
98056011d801596ff6f04647b4deb5790f47bfd6

SHA256
4f818cea78597a7d24ba67363e528b1aa7d14338608e85f31b52377cec6b1694

SHA512
82763d4537ac0bc0f0c2fe79c6f361345f70ce58b86a1425df3d5d1d2a200791f17c3489822ca4ede019674631d79f4e94e23d1349df8582cd7b93f414a99d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
faaec156f0982a193a62e687b9fab521

SHA1
37522a7f8ab0506f23ee973f9056c8fc8962f612

SHA256
dbbd91ae63ebbb583d37f95c27f51fa0d20f469be7b0c647bcc19389455bc100

SHA512
20fddc1508721a3a9928c137dba2a2a92406f47f1fdf32996566a47dd84c5baafa33830c1e09f7e39648e9d38db07d950e6de6c983d792052a55220826678efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5537e08006cb6388ca08f7dc8b95b6af

SHA1
77c9fb383110886b6c173e7f55226bf5b1704b21

SHA256
dbcc645a5928fe77882d7a001ae8c238523eec719ed1d0b4fa2b103120f19ce7

SHA512
ce243699ea2f82269cdeefbe01ccafaee232cd099e577a3fad4021c2376e0a76465efaaae8710f08c121d2b79778cb40589bdc741124b9e71d4830502c9b1658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0313bc9ec528f3bbeeb62e5a82a0b661

SHA1
063990d7f5b384484e20fcabf3b9c82b2d359739

SHA256
664c77bd858b32060f68fffda55515f1e4402c56b96bf6fb3a188a1a80a37588

SHA512
dc6d22873e585a1f244dea897af736248c9f2d4309222eeda5876864944c2a49acd3cb4d83a4a24478d95ec7878c29b751c5fd4955ce989ae573448f3e01c12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
32f99e1c7a5bda45e0e37ca66f07b3d4

SHA1
219eeb5d2f441510cef5f89a3e849ef9f4e289bd

SHA256
2c68224a9faa46daf7fbc9a4d3f9f71808323f0ba527df5b88c67b5ef9a28b76

SHA512
a69716d5e7ce895537d588b2f815459ed426bc8ad1a39daa781f3260f131ede224b1dfe86884935d47d9f143a57bf8ef6cf4fb7330ae86e1d0e4c0a653bfeaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe69eaa7.TMP

Filesize
1KB

MD5
f75ae3348e8c0f1d4c5fb1ea6e1e09ee

SHA1
fa56bfe91a1fdae3aa398ab659b6aedb013a0310

SHA256
d6611cc5d678b847de6929ce2134b6e9dd08281d7df8f86d4fc49f79d1e836be

SHA512
20ea816692ad9176bfd5213f66b92af1b42e250a12ceeece3465de5a88f5e41f3b84ac45f49d328dc062626d665ab689686fcc47eb7cd342e51de5ae7bb25c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d80c3afcb10dc3af53e4072566c03093

SHA1
9dfafb1b0d7749d973c0636376cf38a846591fa5

SHA256
4f7a6dfed14db9a1f77657102d2d180db1f0ad02e07edfc13ffd144a63a238b7

SHA512
db9a14a532f9c214ce1ed442681479ba268cb064af1c11220c90b99413c75f8152e8edb2417bfd7e935fbe78fe7dd94e4d43025917ec8c81abe577d476aa0349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7179db5b75395e60f90e57cc94d2fc1f

SHA1
a6f0c3bb30b0debb27849d73b04c6fd74eff641e

SHA256
5866bcd79ef8ccd57d65342cff106317505ad1a83fd2c6845659cbdb56bc00d6

SHA512
14b37345c31a0a02b433eca5c8c87dd487e2f0205d7d70a1e167b73c9ec226d905011a5d5cc4b2642f088a614c4fec05374f002fa21ae861c60d2e5bbd94a945

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC65385D7\XWorm V5.6 BypChat\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6 BypChat\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.6 BypChat\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\a.bat

Filesize
24B

MD5
61ae0dd1abad69e98ade1f1ca35f565b

SHA1
9b0389195890916def6f2f2317624198798abdf3

SHA256
d30f54b356a331760522f8dc809913a4ea7cd16c00bf67670392689108c6dcb5

SHA512
c7ffe7f92b3d62c0fe9076f66d3759d0ebf001fce0dd942f054f572dd95e5641226bc179b4a39c647a3f5205c2cba95720aad96f84f618beb2363451f811c6fb

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer.zip

Filesize
3.3MB

MD5
6c33b4937c5ed3f19f44cda1a9fe0bfc

SHA1
09ac5309b4d112d7cdb275572c28e3513748ad8c

SHA256
54336cd4f4608903b1f89a43ca88f65c2f209f4512a5201cebd2b38ddc855f24

SHA512
de2d46289164c77e7e5815d011164b48fe3e7394228a4ac2dd97b58a9ec68e306e7d18b18c45913fda9b80fed47607ea7600004e5fdffcda5b1362e71ad68056

Download Submit
C:\Users\Admin\Downloads\ProcessExplorer\procexp64.exe

Filesize
2.3MB

MD5
dfeea73e421c76deb18d5ca0800dccf2

SHA1
0497eba0b24d0f4500faad5ae96dbebab9c64608

SHA256
8158dc0569972c10056f507cf9e72f4946600ce163c4c659a610480585cd4935

SHA512
23ddc9f28314d4cf3b05d88b9e0b6fd69f9804f5e9c3f7703258ff2c5786721061321379fde53e21048d3c7cce1ff71e2872d48dcc580d059397fa0692335630

Download Submit
memory/3672-258-0x000002A615480000-0x000002A616368000-memory.dmp

Filesize
14.9MB

Download
memory/3672-260-0x000002A632EE0000-0x000002A6330D4000-memory.dmp

Filesize
2.0MB

Download
memory/5024-252-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-249-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-250-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-253-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-254-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-248-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-244-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-243-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-242-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5024-251-0x0000022FCC030000-0x0000022FCC031000-memory.dmp

Filesize
4KB

Download
memory/5312-1260-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1259-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1258-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1267-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1266-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1265-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1264-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1263-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download
memory/5312-1262-0x000001D9E3F20000-0x000001D9E3F21000-memory.dmp

Filesize
4KB

Download