xworm | ba02819b258dd8fb8d5a649d45535189d3dd19e15ca12aa2ccc83bc2162ad0c4

Resubmissions

30-12-2024 01:36

241230-b1b28stmdm 10

30-12-2024 01:29

241230-bwbkxatlaq 10

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.rar
Size

30.2MB
MD5

d46700f59429076e678aa91993165c4d
SHA1

86e9e091021d1c87eb32a406261063362fc7aa0f
SHA256

ba02819b258dd8fb8d5a649d45535189d3dd19e15ca12aa2ccc83bc2162ad0c4
SHA512

b265ab5797b350bdee2798784eea56fa5d6ddccbc230ca3d8fb3874748a423a7ac292721a7259e03de1a055ad4bb1f381b32535882a4f52341184ec78baa636b
SSDEEP

786432:AyEdI35cJuWL9qeVCp3K7cLpeEJfi2I7auNJuaaJxyXzmn:AI35crZlVCphFrfi37HPnjmn

Score

10^/10

xworm agilenet rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

a0cFky9ZZ02qICjc

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000000739-245.dat	family_xworm
behavioral1/files/0x0003000000000749-255.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
1300	XWormLoader 5.2 x64.exe
2304	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Loads dropped DLL 3 IoCs

pid	Process
1300	XWormLoader 5.2 x64.exe
2304	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023c7a-191.dat	agile_net
behavioral1/memory/1300-192-0x00000233DD420000-0x00000233DE058000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 50003100000000006b57dc73100049636f6e73003c0009000400efbe9e59bd0b9e59bd0b2e0000009a3b020000000a000000000000000000000000000000eb5e0a01490063006f006e007300000014000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 60003100000000006e571b80100058574f524d567e312e320000460009000400efbe9e59bd0b9e59bd0b2e000000913b020000000a000000000000000000000000000000e6397c00580057006f0072006d002000560035002e00320000001a000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 780031000000000047598b481100557365727300640009000400efbe874f77489e59bc0b2e000000c70500000000010000000000000000003a0000000000060bb30055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000009e59bd0b11004465736b746f7000680009000400efbe47598b489e59bd0b2e00000056e101000000010000000000000000003e0000000000225dd3004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000004759f955100041646d696e003c0009000400efbe47598b489e59bc0b2e0000004ce101000000010000000000000000000000000000006b4a9b00410064006d0069006e00000014000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "2"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	XWormLoader 5.2 x64.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1392	XWormLoader 5.2 x64.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3932	7zFM.exe
Token: 35	3932	7zFM.exe
Token: SeSecurityPrivilege	3932	7zFM.exe
Token: SeDebugPrivilege	1300	XWormLoader 5.2 x64.exe
Token: SeDebugPrivilege	2304	XWormLoader 5.2 x64.exe
Token: SeDebugPrivilege	1392	XWormLoader 5.2 x64.exe
Token: 33	3924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3924	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3932	7zFM.exe
3932	7zFM.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe
1392	XWormLoader 5.2 x64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2188	1392	XWormLoader 5.2 x64.exe	120
PID 1392 wrote to memory of 2188	1392	XWormLoader 5.2 x64.exe	120
PID 2188 wrote to memory of 3060	2188	vbc.exe	121
PID 2188 wrote to memory of 3060	2188	vbc.exe	121

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:796

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hkorlqoi\hkorlqoi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES570F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8DAE33C9F77D490E8B7AFBCCF04F18F2.TMP"
    3⤵
    PID:3060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWormLoader 5.2 x64.exe.log

Filesize
1KB

MD5
601373babf3e5b06dc0bcf79bcb408a2

SHA1
340b409a6774e67dc2d36b7d18f2faf41a315400

SHA256
6cf467dfa053cc07d9f68da0f6452c56a5ce06240c05fbac0ecb4950916eaa02

SHA512
e2bffcb60612017ee60329ca4ba4ae22ec2d97352631d7df5506d36af58561e7480dd54eea84ac23816e08e00a739fe9a17733ea31adfc87b50f249cafa3b335

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC5F49E87\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES570F.tmp

Filesize
1KB

MD5
4ae1afbc9a5e0362779db947a2f667b3

SHA1
a31027f4912cee3dccbce101629bf0744c12eb52

SHA256
a6ecf16aea43a394fbf220cdddce8872fa9cee276b77c53b01ffd186e47123d1

SHA512
f6d7cebaa0e52b61acf4c6ae4877284610683a4cc702208e6afa536a5aee3df2c6d233c9ce1f3974fc7137de934b0cf994ce53a569a8a340f68d9f7b44d2b9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkorlqoi\hkorlqoi.0.vb

Filesize
77KB

MD5
e21f52b42f0f76f56eaec18692dde4ad

SHA1
71b3c86363496a5c09495669268bfce178228cf6

SHA256
35d6b27c2f478ee9adabda816cb029d13137bf257eb167594b9262e6312f8996

SHA512
e2ef100e382acfb4e82385b870f1f5b3c6ba5c7c079ecf019fe333c68772ef96f399f1eb78ff9779da49fc0b37fd0f1fbcc5dea5e7eb75a175017685d8afb295

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkorlqoi\hkorlqoi.cmdline

Filesize
290B

MD5
8613897d0bd2c0dac2b7ea52ad7d7c13

SHA1
4eaf6d58783f04ca941e63f8b2767c201396233d

SHA256
63a6f9a20a586938383597e1c9f8d87781c040e48cde136d630e5b4871d44a3d

SHA512
49a863feda0e674cbeb87bca695c96b8e844332690f7d131d631639d5fcc59dbd4914f701fd0aedbba94803cf6eb37eaa8756b7a676c0413c19098e8c14bc212

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc8DAE33C9F77D490E8B7AFBCCF04F18F2.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
41KB

MD5
f3b06ea75d6a25fbee2bf6c2d47890d5

SHA1
42de87703d35c72a5056949feb913e61db24d408

SHA256
920feb4c6f8216a3f22f2e0cdf180b393b03d85307a56bdb7f52a95b33433318

SHA512
8f797610210edd578fac816aeffae4db55466e71484982a530230723bf8fd9698d5bfccca5d6115f81a47bc13c2182ab16cf161df8199f0f698cfae396de3548

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (1).ico

Filesize
97KB

MD5
4f409511e9f93f175cd18187379e94cb

SHA1
598893866d60cd3a070279cc80fda49ee8c06c9b

SHA256
115f0db669b624d0a7782a7cfaf6e7c17282d88de3a287855dbd6fe0f8551a8f

SHA512
0d1f50243a3959968174aa3fd8f1a163946e9f7e743cbb2c9ef2492073f20da97949bf7d02c229096b97482ff725c08406e2e9aa72c820489535758470cf604f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (10).ico

Filesize
115KB

MD5
ad1740cb3317527aa1acae6e7440311e

SHA1
7a0f8669ed1950db65632b01c489ed4d9aba434e

SHA256
7a97547954aaad629b0563cc78bca75e3339e8408b70da2ed67fa73b4935d878

SHA512
eee7807b78d4dd27b51cee07a6567e0d022180e007e1241266f4c53f1192c389be97332fcd9f0b8fda50627b40b8cf53027872304a68a210f4d754aa0243b0c2

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (11).ico

Filesize
9KB

MD5
1c2cea154deedc5a39daec2f1dadf991

SHA1
6b130d79f314fa9e4015758dea5f331bbe1e8997

SHA256
3b64b79e4092251ebf090164cd2c4815390f34849bbd76fb51085b6a13301b6d

SHA512
dceebc1e6fdfe67afebaef1aff11dd23eda6fae79eb6b222de16edebdfebd8e45de896e501608254fb041824080cb41c81ac972032638407efc6bfeb930bfd00

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (12).ico

Filesize
9KB

MD5
4ea9ab789f5ae96766e3f64c8a4e2480

SHA1
423cb762ce81fab3b2b4c9066fe6ea197d691770

SHA256
84b48ca52dfcd7c74171cf291d2ef1247c3c7591a56b538083834d82857fee50

SHA512
f917059b6f85e4a25909a27cad38b1ef0659161c32df54860226ff3d858127d8da592ea9072ad41d5a9986dd8c04a37e9ad34e2251883a8c2f0933e6aa201414

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (13).ico

Filesize
361KB

MD5
e6fec4185b607e01a938fa405e0a6c6c

SHA1
565e72809586e46700b74931e490e2dc1e7e3db1

SHA256
2e2f17b7dd15007192e7cbbd0019355f8be58068dc5042323123724b99ae4b44

SHA512
13daeb2bf124e573590359f18a1d962157dc635a88319c9ed1a2e8ccad6322fb081579e1e8fbe62ffe55c8286c2bc8acb251d572a4beb00641ad5009a380e513

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (14).ico

Filesize
361KB

MD5
0c24edec606abda7c6570b7dcf439298

SHA1
4478a102892e5eb4bb1da8e9c62d17724965691a

SHA256
8fc693238afc49a8098dac1762bfae891e818bb84749c6eef5f1b0c6c8ffddb2

SHA512
f8de3ffb8f9fe1394b3626ae5616213d4612b43f0635fa9053d74ac6fe536657e796289487f245b8abff74f1de8368c0df8e56bf21f540366ed86a378649ea24

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (16).ico

Filesize
97KB

MD5
14465d8d0f4688a4366c3bf163ba0a17

SHA1
9f1fa68a285db742e4834f7d670cae415ce6b3b6

SHA256
3f3c5ce486e5b9fa88dc60b60916053e8808c69167df1a11287fd3cd6db1ca6e

SHA512
01db4fac75136baf9c162265785877b21fba9c4b8d9dbe4e495191f15aa9c914e3d5baf1c4606041279a7138c7e5c8f4ccf6e64689354fc3fb3fa66ab3b1da2d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (2).ico

Filesize
112KB

MD5
f1463f4e1a6ef6cc6e290d46830d2da1

SHA1
bda0d74a53c3f7aaf0da0f375d0c1b5aca2a7aaf

SHA256
142b529799268a753f5214265c53a26a7a6f8833b31640c90a69a4ff94cee5ec

SHA512
0fa93d009cc2f007d19e6fdda7ebe44c7ed77f30b49a6ef65c319133c0570ab84f2d86e8282b5069d7f2e238547722ac3966d2fa2fae4504133f0001a0387ae2

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (3).ico

Filesize
131KB

MD5
a512719efc9e6ecc5e2375abceb1669a

SHA1
51fae98edfab7cd6b6baac6df5ecbda082eeb1db

SHA256
b2f7fb22cd5b935cf19a2f58f7fef9db99db40772ff4bb331a73c345161c2574

SHA512
e0153dbc8f3fdda8d1a7082bc30a3895d7f4b3bc2982b4b4ece55653d1b4c293eba3ba6d4a0a581f0f7db95ab287d6616ef7bf03af4485904111798bf9d9e625

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (4).ico

Filesize
125KB

MD5
9c053bef57c4a7b575a0726af0e26dae

SHA1
47148d30bc9a6120a1d92617bf1f3e1ba6ca1a2c

SHA256
5bb21d6c04ed64a1368dace8f44aff855860e69f235492a5dc8b642a9ea88e41

SHA512
482d639ba60f57827d8a343f807f4f914289c45643307efaa666b584a085fe01ac7892252f41b7756fde93d215b4f3fed16e608bc45102d320d77239fa93146a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (5).ico

Filesize
100KB

MD5
9dbdd6972e129d31568661a89c81d8f9

SHA1
747399af62062598120214cef29761c367cfd28a

SHA256
45c85bdaaf0e0c30678d8d77e2585871ea6d1298ee0d30037745bacea6338484

SHA512
e52572de3f0d57d24a24d65eca4ff638890ccc9c5aca3f213ff885eda3c40de115849eb64c341f557d601f566ce21f8fc0df25cc4b13aaad5e941449a6b7f87d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (6).ico

Filesize
106KB

MD5
d7c9666d30936e29ce156a2e04807863

SHA1
845e805d55156372232e0110e5dc80380e2cb1e5

SHA256
6ea04cf08751a2f6bb2f0e994258a44d5183b6cdb1471a0ee285659eada045b5

SHA512
3cfd7a41f65c5a0dc23a90c6af358179efb3ae771f50534c3d76c486fe2d432ea3128a46b4b367c4714e86e8c0862a7385bd80662fe6ea82d7048f453570ed56

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (7).ico

Filesize
164KB

MD5
7891c91d1761dc8a8846d362e6e31869

SHA1
0229bb01b7b4a0fca305eb521ec5dfbaa53674ea

SHA256
29d38c75af79aa0554f34cdfecb311f88f8dd02b02facaa299b9700841806ab8

SHA512
ed14614a706da985566853dc13df0d1128a718f39ec9957320813803fe07e59de337d51033970e2f57d9f56da3546c506f5f0f3becfa91ce741576855be14ba7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (8).ico

Filesize
108KB

MD5
af1739a9b1a1bf72e7072ad9551c6eea

SHA1
8da0a34c3a8040c4b7c67d7143c853c71b3d208d

SHA256
a65cbbdc2ca671a9edd7edac0c6737b3b116e357727e003e5fdeff163c6c21ab

SHA512
eeeac307371c38b75e256083c55a3fe4ab096c1c7520a4b7acb40fad3af5a0d6c88aaf85f2c3e418034abee422c2a3ba13731adf7ee6078016da4dd2e989b120

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Icons\icon (9).ico

Filesize
264KB

MD5
3e24e40b41ecc59750c9231d8f8da40b

SHA1
91a701cf25aea2984f75846b6c83865d668ccad6

SHA256
bd1c33a67244801e828035904882ec53bd2ea8a1db9265a06d1aa08cf444ca80

SHA512
fe62edddb62dd4b695f1ef40ffb7a0119d480d1c176f0254acee19a45d6433ef6c308acbe567c721018390626c71f7a0f7bcd195d59d54c19cf019f13c4f7572

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
memory/1300-185-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-192-0x00000233DD420000-0x00000233DE058000-memory.dmp

Filesize
12.2MB

Download
memory/1300-173-0x00007FFCD2A73000-0x00007FFCD2A75000-memory.dmp

Filesize
8KB

Download
memory/1300-174-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

Filesize
128KB

Download
memory/1300-176-0x00000233C3CA0000-0x00000233C3CE2000-memory.dmp

Filesize
264KB

Download
memory/1300-178-0x00000233C3E40000-0x00000233C3E68000-memory.dmp

Filesize
160KB

Download
memory/1300-208-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-206-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-205-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-204-0x00000233DF450000-0x00000233DF644000-memory.dmp

Filesize
2.0MB

Download
memory/1300-202-0x00000233DE860000-0x00000233DF44C000-memory.dmp

Filesize
11.9MB

Download
memory/1300-201-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-193-0x00007FFCD2A70000-0x00007FFCD3531000-memory.dmp

Filesize
10.8MB

Download
memory/1300-180-0x00000233C3E70000-0x00000233C3E76000-memory.dmp

Filesize
24KB

Download
memory/1300-190-0x00000233DC670000-0x00000233DC68A000-memory.dmp

Filesize
104KB

Download
memory/1300-187-0x00000233C3D00000-0x00000233C3D06000-memory.dmp

Filesize
24KB

Download
memory/1300-189-0x00000233DC7A0000-0x00000233DC7DC000-memory.dmp

Filesize
240KB

Download
memory/1300-186-0x00000233C3CF0000-0x00000233C3CF6000-memory.dmp

Filesize
24KB

Download
memory/1300-182-0x00000233DC6D0000-0x00000233DC72E000-memory.dmp

Filesize
376KB

Download
memory/1300-184-0x00000233DC740000-0x00000233DC796000-memory.dmp

Filesize
344KB

Download
memory/1392-240-0x000002257E350000-0x000002257E4B8000-memory.dmp

Filesize
1.4MB

Download
memory/1392-218-0x0000022562440000-0x0000022562446000-memory.dmp

Filesize
24KB

Download
memory/1392-217-0x0000022562430000-0x0000022562436000-memory.dmp

Filesize
24KB

Download
memory/2304-211-0x0000000000ED0000-0x0000000000EF0000-memory.dmp

Filesize
128KB

Download
memory/2304-212-0x0000019CBEBF0000-0x0000019CBEBF6000-memory.dmp

Filesize
24KB

Download
memory/2304-213-0x0000019CD74A0000-0x0000019CD74A6000-memory.dmp

Filesize
24KB

Download