lumma | hxxps://github[.]com/d00mt3l/XWorm-5[.]6

Analysis

max time kernel
271s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/d00mt3l/XWorm-5.6

Score

10^/10

lumma xworm discovery rat stealer trojan

Malware Config

Extracted

Family

lumma

https://pillowbrocccolipe.shop/api

https://communicationgenerwo.shop/api

https://diskretainvigorousiw.shop/api

https://affordcharmcropwo.shop/api

https://dismissalcylinderhostw.shop/api

https://enthusiasimtitleow.shop/api

https://worryfillvolcawoi.shop/api

https://cleartotalfisherwo.shop/api

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

DabfWf982AgYFBlh

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000000072f-328.dat	family_xworm
behavioral1/files/0x0003000000000743-338.dat	family_xworm
behavioral1/memory/1440-340-0x0000000000550000-0x000000000055E000-memory.dmp	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
1440	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
29	camo.githubusercontent.com
30	camo.githubusercontent.com
25	camo.githubusercontent.com
26	camo.githubusercontent.com
27	camo.githubusercontent.com
28	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XwormLoader.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TypedURLs	Xworm V5.6.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133799988472225919"	chrome.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe
4312	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4640	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe
Token: SeShutdownPrivilege	3900	chrome.exe
Token: SeCreatePagefilePrivilege	3900	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
4640	Xworm V5.6.exe
4640	Xworm V5.6.exe
1440	XClient.exe
4640	Xworm V5.6.exe
1440	XClient.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
3900	chrome.exe
4640	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4640	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2556	3900	chrome.exe	82
PID 3900 wrote to memory of 2556	3900	chrome.exe	82
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 3356	3900	chrome.exe	83
PID 3900 wrote to memory of 4380	3900	chrome.exe	84
PID 3900 wrote to memory of 4380	3900	chrome.exe	84
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85
PID 3900 wrote to memory of 2328	3900	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/d00mt3l/XWorm-5.6
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff88959cc40,0x7ff88959cc4c,0x7ff88959cc58
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1856,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4328,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5080,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4716,i,14833654510934271151,1406781088147853919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2436

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XwormLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3088

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gtcd4tsq\gtcd4tsq.cmdline"
  2⤵
  PID:3220
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF406.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc97BEE9602BA042A7BC25B5ACF56E9.TMP"
    3⤵
    PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x4a0
1⤵
PID:4604

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9e186954-c08f-4214-b0b1-8c53acb94651.tmp

Filesize
10KB

MD5
d9bd68555a322d861f74aa9fd85362ba

SHA1
782a617228eec2737387221383d2d01af6a3f8c9

SHA256
34f21fc188aba6638329924c9e228bc82b8bd81188c3a12c47add0525144c110

SHA512
56c52c4bcb33e593d39801ab3a777d5668868b3efe9419cfb62fda52e4a7a33e9c0a9bbb30e790abbdbc7b1d58ce593f9b337929b73fac8da24c46d78156c5dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
59e609247d8d58311e83745904b96864

SHA1
05b60e2c6021efd5a74b3c551b6dda4d53b4b0fa

SHA256
94d0b46f6c9fb958701da082df0d55b6a2ae888bf40c98b84d6b6b2f52300919

SHA512
c7a494c3a95924af11f333071386dbf03c4058f951d0f9f303cbdefd0ef206479e93271a07da22c9257f6913e253c6cec6c6c79378797dbcc4341fa168725d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2407e9f58a03aff683bc627fcce338d0

SHA1
5c9202c3f792df6b69a4c95db43c7eabcf785abb

SHA256
e015465f5384ed09115e77c0c72b5dfc6bccb570cd00d1ebbc5d42825aeec9a7

SHA512
1311355261a967e0e92df369041c6cc18f8f2b9308f9f2cac07593d06ba19585cf4569c36d474952db92133c010a2d6beae16db5909c3d1e9b4ae788bfdd398a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8b9be155057af455d4b6736b1d895ccf

SHA1
34f39d98d2d3881d396b3eeb41585b9dcd0bf462

SHA256
d2bf7acb7f9a86c44f0713d6fa8836a8297d713f04ec0e4519a33a646039cdab

SHA512
84acea827d8b703c1112c66b9a6e05f3a67b2ea94b59376d2d3a14faab26e83beca753b881c777d798f4393e96386fceaf01154c47d0295981a0cbfeece57aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5b0b47f384f3a660ac285807e6a676fc

SHA1
bd878583f3778609164683e15531ccd5eb9fd5e4

SHA256
f104dd06d1c4e565475ba22699c9d3a733d5bcffb4dfb9d7e9d575d59d8f3e0d

SHA512
1b9f6ed1ca671a2c59ab30a331ad8ddcca158b11f19d86c135d4f090a4eec235f7df6665034c5d06fee348dffef9ed4e3464ce1625a0908c629f270251b02865

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d30d17f74e997227e4971b43533100d

SHA1
5ace7d3127b0abb4512e1a848ba968daba523ee9

SHA256
c4a9a02e9d921bf4f9e81cfe50b6a0f3512facbe1fed133c870bbcb53f773ac9

SHA512
e8a128e6948191fc2539d8ec79bcf5d128081cd75e267707908adfcf3904b6dc026b26315a48ea1ac0a4f518dce3eed65c40522c88279d7d3b2c0ced2b3ea9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e05d895662f1faaa280a9f3fb759b2cc

SHA1
e26e833d243c9a4e09b67f816550e23aa0385a54

SHA256
a68b78c430fa22a57d2d159fab5f1373d3e29e1833fe5f7e1bcbd9ab06fe5185

SHA512
ed7e40f620e0700ebad7b4c57f18ba3ba59231faa72fc01a65ebad82e9a273ffdce904a2e5426c0715e504b1c3925ee58a5e3295fd50959dce3b1aa41d4bc4e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
676dca66dc71aa8ff99982a548e29d7a

SHA1
726b6110adb24b4864be5658761e5f7583a3aabe

SHA256
fe6f401ec5f1f4fa1cface9ff081d4d054f75a79ba2aed28cb2683831cbf8cee

SHA512
e92c133fda789d10d9828d7c1323921827626276c115701483a5083e89ceac29cf32f1f13c77bee138c1ae60da4ae0d327c336e89a4ef0b51791fbcce1a82c4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cd24b37360020f17e9215bbef282b5b5

SHA1
afb7a34e0758555aebd830f81c4cc3af236aa268

SHA256
c2d1ea78653946fe858517f5b1e96a706d349feeb0510efba7d754e897123050

SHA512
2278ba87b847f243dafa430da68e38654ea04a14b6e1a14a519ca998b0cddd573ba01ff61c8ccb635d8d628ac0f78ac3f8ce06613c8c2fa49b7ed9bd9682291d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
964eec1854996e7af8cd40433e0554b7

SHA1
6701cb2c3c1f2681af1288984f56b55680243281

SHA256
2776b7449a6660d7ba6e5baae36dd963b3cea9c04583a73c1f4a0dc198119881

SHA512
82cb4b2ce11fe880bfc0da65879d4c0b926ae67b5bdb9ea7a7a7f3ce45b6720d4d8d37c3f366de6da4710eee097c26830c5f935a1ab82af7e4faababaff2e133

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9afd48c30887916c803cc00c7eb27c28

SHA1
b5d62491cbff3c5521efb2a2c764b47673e3cf89

SHA256
73e33dd6d6ca38ad96b1181b814a13896b94b1b28f2b868eb87d609d8a057f18

SHA512
a6177d68f7f9e0eb797a98b06143b96b4efd8156677acec6eedc2888b2d712d688aaa5e83ab04288c3c80dd365c615f3ad737191943b12e1e99e59a2256d4b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20d295eeff4f371658d0e608ab156437

SHA1
bf5c687e74e7c84262fa5092f5b8006299527c21

SHA256
249ddf729bf6460cf8fb0309664e4e81ce7918d645cbd2d7b2b68a45d889cbf7

SHA512
d2c0837b26390f7899e395f55cc875fb8a55a04a422c32f66f600b60a538d2940eaf069a80a44c9c3e9007ecbea0e2b42c19093366601b3096177d9de99011d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0502cf31023c0a33de3a0c807f7edfc2

SHA1
a5222a5c659d652b11201994bf4bfdb4d7e6237e

SHA256
c388305b750d17a95ca7adc326ddb02a1ae563b8f7ebe49dd372d8bf51a3effb

SHA512
81966b7e3249aad0dbae9a9d214b7d2ea93e662ece6e767033234970ac67d8b656596fff01ca29c8e2fcb0f6cab9e94a199e7bc5204cc6db62580560b2a64783

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f2984d3fd77c529825551a55f6a38118

SHA1
92e70c9f11523b98e426cb25e0ecc1e16c1a41ff

SHA256
437d5a4c471909f1096650f7fa7b57a79afa6a6664d74bce164d880091e2e6c4

SHA512
992b069c3d2343829caa5fa3be6d63d0e5a62f01dba579ff0288e4424c6599a5bc7b10bf3d8fcd85cbe03317664c73d1fdc61b99a14153b90f5da0f34fbef55d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7785c435c57f56d797624b99b31da0c1

SHA1
929bf2232861d88f53c0a67d369c28b169664beb

SHA256
40383c312f3c9657a1c297ab2226bede8e689aeab3d3e1b0b2b1dbdff7ecca51

SHA512
5ba9377a9567e731fc28ee301219802b542406a2c597f1e02ecbe4e6da632070ed1f2ede9e89e4cb8cd34607814b5fd2aff25516d8d9518b80e3149713eb00de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ccf3d272873f1ecfeeaabf3a84564476

SHA1
9f52aa8efed7f94871f006c8fd816512d7e21259

SHA256
5b0e1b59b6e84fc45056b2275e5eea875b0613cb66bfc1b118cbc1909ed8821b

SHA512
4968358f1562a3256dfec1c8c30c3ffdeda1c9cb9cb39111e8871724b4e798af634c492dbfc10a7de41388ad6667f38e659c3ac78444507ea5799da68832a1cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
56064cc43eb1b9512b7c2cc61b265356

SHA1
55d6328038349bcd7ff1a09b3ab0b21765f1679d

SHA256
efb9ef372c4d15cc1b8faed6b71770b5271595f204e9580e06c16ed83514fe41

SHA512
f4a9283b11a236dcc79422554629d941cdca3f683ac96bdd9b026dfbd7cb5528c8d7c762b5b3b3b3d976f38750cf372ef829fc95f96cc815fc7e4d1207325762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c643611cba64b4113dbb3e0fefa5a900

SHA1
21f6981228caefaa540c791623ae670845a7613d

SHA256
56363a4760358597e9c5fc7c5bee752da5cd7082a1df3b44881271b33f9910f3

SHA512
0f6aef15b7ae4b160eac614bdeed966294578bb9b3db0394de7bd40445a9934499e94ea51029ef2492f48062c4643df32fb2ba36fbb425294128037d178203a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6b8a85683ee2f3b7b848a392c663cf1b

SHA1
e5b0cdfcfbce9fa35e316e19245008f06ceb78d1

SHA256
aaecd495f0042ba46843178a2b37242db0d8cc7d67f295390e5b9985f4d4639b

SHA512
151d241f13c374ca2a800981a24f0efc7800a9d9c737c61e03ffa10fc80f170ee66045bbf3b23268d7f05f12c042cb6950bc4c437c76d6b52196b3d81f7435ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8dd67e794cc2479a80a8ad18cf3efc2a

SHA1
10f0e71fc1bfd28384d44082a72048c158d4d588

SHA256
49dfd0bbbafe431c9a3a2db73d06ce4c48b56ed16a094d1d7b485c98debb6531

SHA512
bc845a3999744c3b54eb5a02da7084918ea3e5780460918bef9f15a2236436deb14a33f31b0984d0997a2d92b87f1a400efa71d02eb0ff7d3a449d18338b4b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1968c7f0c4a7845abeba28cb40bce89c

SHA1
c041bb716705e85c8d294e8c0c373dd0dde2ffa6

SHA256
6ae73218fb0adf6fd6243b4e7f68ffa6ec767152b8e9e9fed9add0c53d3e4738

SHA512
e0323834b6707f8118d9c34cad3fa2172bab1765375ed64321d0f7f61d7b2c74327e1db43185eae74df572f4e0b9a85c0740e688d9153899ac22f1319b557bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
222a2686364fba754685850d1230206c

SHA1
a5e3f8d6e9468a17edaabac2aae8832378ae61e8

SHA256
16a60ac91c28d4eb1f58454fc16f34812c935e32f8b7de2a2c594ce25d62d7fc

SHA512
28c96bc589ee26c5772bbdbe3f82da27b8b8a92733a6017f93cfae483e246c3236429a94b8f6f14d5b8641724ead6dae1b4126579a3c6f6b7b1fcff9533d4d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF406.tmp

Filesize
1KB

MD5
316225912ac02b59ee2a874775124593

SHA1
6ffbc7777dce2bc40635f36df53705edbe696ce7

SHA256
13ab3aa7e74a7fa08adf60588e752f90903246fe3745c36dd0801db69818f7d3

SHA512
143778990e46fab66c72f9d8f4b5b42bd76c7cc351184a7f4ce06d954d3a03f0836f4c51e1efb5e0ebf34bafa720ee5c482d566463586b15a6b5f86c6a15f0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtcd4tsq\gtcd4tsq.0.vb

Filesize
78KB

MD5
a122e66035f207e313af1f8ee14c1a5b

SHA1
60aab4f47fb1cb16a36c998efdc036c817d87644

SHA256
a043cee8d361ea00234991208179d6cff2e4f69889450e08f01b82dc6d0d0336

SHA512
2e86d89b9f02a80f3579e2e476b7c676b43ee99a8a725edd11c5f74a3ceaac4de25b177e89dd7f34957f8540bf6d1a113bf11c15fffcbe9cd42e3e0b54d6cf37

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtcd4tsq\gtcd4tsq.cmdline

Filesize
322B

MD5
04553e10a3476e087cc8b5a5a79c3acc

SHA1
bc5e1b19158aa500b89cfdf0eba6a0777bd7f00b

SHA256
89c7e5fc7b2234d1afd27099457355d9761e94caee0600a4ed5ee1fc4379b8bd

SHA512
2019e864add2ffd2ff04a028e3d4c1ae21423e8f690682b90518c01e52ac7d3c885047710a3eebc5bbaa0a24bee4f8a38b2ca1df78529945b6422a2da87016d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc97BEE9602BA042A7BC25B5ACF56E9.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main.zip.crdownload

Filesize
25.1MB

MD5
95c1c4a3673071e05814af8b2a138be4

SHA1
4c08b79195e0ff13b63cfb0e815a09dc426ac340

SHA256
7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

SHA512
339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\XClient.exe

Filesize
32KB

MD5
971700e5d32cea89359f82e903e36da9

SHA1
768ab1f757493c47845386f0bfa0419f5cda6f18

SHA256
c879e609b28892a96769d677455dc9853c05c7d8efde01a952efc9b50a8363d6

SHA512
5c76650a23542ec44040e649b119fc8709c47f0038608f8a703f1e1b48c13008a8b87e7953f6e73236d877248b72df7f69a4aeac0fe52ac769fc5d3b4513f824

Download Submit
memory/1440-376-0x000000001C2B0000-0x000000001C2BA000-memory.dmp

Filesize
40KB

Download
memory/1440-365-0x000000001D0F0000-0x000000001D618000-memory.dmp

Filesize
5.2MB

Download
memory/1440-364-0x000000001C2A0000-0x000000001C2AC000-memory.dmp

Filesize
48KB

Download
memory/1440-354-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/1440-340-0x0000000000550000-0x000000000055E000-memory.dmp

Filesize
56KB

Download
memory/3088-210-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3088-208-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3088-211-0x0000000000F40000-0x0000000000F8B000-memory.dmp

Filesize
300KB

Download
memory/3088-209-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3088-202-0x0000000000F40000-0x0000000000F8B000-memory.dmp

Filesize
300KB

Download
memory/3088-207-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/3088-206-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/4640-353-0x000002DA73F10000-0x000002DA73FC2000-memory.dmp

Filesize
712KB

Download
memory/4640-212-0x00007FF874DB3000-0x00007FF874DB5000-memory.dmp

Filesize
8KB

Download
memory/4640-233-0x00007FF874DB3000-0x00007FF874DB5000-memory.dmp

Filesize
8KB

Download
memory/4640-213-0x000002DA4F100000-0x000002DA4FFE8000-memory.dmp

Filesize
14.9MB

Download
memory/4640-323-0x000002DA738D0000-0x000002DA73A38000-memory.dmp

Filesize
1.4MB

Download
memory/4640-352-0x000002DA74100000-0x000002DA743E2000-memory.dmp

Filesize
2.9MB

Download
memory/4640-214-0x000002DA6C900000-0x000002DA6CAF4000-memory.dmp

Filesize
2.0MB

Download
memory/4640-351-0x000002DA6E040000-0x000002DA6E06C000-memory.dmp

Filesize
176KB

Download
memory/4640-350-0x000002DA73CF0000-0x000002DA73D72000-memory.dmp

Filesize
520KB

Download