stormkitty | ba02819b258dd8fb8d5a649d45535189d3dd19e15ca12aa2ccc83bc2162ad0c4

Resubmissions

03-01-2025 02:42

250103-c7grqsyqer 10

30-12-2024 01:42

241230-b4sjdstneq 10

Analysis

max time kernel
899s
max time network
877s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.rar
Size

30.2MB
MD5

d46700f59429076e678aa91993165c4d
SHA1

86e9e091021d1c87eb32a406261063362fc7aa0f
SHA256

ba02819b258dd8fb8d5a649d45535189d3dd19e15ca12aa2ccc83bc2162ad0c4
SHA512

b265ab5797b350bdee2798784eea56fa5d6ddccbc230ca3d8fb3874748a423a7ac292721a7259e03de1a055ad4bb1f381b32535882a4f52341184ec78baa636b
SSDEEP

786432:AyEdI35cJuWL9qeVCp3K7cLpeEJfi2I7auNJuaaJxyXzmn:AI35crZlVCphFrfi37HPnjmn

Score

10^/10

stormkitty xworm agilenet discovery ransomware rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

HhhrUnHCvzp13wXW

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000023ce7-268.dat	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000000070f-226.dat	family_xworm
behavioral1/files/0x000400000000073b-236.dat	family_xworm
behavioral1/memory/3000-238-0x0000000000B90000-0x0000000000B9E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ced-274.dat	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe
3000	XClient.exe

Loads dropped DLL 4 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0007000000023d01-191.dat	agile_net
behavioral1/memory/4776-192-0x0000028E56360000-0x0000028E56F98000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4920	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 60003100000000006e571b80100058574f524d567e312e320000460009000400efbe235a7c15235a7c152e000000ae3c0200000007000000000000000000000000000000e6397c00580057006f0072006d002000560035002e00320000001a000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1896	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
3000	XClient.exe
4956	msedge.exe
4956	msedge.exe
2440	msedge.exe
2440	msedge.exe
4500	identity_helper.exe
4500	identity_helper.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
4676	chrome.exe
4676	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	5096	7zFM.exe
Token: 35	5096	7zFM.exe
Token: SeSecurityPrivilege	5096	7zFM.exe
Token: SeDebugPrivilege	4776	XWormLoader 5.2 x64.exe
Token: 33	4384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4384	AUDIODG.EXE
Token: SeDebugPrivilege	3000	XClient.exe
Token: 33	2484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2484	AUDIODG.EXE
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5096	7zFM.exe
5096	7zFM.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe
3000	XClient.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
4776	XWormLoader 5.2 x64.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4776	XWormLoader 5.2 x64.exe
3980	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4960	4776	XWormLoader 5.2 x64.exe	101
PID 4776 wrote to memory of 4960	4776	XWormLoader 5.2 x64.exe	101
PID 4960 wrote to memory of 4664	4960	vbc.exe	102
PID 4960 wrote to memory of 4664	4960	vbc.exe	102
PID 3000 wrote to memory of 2440	3000	XClient.exe	109
PID 3000 wrote to memory of 2440	3000	XClient.exe	109
PID 2440 wrote to memory of 2144	2440	msedge.exe	110
PID 2440 wrote to memory of 2144	2440	msedge.exe	110
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 3404	2440	msedge.exe	111
PID 2440 wrote to memory of 4956	2440	msedge.exe	112
PID 2440 wrote to memory of 4956	2440	msedge.exe	112
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113
PID 2440 wrote to memory of 4472	2440	msedge.exe	113

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3140

C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ueq03dpy\ueq03dpy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC668.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc963B4680ECEB4D7A86E0DB581FC6A7D6.TMP"
    3⤵
    PID:4664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc04c046f8,0x7ffc04c04708,0x7ffc04c04718
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
    3⤵
    PID:2360
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
    3⤵
    PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    3⤵
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,5399130112537198400,14596155381217394256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5128 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2953.tmp.bat""
  2⤵
  PID:4832
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbfbcacc40,0x7ffbfbcacc4c,0x7ffbfbcacc58
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3416,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3688,i,10973224292919222676,2205141987510316255,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4280

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1264
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConfirmBackup.xml.ENC
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x64\System.Data.SQLite.DLL

Filesize
1.6MB

MD5
1b1a6d076bbde5e2ac079ef6dbc9d5f8

SHA1
6aa070d07379847f58adcab6b5739fc97b487a28

SHA256
eaadfbcafd981ec51c9c039e3adb4963b5a9d85637e27fd4c8cfca5f07ff8471

SHA512
05b0cb3d343a5706434390fe863e41852019aa27797fe5d1b80d13b8e24e0de0c2cb6e23d15e89a0f427aaeaf04bf0239f90feb95bfc6913ca4dc59007e6659e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
89890d7aec9c6fca0c2e44934c522cac

SHA1
cf4050d80ede12243116672b4ec22288d3767c0c

SHA256
1634a07d34940b1f806d60f47858449700fbc0a3ee76bb25e464c92d47c5d66c

SHA512
792183162fad52b8accb01d2e042a3ee182b61393fb3985ad5174e3ee163a65c4349ebec7dc77f2a425ed3805a572e634ece6aced75e3ae8e0d0c57cd9d385d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ee8939602df6604f875dd8c51ff7013f

SHA1
17427b19e303af9750127b2be65254cfbd4cf11c

SHA256
985c1cd7f30f878e689871f4c63794756ef9d70a6049685ef795f680cabad008

SHA512
b9fbc23f0dabe8d51f70c87413105968398ce95fe22c293c8ff20be6c61488eaa229b9b6db4b7ec6f335e5c0d95b624125225f56ce92ea7ea5a1a5a85dd6597d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8650a875a72aa405110d65a160157f5a

SHA1
0b2f010ce70539e5ec383ce1e43b7dd4b0b82304

SHA256
7754f747ab18aafce4490872384a6b194a7bf764acb9026eee857382d812035f

SHA512
e463743788653d8a087afbc10e4e6e5559b493fb2b5bb8f10987072baef3010cf9e5a211192cda03452457bfaebeb7b4bc2a71a0a6712a312a4683f8da758487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
10cafc760ea1b264b8591fb02eb48930

SHA1
45c7336ccdddad2b511b39cd276539bc0e829684

SHA256
7cdb30d8e5311d3f15fad8326744ad99fd2e114532ead5726a2ae87a17246921

SHA512
8060d118fe0dc8d6b6ead3126ff897e0863f800a8ea6cd0ec4bd36158b254fb1061ac03bc1f222fb4530e235ae0e339026561eb312a4de622353586ed4001e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
20e5316e55d745602e025e96df2fc8b7

SHA1
bf038d476014bd06ba88f2456d12b60eedd2fd58

SHA256
2e025dec17f10e6496309d845d8b119eac557c5a832a65ab80e9f19541f08aa5

SHA512
9a8a739bd6006190669d592fed255f233e3ec44d596683996ef18f20e83bd16fc0c0de501f2a7f4376c328d69c1d708df23eade44bdf2e4208aba9e4363fb277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30c7edac0eb0e02a4cb39743e789771b

SHA1
43caf4f225bc5d2dbc9e277206570ecaf89b564e

SHA256
5f9a4e8bd3b6c65141fdb6b437feca8b1ed1c65836437fb9eb77a7cdb0132835

SHA512
9872a3a95460f4e0384ff6edbad95d7bf381529101509dfe2454ad1387c17f4a678fc1d5e05b707d56f7d4eae421e2b493c3c69ff4527e4f1549f2ff5709424a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
958c60aa1c6858208b192de6601a2709

SHA1
33cb563aa2f082353d27e4f2b6cfad5cda2832a1

SHA256
4ee2fccc7203fa7543371fde75fa55f36afad5fb672f834b6137c55ae957d63d

SHA512
09043c6cc05b8fe54bb9e5b4331511c881c2b0909f10eecf907d1e69a0915a2aaa0397e882b431f67587e1bcae6238fe93c662bef81c94be7e952c1336092e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a14f56cc279abe1d5838a16240125c92

SHA1
1c7a3c4f8f7269ff9aeef0c9d55d0614ebb8e98f

SHA256
6687724e5d812354b607b00ff443d252586407a59bd11136c6b7a6dfeaa21ece

SHA512
5c7b85459e5fa9935d700b08852bc7d335f4a2af8c413d3333d32d95523ed60e537708afc6e7c787675e4a11eb5fcd90058de47691b4a2eec9abb88417a89bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26b32e272566469aa43ee34c24e05a98

SHA1
006a89c373a6fcfb5bbca11e25d1d46c51767a1a

SHA256
df42dbac1d8002dc9deaecca32c8aa92c31027700eff0f70f5043738e665af50

SHA512
cd059e23a34cfee5de0ad5faa8cf6922967b938b6a0c3271db9a2c88fe9522905aaae1ce2c177199b04f9b1113399ffe02faf5579f04ab7535345116e24dd8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71de76a89b812e8bbdc6c812d56e62ab

SHA1
087a5969df116e45f279f73caa00287a7b8ac85b

SHA256
3f4eee0a3f54c92d9b498735c38edd585fb138cb9724229f9487c04b72c25e31

SHA512
d979e2f2974485f94ede788c71d43b7b4d069447f4284ae9818d09df1f560ada1f23aabbd1f8d2afc923cd545d71d0199ffd151accc0153638b8a79759cac40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b6e07123645d60852f3532226db4222a

SHA1
82cacea87238b72df032f27ebe00010bcc297a11

SHA256
e0ace7befd5d9efe8c6def5afd4418a2eb64a9af11fd3bfdc5ccbd3aed60e131

SHA512
2990c72fbae60bf7ea3b2029cc2b866c93d34975a83ea99d551f172ff30681ba68de764ad53ac1445c81cead0ab490002a7dc2297b76fc14b4252b042f115867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7482beea68c98d362dc24828629e83e9

SHA1
efb9aaaaa90d5c3f7f52d9cf503c0b137e7af135

SHA256
2a639f7a12afde3f55243e2d5d1db91d4111731d18a1ba544c0fef52a8705ef1

SHA512
206c52dd60ed2196bfeaf8e1a8e284336e526f95a9424a5bb5b65419ad7f1cb59f35baa73cc7b6f37eac19b723dfead2b82533cc85b74374a803fe79b72cf5d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e7eb4dabea8f0c95ba433a4e687766c0

SHA1
0051a108b6ed84dba31744633779d974cd141963

SHA256
72ddbc332207cfd918d19b878a80ea5809c7fa6fd1f59ed9792221ce13e14fc0

SHA512
4e9ea785f28eaaa9f03776559c15d35ad347517d467f760c93e393ef31f569a74572f18f38f3f6cad3827370e709767e7e41e9c19b936c8385011553bbc14bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8E3AE997\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC668.tmp

Filesize
1KB

MD5
1e4476c5114df18b4117905a5a7e7bd8

SHA1
c3cc9ccbcc77414ac871be31d80e800e2af42d2b

SHA256
78b094915140e295c4ad40ab7ea54506be78589f818d4e1f15ac608bab50ccc8

SHA512
c39298805075dbdf432a28db41a3e29abb51830171ecf80232f4fdfaa871ccec8f6d8495cf40e82da4975b92f958095a427d8f24671dea6c8ecf98afa29c5bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueq03dpy\ueq03dpy.0.vb

Filesize
77KB

MD5
aaf851dd012fe5028bf406917096e695

SHA1
e93179b1aef0e87bc20bce8b42dc7d2ad3f26654

SHA256
94ca0845c07eccc39e709a837f11726be6849346daa3caaea81de7dd396e438f

SHA512
9100edd134a8956837634021be52d9cc6f495eedbf4f4fba9cdcaa843001b13e95eabc87545982fb017e28df0798cba30cbccf5e7c5aa11f40e32f8e2d263eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ueq03dpy\ueq03dpy.cmdline

Filesize
290B

MD5
6aaef245900b6696cf66d38b10c4d8ee

SHA1
6d89169b766e82aea43c999dddae6579c5d2f1d3

SHA256
f7dee164dba5439c849cec5a87700b669bbab437c3c5ca50b15f843173cd8bef

SHA512
c26f7bcbeb34d2a5afc38d183d17caa53e2fc469f6ccf88a627165ed352427efe8a8213214916a31aab4115ac26b02840b9f985eeaf963998fcb19f8bead33fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc963B4680ECEB4D7A86E0DB581FC6A7D6.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
33KB

MD5
6e1b9eefecc44d742b8013885f728325

SHA1
929ba418ef471e87eaa3986d7449b2592df75eb1

SHA256
2d661c58c2b0cedd57ea6c5741fe06d62779388dff52d5db05cee7fd5ba9473f

SHA512
3406ef4225a2ffa379e041968c24740c81326fde636ef3be229949c040d2b811323532cc865beea81b37c0aa08f874946334a7419752cab5c15faa852398f118

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
eea1f284c21e67f9ae71822798793c28

SHA1
ce3187b35a736a3c18f10f449dfcb793c95dca26

SHA256
77ec3eee197d5c4b9ed3d6c059061c52615276360fe11f13f8a6bb6ce429f42b

SHA512
5b3f72d803f250668b9ada77b1a03ecd8662787b8e51c01a4e334503a5f1545ac9dc341804d0d1552e9c35596443e1a610553e3d1ab80aaef6e0f5283384def4

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\All-In-One.dll

Filesize
4.8MB

MD5
f24552f5f604c80ba4cf7afd2143df05

SHA1
98883b7bf9b996c788bb501336e388177b9b19c2

SHA256
e050a91599f3e6a89dc84a4825fdea6c4d66e970472aabf48ff586d79b67898c

SHA512
1edb1f6cc4bdb3b69204fa724b2f8a5205b3251f475ae7cf8cb015220a26e9a976c1baa3c938e8fb9df1470795ff579e21b339b58c79f96af96cfdd17eba6c15

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Chat.dll

Filesize
18KB

MD5
66e4c3a843b1076b96c48cfa0b467bcd

SHA1
2768257ff7ddc6107a576c4b739eeb09689772eb

SHA256
6b5beda1f2423aedaf83f210f8cb719d3f61f9d2cd489690fb0066ff0895ab80

SHA512
7912e5806b169a1da88ebf92842ec410ce3dd8d98578054e77cc4381e90ee174a497ea1f38a54c5c65c8475a7928cfc79ae8dd58b979c18f7133c5c83e145879

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Clipboard.dll

Filesize
14KB

MD5
6ea5b16696c2f2d265c9f864d0c727ba

SHA1
030a0bf757767869428b0a7e11cd40df7a0cfe5a

SHA256
301ab3fe52f974dc5bab98bd127c93d755597fb58a0756539cde7ad4580725b1

SHA512
2426b43886ddf9896d9f27862de08ba9eada25b432c715259b71b000a2b474bcf29ba224ac0f3fad3224ef36b17b250d593f907ce0c18703cc37e152a7321203

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\FileManager.dll

Filesize
679KB

MD5
b9dea988042c4d9878931cac41d61fb8

SHA1
82885bd2d01d27f4ce3741885256d7db418038b7

SHA256
29b44c17c85f05ced52004db716a156fc9e50b52debc8e061e2ea96957cc0d07

SHA512
81192c5b1f2e67787b569218c03e4c274a2184fb0e762afed6e3608995e3e1d1987306f32f64f28bc287fb09746476b4c7c60479fe0a5cefa186e5b208d8bacd

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\FileSeacher.dll

Filesize
478KB

MD5
fe625a7c51e699336f9acc3108437134

SHA1
50099ae8c3679930400261c80ade073157fe4f80

SHA256
68e4e6f42ffdf5ed18f1849e30f83b1baed1cfa57c68f57178bfa875e247c2b7

SHA512
26b9bf3c0b31fe029201c884f7d220b0bfe589d33dd6aa0dfd665c38af07c2352e89859198e0e9b18339c0e6c8f1e9c44358b222106531659aeb0d6f6c6c0c44

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HBrowser.dll

Filesize
25KB

MD5
79f13be3582c42df73033819d093e1f8

SHA1
45c25633bfd0ab3c4f95b7137eb9671b911ea595

SHA256
f38e74a4bee2cf29d710d7c58eb83e548d92604621a8fb076bdc1e79714b9938

SHA512
e6e4331d26f35ac52d3524da0c6cdbb4bb36af54b57c61bce564bfec8663245bc7e5ff192c44a3c731e9ce7b83fdff40f274347a5241f6322833a92df944adb5

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HRDP.dll

Filesize
1.7MB

MD5
4f16882639fc029fc367503eb820c298

SHA1
1e6b1314507e954649604dd9f80b4c45a93d7e89

SHA256
ef238f294111804c44f465d090a1634b6529d1eba85720b2e373d57cd59f75d6

SHA512
1fc02358b8347fac1acf751f7fe9c5d4d17cc35ee3df2052b69fdd518939092b54b8d29ecbf112d53604c087b01728d8961005d3946880df896998526a578ebf

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HVNC.dll

Filesize
58KB

MD5
b5ea6d82ec2d4127124eb9467eb5ce16

SHA1
0a27f08f94a80024854721c73c7715af95581da7

SHA256
ecb1a845bc2e813193e628eea48738f2354eb1ce8902a092118aa48ea2ff4bc7

SHA512
ab459d26ce689d5c7fb533fb754b875896c214e0001ecc6e8b061f7cdaf1aec06400f66f506822775337a42b80f4e1e9ab008a658cfacc873cfa83eaab6f1880

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
14ca9b8f7993924b77078e08ec0d5df5

SHA1
fb2b5717da357f6d13bb1127980c22bada68836a

SHA256
8ab3391fa5880be5991133416bae0d5b76daa2d43c8ff92ff44d6dda23386e57

SHA512
64aac1a872666bce5bb86144a6f96bb6905a2d900d76e8d2d6f1cf8b499baefd35c7fb4d6b5150d5717451c5ad632d677ae6f85737d334a7cebbd9d725c9964f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\HiddenApps.dll

Filesize
45KB

MD5
c5efa70a04a026b9a2fa97b1ea43e840

SHA1
aab2de0ab74c12e04256ff2b113b062dc93179e6

SHA256
f9ef7709f34e944d99ca5bef6af1524d7cf3889894084b7ae61e9202f267a728

SHA512
1348d4ebd3ac5b56eb32820ee14f9aee20a43b7dc3d06dd7fd62c8f227b12a27d0c0376c7d858e78315cd92d17e588bc2e37648c04d146530db706e8b3c4ff1d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Informations.dll

Filesize
22KB

MD5
310ba7a07953ed7f783e89bcff6197e3

SHA1
147aa53e0d7cb027e6c67fa50fcb0dc0c770e157

SHA256
b10616eb3f5e4b0ceffc696179cdb616c78ef970dedbac10845a39985c91a38a

SHA512
554ead0f700dd617eed6055a84ecad288c4779ab20206e7434a8f3443a03a95a501014cd52390eb57570c25ea2bd7a298b96e88e8550d10b2a5db4f9633af529

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Keylogger.dll

Filesize
17KB

MD5
40ba99b80654259d0428c7e4f3645948

SHA1
8fa93e0f035694cd8e420aa2232aca859b3a2a6b

SHA256
3361bb2309e4ee31f14081bc170ac530e2ae9d1336026e736190a0304e2e77e4

SHA512
fc1deb29eea114e5a472102a51d49fa253a5c79821acffa930b30089ebecec4312437d4720b46e92149be2ce69aed57dc3939621a596ed6c413397363fa44ee7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Maps.dll

Filesize
15KB

MD5
b74f037f6c6de44e817660922a3044fc

SHA1
eb5acc30d3f607193bd819e8c0cdaaf70295c5b4

SHA256
ccb32961b904a22c2531313ed7c3733d7288daab181074f034eb4c73a0958a65

SHA512
a547961b87ecdbc0f9bf02381f16e03795dc73eda744a86da2cc07c97d7f1b65642971347d1ca69f36ead63c3b9078b6e0f2ecb4b6f2178a3b9a62f3ffb76579

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\MessageBox.dll

Filesize
15KB

MD5
bde9c12607827e21c64e1d64033043b5

SHA1
d980614dda65f1f4c3a73d1f9c8162e597fcac4e

SHA256
2170fe155b56e362500ece32013bbf8d45d5dc93e689ab33d3612066c7450f75

SHA512
e015d9b915b748d1683c18621919161f9d495221c9bf788b661e3eeab60320ee0b0d9d64a393fafa47b521b484f0af2c9948f6dac0a9b7ef1e8910571e7e98eb

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Microphone.dll

Filesize
540KB

MD5
747554e4ca902a8d18b797c2edcb43ed

SHA1
508d7c9f0b031a352a1a1f25d4c6abf4167392d5

SHA256
1f135bc57ea4f44bf8a37d66b42788bed5aba753c5cbd0b4d3349ede64abfc59

SHA512
deb3f480dc7febb1d9ff4ccdb1dd04d83e9fbe7e74fb0dd39d103dbe85fa0c434407ab032e9bca027e38a0f482d08308513cd821b09dc08aafafd905e97126fd

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Ngrok-Disk.dll

Filesize
7.0MB

MD5
4443f2173682ef836df2f89e1b44296e

SHA1
1b0db6530eb5c5404af614143f464d663382c2e4

SHA256
01e170bc479dc22cec4658a39067e001a72a974a4e562aca01162f82decd20b6

SHA512
7bb8df753fc3636d3b01f2145c1df553b34a427a9e07d4c563a1fb2e23480ba2d609658d6ca2c4deaa386feff8af741397a3cbdb15c28157c4cf4ba8244fb61f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Options.dll

Filesize
30KB

MD5
b0ebfc762fd2a7511e819336524551ea

SHA1
b3657c8edc6b9231d16b49bec11f01983d965495

SHA256
bf2978e31b7a1612255ff79217481374ea2ae976c2b8c270ec3eb5324251d8d7

SHA512
2adfff3089ac551ba057f2b4b2d208255a4558abb2761b39fd9cc10f37313386fdc1307fffb80777e0a1b6c1d1dbabf61b26cbff8592e77f982453679145822d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Pastime.dll

Filesize
17KB

MD5
178627a4b30c54d20e5a59049b5af211

SHA1
5ae226eb92df19cb693764509b953bf1dbfeffcd

SHA256
c3ffa5aedbfe2c83e68d7b70afd1adb590801da429c3a5d4fd6da18116ab0cc9

SHA512
75e9684378f5155f228a75c03cb517257e7e04cddf9762e7e5b348f7b30482a9c750cb0285e28279dc9ef740c3ce759e4ebfb4e3efddd094daab7eb3bdf713c8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Performance.dll

Filesize
16KB

MD5
d447b98bf277020e48a04d2771b190ba

SHA1
a9b312d1d858e06156eecab2cd97d246a37822e8

SHA256
57af9bb212361e2dbfe97a784beb2f978426b42f9ea0986f74c8fbfebb630f13

SHA512
8c58bf90c5433005d7e3c8a871171dd5fbc558947d5ce387351fa7625ed6bf2a6b72afa91f8d3c7243c5e950467855838f27b6356266074321204347cded15a1

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ProcessManager.dll

Filesize
17KB

MD5
12630688eb6538b34e5a392cde76ec09

SHA1
add2c24ef79657f47693995b1ddb2c760520670a

SHA256
8dbffc8d2928cc2fe3dc67b071619419bd4e21506bf8d8b66bbdef54101953d3

SHA512
24da487f34fbad245f64f86b88db8c61041e80956c2befe859903ece46905ded09e90e08f2d148316947dde8a4990bd1c944ad36a96930b197769dab025689e0

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Programs.dll

Filesize
13KB

MD5
c730d22a23fb8ec58f51116e54ac4cc4

SHA1
45c4b19479d6e58736630db5405dd58450a601dc

SHA256
4bfe2b70271956dbcf08086ff04bc36a23928d974469ffeaca97ed5ad5b6dcfb

SHA512
da5d553e1e470958db4565699f0d2a58c9ab8a653b34003fd33758ed85f1a4f3c027064fcd0c24dae3ba88f7adc22f9b45ff55c22e2b29cbc0cf8f0b7293f7db

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Ransomware.dll

Filesize
20KB

MD5
e55dfe70871fb442f8b8eea790875a7c

SHA1
0f659147ad89de0dadca9d74abb0854ec64ae403

SHA256
b0ccb9a2bef7fd24d7f31bb70a8516129a099b47d2564f9f18cb0d87144fc5da

SHA512
daf5fc4a89d841a04b2b6fd8e516d7efa3baa08710af6ff85c57771d99a2ee07da4c2482baed9ecdae54e3eca2d840341ee3371a826cf26fb180dfba864e63a8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Recovery.dll

Filesize
1.1MB

MD5
be590ee7d8c0366cc28c200308ba0823

SHA1
0fa6c6ca44893c45f115e446566f0d4dcf5168d6

SHA256
a81e4efc2c85a4f8fed46b9b0f3bd3c2a750a3047ae7ce5b29f21df52d85dfbb

SHA512
cbbb4c62d703bf8dd0e0e34b438401710c1bd62c82f71060483f4a84dfaa802a9b0d39b904d6f77cf4ef0b630f173f66f349497d53a6039c640e0f4301e26041

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Regedit.dll

Filesize
15KB

MD5
d92b2e7472ec9cb8b803bc039558c828

SHA1
0ca9e950b5ef64e3cdd23a31a2b51ad2b82581de

SHA256
1989885e6f4f459b4ef37ab11e97ffe8c1598a8189eb3a4110f259357af2414f

SHA512
ef4ded6ae8349a58a0745aa55ad96530d028f8137437124b02a80b332e2801447dde2e6e908e48151ee7102868676ef435fe5ecf0ebd980f497435e58e599171

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\RemoteDesktop.dll

Filesize
18KB

MD5
f4e00005c72b4331eb0e9243346d3e1d

SHA1
f8afb37fc362430b4045cd2f22e5a5cdaca43ace

SHA256
9bcf8dfc92bc643b9414a446da4632050de1b7577fedf4f7711d3b4b3d46e06d

SHA512
7e9be2c2a247a7ee067b156062098a2494113ca935c83a6c8723ee2fe3b7ae15ce5addac5630b8aaba9b12d52896127609f8d7974bb622b79d9a8dddd6c7a155

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ReverseProxy.dll

Filesize
16KB

MD5
a4bd2edda7e214bc50ec559c15cf81c1

SHA1
1f268ba761ef9dd38d74d3eead9289a2a35d21a4

SHA256
9fd3621ffec11e0ad254b37ce4fe527f82461b67cc8d8827532d3573a011e2e3

SHA512
b3d8857b0fc31c5fafc8552e54c34b2e463f5dba2d167ecf41e5c22aca8a36ea352a4aa1baac73278c409f975e4c68ecc55e0c085280c62151e7898b59a4bbff

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\RunPE.dll

Filesize
11KB

MD5
e8f0b68716a0bc4459601623c5c3c757

SHA1
261e11edb2ec5b14d8feaf80d6a8e966da1817f8

SHA256
0f075f2dd5a41d601329c4bff57ff38302e1da2ad149399f7f2776e640063502

SHA512
5539be32acecb59e43eb35ef9971b82764ed6bb5cc50b02ca0921ec30ccbb4d49a743262350ec9860bc669000e6511d3b3dcba0a37a5360f3f6ff4af2bc420bf

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\ServiceManager.dll

Filesize
14KB

MD5
539b869c8fde6159f832e9b851bab6c7

SHA1
1e5b134d538d9c2eef53e4ecd04b806f4990cc74

SHA256
79ae4fdfc5edc08cea5520fe1e8fc448991903c493a02e9fda407bc825b330e9

SHA512
47dc3e66b4e32cb3bc1e2583e852cad7c211defe529d2ed7fce18587b4c1515bd5b5c5720f9ba0c1d9d022ff537abf827ed483e09fe63dfcf05bee4c07434631

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Shell.dll

Filesize
15KB

MD5
cb3bd9515eeccc9042757756ab7dd962

SHA1
c562da19fdc78c12685a0b1913bdf74067612b25

SHA256
e1cd982074254a8290fac19cd6d657dea80e4e70fb2742dae1137d895c3a09d8

SHA512
b1f5b6bea6ec21ae855c92871d396ae5139d028fd9f8e6d23706fc2abb97e3810b5b90ce70f2f399040436d5c4e47d64c5506464b26081fcfcb99dd91d1ac33f

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\StartupManager.dll

Filesize
189KB

MD5
cc42a1c35fa6857707755c4b7eebaade

SHA1
ddc1db3a8571e1d5da140f3500e26bf1a03acc03

SHA256
28533cf4dc5b93d9ec547c2a7649958e6c3b2906ddc43175af0a94439596bee9

SHA512
120c1481566b2c341cb9ffc90c821b1823870b9a671913ff5db9b8802f3fd120570dfe7c9928a038f3bf8a838a63a9ea5b3819a47bdbd9827f1024d79a70cbcb

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Plugins\Stealer.dll

Filesize
3.3MB

MD5
6cf3156c057817473d7d2239f71d2403

SHA1
36f45d7a326054e231b77b6021392d35898096ec

SHA256
3257ac3031047fcb719a8f82bd54ce42a6d542a97dd0149da08957a0c479e7fc

SHA512
3828f10081ef476cce1832ae8b3f68d7efaf539903f9d4f4e6fc4ef19feb87cb2d63409d5057e5d6d4b46e229d9ca10e39917a5c1902c55a3ce01cf18d67526d

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2.exe.Config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.2\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
db11d0f1cfa068b6e9e446ad575e19a5

SHA1
2a231b1b0e2d96e3df3a48d5f1578f0af6444c21

SHA256
46ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8

SHA512
e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b

Download Submit
memory/3000-304-0x000000001BC40000-0x000000001BC4C000-memory.dmp

Filesize
48KB

Download
memory/3000-238-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/3000-303-0x000000001BC30000-0x000000001BC3A000-memory.dmp

Filesize
40KB

Download
memory/3000-302-0x000000001DFA0000-0x000000001DFB2000-memory.dmp

Filesize
72KB

Download
memory/3000-276-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/3000-285-0x000000001BC20000-0x000000001BC2A000-memory.dmp

Filesize
40KB

Download
memory/3000-284-0x000000001BC00000-0x000000001BC0A000-memory.dmp

Filesize
40KB

Download
memory/3000-305-0x000000001DFC0000-0x000000001DFCC000-memory.dmp

Filesize
48KB

Download
memory/3000-283-0x000000001DB50000-0x000000001DEA0000-memory.dmp

Filesize
3.3MB

Download
memory/4776-211-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-221-0x0000028E67470000-0x0000028E675D8000-memory.dmp

Filesize
1.4MB

Download
memory/4776-205-0x0000028E56100000-0x0000028E562F4000-memory.dmp

Filesize
2.0MB

Download
memory/4776-203-0x0000028E58850000-0x0000028E5943C000-memory.dmp

Filesize
11.9MB

Download
memory/4776-207-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-208-0x00007FFC03203000-0x00007FFC03205000-memory.dmp

Filesize
8KB

Download
memory/4776-209-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-202-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-290-0x0000028E675E0000-0x0000028E6777B000-memory.dmp

Filesize
1.6MB

Download
memory/4776-210-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-244-0x0000028E61B10000-0x0000028E61B92000-memory.dmp

Filesize
520KB

Download
memory/4776-212-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-214-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-216-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-201-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-193-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-192-0x0000028E56360000-0x0000028E56F98000-memory.dmp

Filesize
12.2MB

Download
memory/4776-206-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-190-0x0000028E555D0000-0x0000028E555EA000-memory.dmp

Filesize
104KB

Download
memory/4776-187-0x0000028E3CBF0000-0x0000028E3CBF6000-memory.dmp

Filesize
24KB

Download
memory/4776-189-0x0000028E55600000-0x0000028E5563C000-memory.dmp

Filesize
240KB

Download
memory/4776-186-0x0000028E3CBE0000-0x0000028E3CBE6000-memory.dmp

Filesize
24KB

Download
memory/4776-185-0x00007FFC03200000-0x00007FFC03CC1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-184-0x0000028E556C0000-0x0000028E55716000-memory.dmp

Filesize
344KB

Download
memory/4776-182-0x0000028E55660000-0x0000028E556BE000-memory.dmp

Filesize
376KB

Download
memory/4776-180-0x0000028E55450000-0x0000028E55456000-memory.dmp

Filesize
24KB

Download
memory/4776-178-0x0000028E55470000-0x0000028E55498000-memory.dmp

Filesize
160KB

Download
memory/4776-176-0x0000028E3CC10000-0x0000028E3CC52000-memory.dmp

Filesize
264KB

Download
memory/4776-240-0x0000028E59D70000-0x0000028E59D9C000-memory.dmp

Filesize
176KB

Download
memory/4776-174-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/4776-173-0x00007FFC03203000-0x00007FFC03205000-memory.dmp

Filesize
8KB

Download
memory/4776-242-0x0000028E67E00000-0x0000028E680E2000-memory.dmp

Filesize
2.9MB

Download
memory/4776-246-0x0000028E67970000-0x0000028E67A22000-memory.dmp

Filesize
712KB

Download