xworm | f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410

Resubmissions

06-01-2025 17:11

250106-vqr59askhz 10

06-01-2025 17:01

250106-vjs4zatqbp 10

Analysis

max time kernel
420s
max time network
410s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-01-2025 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm.V5.3.Optimized.Bin.7z
Size

29.5MB
MD5

187b25b9e02c2b5d01a70d9d1855dd7c
SHA1

d0c7d39012ad0507239a3b060ea42cc13b22eb65
SHA256

f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410
SHA512

bea5cec59d0ebee26a71c78dc38da47a25ea7932d119868caf82b5e4bbbcecd8969abea80ad41b65352f264ced33c457a041c0d9f321c272a8f913802ee254ed
SSDEEP

786432:ILW4dBG6KKNtxT6xewFcJbnYrFWNbqjnZ5M5od:3wT6xhqRsubq15bd

Score

10^/10

xworm agilenet discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:64935

Mutex

cdkkR0Jevya0kA0b

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:64935

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00280000000462ef-587.dat	family_xworm
behavioral1/files/0x00280000000462f6-597.dat	family_xworm
behavioral1/files/0x00280000000462f6-599.dat	family_xworm
behavioral1/memory/3412-601-0x0000000000FB0000-0x0000000000FCA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 2 IoCs

pid	Process
2996	XWormLoader 5.2 x64.exe
3412	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	XWormLoader 5.2 x64.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00280000000461ae-187.dat	agile_net
behavioral1/memory/2996-188-0x000001FB72420000-0x000001FB731FE000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7330be21-46d4-42bd-9001-7711e3ccf5ee.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250106170335.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Software\Microsoft\Internet Explorer\TypedURLs	XWormLoader 5.2 x64.exe

Modifies registry class 53 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "3"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\NodeSlot = "4"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 7e003100000000003c589b55100058574f524d567e312e334f500000620009000400efbe265a4b88265a51882e0000002e610400000028000000000000000000000000000000e6901801580057006f0072006d002000560035002e00330020004f007000740069006d0069007a00650064002000420069006e0000001c000000	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	XWormLoader 5.2 x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x64.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
3984	msedge.exe
3984	msedge.exe
4124	identity_helper.exe
4124	identity_helper.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
1760	msedge.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
400	7zFM.exe
2996	XWormLoader 5.2 x64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	400	7zFM.exe
Token: 35	400	7zFM.exe
Token: SeSecurityPrivilege	400	7zFM.exe
Token: SeDebugPrivilege	2996	XWormLoader 5.2 x64.exe
Token: 33	220	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	220	AUDIODG.EXE
Token: SeDebugPrivilege	3412	XClient.exe
Token: SeDebugPrivilege	4424	taskmgr.exe
Token: SeSystemProfilePrivilege	4424	taskmgr.exe
Token: SeCreateGlobalPrivilege	4424	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
400	7zFM.exe
400	7zFM.exe
400	7zFM.exe
3984	msedge.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe
2996	XWormLoader 5.2 x64.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2996	XWormLoader 5.2 x64.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe
4424	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2996	XWormLoader 5.2 x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3984	2996	XWormLoader 5.2 x64.exe	98
PID 2996 wrote to memory of 3984	2996	XWormLoader 5.2 x64.exe	98
PID 3984 wrote to memory of 5044	3984	msedge.exe	99
PID 3984 wrote to memory of 5044	3984	msedge.exe	99
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 2380	3984	msedge.exe	100
PID 3984 wrote to memory of 4328	3984	msedge.exe	101
PID 3984 wrote to memory of 4328	3984	msedge.exe	101
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102
PID 3984 wrote to memory of 4132	3984	msedge.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm.V5.3.Optimized.Bin.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x11c,0x148,0x120,0x14c,0x7ff859cd46f8,0x7ff859cd4708,0x7ff859cd4718
    3⤵
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:8
    3⤵
    PID:864
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff6bd7b5460,0x7ff6bd7b5470,0x7ff6bd7b5480
      4⤵
      PID:2416
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    3⤵
    PID:4652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
    3⤵
    PID:4284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
    3⤵
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:1880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:2076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9991118051572565651,12845426493203748286,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
    3⤵
    PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff859cd46f8,0x7ff859cd4708,0x7ff859cd4718
    3⤵
    PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:2452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff859cd46f8,0x7ff859cd4708,0x7ff859cd4718
    3⤵
    PID:5012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bm2su3wo\bm2su3wo.cmdline"
  2⤵
  PID:2008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5B23A05A3D044A83B5C3A18ABD8A32B4.TMP"
    3⤵
    PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
77fe0ce7e1f9c9ec2f198ad2536bf753

SHA1
2a366472f227a24f3c0fba0af544676ea58438d7

SHA256
c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00

SHA512
e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d57a449c855203411a38d5ae80bc24c

SHA1
b361032efa556fc4557bbad595ce89c4b0c13dba

SHA256
bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21

SHA512
8d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b85cb68afaa0d8799c2ca52837081a

SHA1
625beb796af60d315feada1271934d08e1a55442

SHA256
4483f93f107e9eca43c552d8d3d070572c249578fba12224b6df60d98dda7b5a

SHA512
5e8bbb8fbe83fe31c9fa0df1855c8cef9fd6ecf164f5d8bae9497f54858a95fe1f6228361953ef2b99063d204142046872991450c94540c913bf530521ce76ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
28KB

MD5
38614225a098def99a788a2a1a3f1fd9

SHA1
8567fc94d204cfd2066654a0df7167d56f9952c8

SHA256
cda88367d92e5a05490b66cb01fdea12da6817067d1cbc21f42435052552ea1b

SHA512
926143d804a571fb4a0bf14e3c54204f2000039bd783a37e98339441c1451ac851a187cad5265540478e70e0f001513540fe8216a070b7c79a833754e8717e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
80KB

MD5
14e39be019da848a73da7658165674cb

SHA1
e016473c4189a8cc3dbff754a48b3e42d68af25a

SHA256
39595a1806156cfcadf3cc4e20c5c3f3eec721386a0551790a15f025ba9402bd

SHA512
828a383de549871aa80ec960a7e371ef47da96d01ebb9628d1484ceed9eb698aec5109b3de0b24ff8000610a2c2d633616c9fd28d380656fecbaa930cffed029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
72B

MD5
18542ea788542926161d8cc93a1b828d

SHA1
641b92c1c6cfbd3dc8130ab8334a51de217f2684

SHA256
b570eca66d24b999e79803328701582cb4f82b74763865ce9edff06ff431ebc4

SHA512
8f54b57f74f202b04a41d64e2abd04c90650aa6bd3ba9d07c0c5adc16c35f05b30c95e7a9dfd7d091472c4caa67ddca2a76bbb0339c810b6ed93944e4bc4ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a77e21bedad9c99ba8599721c9b9748a

SHA1
ac040db072935542346dc018d137c1e555e11fac

SHA256
9c304ee615defd16276c3dd6fea9ceb243011f1fb768390573a42d6e0ca1e40a

SHA512
2fa946849c9fa8fc031f00d074e8429968c3786105b12084c17c5d6fcb7ab372389009cea78a5010827fa7e75c02e7b8f4cf7f943e99d59b4ed124b125a7d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
442B

MD5
75589c53e477bbf98c7e75d0df7fc88b

SHA1
2c821aa877f7c11ea51930fbfb2c2a571552a3ec

SHA256
41a37afd461bb2bc342a2f90ea751ef7e9f2da06d8f378079690396ef48ab7a3

SHA512
4ea9052a1b4d9376957e5db7a5e55d60e7b886e1eb6aabe2ffeeeb6a8f7a26df831c372add0ae565876a6c63dbc1ced3a04edd6a7ab182cd77f3291c8e4436ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe59a212.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7359ac25f7d42085a7f2058e4c9dccb1

SHA1
c542ab7e927ca6118f7a47e8ac7741ec4969febb

SHA256
41c1bdaf4385f71addb327e20d031f137e12b63b0f2cea88a9cba696ffcfad8d

SHA512
dea77d0a3c42f57cd0ac14875074374ee857c2ede21dc089e95f0421ebfc862bf4a6ec4f78e40992f289b3469919a4c5cea6c7fb48cbf7fbd66437970e61bede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2d21b6a0a2700f3b2e4bcc20188ebb3

SHA1
8b11baff55090625a625c13be23748c5747161fe

SHA256
65e200f0931d6fc0779f27cc9a16ea8ac7366636171cbfca1804ee74fee2d87c

SHA512
251659705809b37e6f72d0a370550a9be1bd43301ab5fe8e5f4c85f9cf22d0f836fcc996b453bddce68577b0f916c6360b2b50d8dc03f520c421bc1d926fb5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
4ac75eea5ea4a130f7d49775ed273b4d

SHA1
e00997ea629efdc6991ea58a81b9c66e345d9508

SHA256
2e11ac07108ad24bf1a84fbb71d80d956d5a13e1659cbeb39bd9970e3626418b

SHA512
671e05db3f1aa2eea339b6684cbea1f081a4677e04957b2e2e8753bd035821227e890161dfc51443cdee7bcf66570c2e81c344d2a65087251c8f582628166538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
564e04034ea4c307bba2aafce60d46b4

SHA1
609acae5ded873b04c0095aaa2624ef8b984c5d5

SHA256
fddb58b1a1e4c34b51c4620a5a8f2898657af544507fa53f9c7ab5bac96361b6

SHA512
94f8b20fd041d9a7a62d49da822d6640dc929ed1760bd16f84543a4eccf92290a4d8743791add7f3a1ba220e92c47087f0dd714620e21dc110e1f082fc257539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8bfdb7b3bd7dabd9c310f9999d695972

SHA1
b01656785a2b87a7959265abe4bbea05bd89e7d2

SHA256
070574d36dbe918bea484320010b38da0b0b1b35ed640f3965c1eef537e87f51

SHA512
52f22cc72a18d28de42f299b9cb2ec7c9553d3a8d974868fa6147053745d092b50c6d23306f7ab4f3e03c45acba0139158fc2d0bf9ddda26d34105116e2fefe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9b2345e425acf05ffaa1dee20d4fdbe7

SHA1
aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3

SHA256
1eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14

SHA512
647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
77006dacd174a80aa9b867f95d5df337

SHA1
7078db638c72ee5cf4ede7911e4421cc4ae103c7

SHA256
5e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9

SHA512
e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
8cd1566c51e599d9a4ddfae8c7bf5c6c

SHA1
afb22c30ecb81564bb4aa2e6f9e59492b38a268f

SHA256
ce6dd17c1d3e346a0d91a6b3b7568ac18da3f7aaecdf9c435b63cbce7936eaea

SHA512
9a205e043a8495295d3623c1de7e50ddec3aff284a360757418103bb84df068b6c607696c43a983362bf144ff5817117ad0c422e1948698630338ee0ee42bd41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
e36ea8f6d7168078855dd539a7cc5b78

SHA1
23659d4738c37141051ad997b15ad6e2e99eedc3

SHA256
bc0323c553923c53a9bcd6c7cb590d35e98250b17992235790e8beb074229d9e

SHA512
c4ad61c900e427729fa3b486070ef1feb518116d48ae609bf299ebacf93ec4ec09a9df0a86b7bf2d068776958004ee43d67ab42d94cd43d3cd1c42a563a0ae00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58fb14.TMP

Filesize
538B

MD5
daf5e3d0fdc28f2032a08f9918ed3a98

SHA1
b423a86cd52673882fc843b842a58a8d21069852

SHA256
4d8acdb1391fa46520cdc52c552fc2e1b3cec588639097406a9cc6c214f40c24

SHA512
946156416c2e0f27a528ab1125004eab713a8be1ffec47ac63059ab3de4dc1e9f1062636cf6f3ae3b3383eae4263280e37ef7494ae5940c5def5a3438d75a304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3e99f9ee14a46fa95fc9e850b27762d

SHA1
706a59df7eb9ccdaef5ccf5f62ef4001417921cb

SHA256
1443baeaca5119d99b0341e1e2c296da759a63b8aba40dfd773ad8ad82cd267f

SHA512
2644e881a9271d74e68be6940c694beee3dcbdb02212810f0606c6437f6ed614b274037b2aa97b7acfa9b3826c2cfce8aac4ebc3fe9862c156b3274135740933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e728b4109aba8d29c8c520f950dca70

SHA1
be676f1e00a0b124a288b724cc753e30da198ba6

SHA256
200c7929d85accb0564c9032add53d3c0cfbebca7f6117474a1d7f5f759ecd44

SHA512
6816e8bf35b106e6dc8a6727ad50a23fcaf80e4bb505303799e07c37d80922cbf39f17c524bcb8ca4e86e20f3d690840a8d8d7fb48a831a5aa7d3dcfef72e25c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c68c318cec7674f1449cabac8db930aa

SHA1
dc1a94289cc728d855980f1654eaca2238da737b

SHA256
f0fb2a09822a25055257c499399660a2d181a54815dd578e24a5e674f5422a34

SHA512
4e1ecb82e778aec91bf36f0ba80a40991e9fb9333a261ddc6e8095c07f3400abdbe22a56bc7ddcb3797bd36509a79ab74c7fa9d71e5e40da78febb06813fa939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4c442631515f9fe7ad6ca65a56156751

SHA1
9b8e76e58ea4356fbb4157329bff435861471a43

SHA256
8d05bdf44507e1de1c1f4041f1c7887887890bc801d02e73316800d778d0d22b

SHA512
48af0ceae26f08700bdd596a54ef4c104104574eb96f9c376a90f5fb008bf1d745b413ac85db49909ac8bb7e6d2fa6d76f92a4fb9ce399ee76b7c5626b0fe1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
389c0de8f3e2052f581e5936e670c8b8

SHA1
3fc4a69286ca415e4613ec4d2c097c557c6d2a58

SHA256
b37a7c7c7282a66234449cb1fc384c8fdd88fbf59d67e73d575c550e674f3396

SHA512
343a11ecf926ae78cebe13bc6653f3bd870a47fba56bc0d5f99e449a69cd4275a7203174b716c9ab551f8bd1db80a17bd5c78e3aa5c59b9d5ebc30860214f57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0917C657\XWorm V5.3 Optimized Bin\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES65C.tmp

Filesize
1KB

MD5
0cdda4e5ffafdba4f88259b5e752b4ee

SHA1
c6bb3e5ec571ea99b7ba8617976e3e9b65494fd9

SHA256
d9c3b718f2ca1631772e7bc651fe31ecc776bc4d161c3e2bed169361ca62ab95

SHA512
180fcb619d561ab7d643f584abdef4d4b340be6d62ef27782cdef69010c9e170df71bfa60401c429e7651b79f858b27146ac54e0ef2ce539e4b4300468af74af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bm2su3wo\bm2su3wo.0.vb

Filesize
78KB

MD5
744c025f4d91f21b38779fbf3498cbde

SHA1
fb609188263e3d7a1e05ba92382454b2557e32d6

SHA256
b14967ccfe99eea04a2d6f9c6d39ce3c57282b04cb971054544c2027f677cc78

SHA512
7e6b691ab68ce2c775ede028f6d014ba3828c5f13e6c0180f72e37e6f09d1da609c3a9444bf33eacb2aad5496cee6658471b98513976cd891cb71c812d53a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\bm2su3wo\bm2su3wo.cmdline

Filesize
290B

MD5
9c569824f0b780fcf86399bb1a323bb3

SHA1
671021132578304038fae53705e231f2f6ea06db

SHA256
bd85d8a4df62262191b3741fc861fd1868cc1d4bde3c2bc4cd79a1d5383d43a0

SHA512
04a257273631499afdad09c8e1d323cfc5913075581e192b8573a802f5dff30679560a158e76993816f17bf6d51ee6f9bfa1d69eeba0c51699711e1ff4c1b97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5B23A05A3D044A83B5C3A18ABD8A32B4.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
102f0c162a792071f3f0220fe6aa5e2a

SHA1
09dd70b1348e5e81b1ac0e0aecc9ef567307a537

SHA256
6c59f3096f6dec5c639da19507ada812f0bee92ba19fd8baaf5751f1ad4855dd

SHA512
85aa46e686ff4810e86188d77a7209a6a5c4512c67a9f1c07444b7cde9bbdb24493e2bb31ce4c3d2ddeb1610583222fc3db7b8dd8c6f7ebbc7ab375f97daaed2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
fb25bed084b76b667e5058fec59c4b18

SHA1
b4c56bc74165654966023312795cb6a998c943af

SHA256
eb25bca06f37db9c2716730e7758b0d213e5f376a056ce51598288c2f1b3f347

SHA512
5f495f27daba1a1ffe33c8f4f69d353e1ad266a3dd2b32bd94faec1d8d744b53b1950a4f11c34d7e155df04018f98763817c5ce0800ef1fe3760b8b01fc058cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
56a3fff7bfada0b8b831e53ed0bb4a18

SHA1
3f64282bd81d80a2e4ac356fc97f0e56b7c24de4

SHA256
82a23a80c6e92d1e153db236e7de949ca5f8b581fda49953ff0d72fc6b75db69

SHA512
5deb4ab90d4b1074a8ac5f92a1c4724c6d0a066b7135fa522df4873f09d5ccf4acc567da83ca04229d7bade324eb49c14deb68da71009a312b4c684c9da2a687

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
34KB

MD5
b15e1d85a3ce5eaf4237e1a84ae74088

SHA1
b627351749a24a48ecbbbca6252aacfd2dfe1ea9

SHA256
6ea73256a9ae5898f593299108309ff7f8ab0e8a0db4247b61278165e685ed3b

SHA512
11e2c35db019acdc0714bdd2c38401532471071cb52e6167ba4c4df602df34a80d5661f20a0542a40d4ddd0a24df79b9a84a81ee1b1b9db0a7018215366ebf66

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
75KB

MD5
85db0812127879d1667f7dcb2ab83024

SHA1
bc145ce9c7e9c5dfa9b74836a38ee25f3575c144

SHA256
d5d42bd37fc32f9ab3d5a1d2cd0929b72b95fd3ebfa294fd858adcdbb0176d6d

SHA512
b9e7c23e6886d795e60971e07b78b3f1fecda28d5b561cd7a1aecfd499e1778ab4d4565cb8da75e71faf05036712857798057d89f54a5cd267a5dcfd974c55fc

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWorm V5.2.exe

Filesize
13.8MB

MD5
897201dc6254281404ab74aa27790a71

SHA1
9409ddf7e72b7869f4d689c88f9bbc1bc241a56e

SHA256
f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a

SHA512
2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWorm V5.2.exe.Config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Desktop\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
memory/2996-183-0x000001FB572E0000-0x000001FB572E6000-memory.dmp

Filesize
24KB

Download
memory/2996-629-0x000001FB754E0000-0x000001FB75562000-memory.dmp

Filesize
520KB

Download
memory/2996-176-0x000001FB58C10000-0x000001FB58C16000-memory.dmp

Filesize
24KB

Download
memory/2996-582-0x000001FB77CD0000-0x000001FB77E38000-memory.dmp

Filesize
1.4MB

Download
memory/2996-178-0x000001FB71540000-0x000001FB7159E000-memory.dmp

Filesize
376KB

Download
memory/2996-180-0x000001FB715A0000-0x000001FB715F6000-memory.dmp

Filesize
344KB

Download
memory/2996-172-0x000001FB71320000-0x000001FB71362000-memory.dmp

Filesize
264KB

Download
memory/2996-170-0x00000000005B0000-0x00000000005D0000-memory.dmp

Filesize
128KB

Download
memory/2996-169-0x00007FF849273000-0x00007FF849275000-memory.dmp

Filesize
8KB

Download
memory/2996-181-0x00007FF849270000-0x00007FF849D32000-memory.dmp

Filesize
10.8MB

Download
memory/2996-182-0x000001FB572D0000-0x000001FB572D6000-memory.dmp

Filesize
24KB

Download
memory/2996-200-0x00007FF849270000-0x00007FF849D32000-memory.dmp

Filesize
10.8MB

Download
memory/2996-185-0x000001FB71600000-0x000001FB7163C000-memory.dmp

Filesize
240KB

Download
memory/2996-186-0x000001FB714A0000-0x000001FB714BA000-memory.dmp

Filesize
104KB

Download
memory/2996-188-0x000001FB72420000-0x000001FB731FE000-memory.dmp

Filesize
13.9MB

Download
memory/2996-631-0x000001FB77B60000-0x000001FB77C12000-memory.dmp

Filesize
712KB

Download
memory/2996-196-0x000001FB73A00000-0x000001FB745EC000-memory.dmp

Filesize
11.9MB

Download
memory/2996-174-0x000001FB71370000-0x000001FB71398000-memory.dmp

Filesize
160KB

Download
memory/2996-198-0x000001FB71F40000-0x000001FB72134000-memory.dmp

Filesize
2.0MB

Download
memory/2996-627-0x000001FB78130000-0x000001FB78412000-memory.dmp

Filesize
2.9MB

Download
memory/2996-625-0x000001FB75420000-0x000001FB7544C000-memory.dmp

Filesize
176KB

Download
memory/2996-199-0x00007FF849273000-0x00007FF849275000-memory.dmp

Filesize
8KB

Download
memory/3412-601-0x0000000000FB0000-0x0000000000FCA000-memory.dmp

Filesize
104KB

Download
memory/4424-634-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-633-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-632-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-644-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-643-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-642-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-641-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-640-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-639-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download
memory/4424-638-0x0000026536E70000-0x0000026536E71000-memory.dmp

Filesize
4KB

Download