Analysis
max time kernel: 170s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2025, 14:46
Static task: static1
URLScan task: urlscan1
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  4348  XWorm V5.2.exe
  4776  XWormLoader 5.2 x64.exe
Loads dropped DLL (2 IoCs)
  PID   Process
  4348  XWorm V5.2.exe
  4776  XWormLoader 5.2 x64.exe
Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral1/files/0x0007000000023d72-426.dat                                  agile_net
  behavioral1/memory/4348-428-0x000001C1932F0000-0x000001C1940CE000-memory.dmp  agile_net
  behavioral1/memory/4776-465-0x000002307B5A0000-0x000002307C37E000-memory.dmp  agile_net
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 9 IoCs)
SystemManufacturer, SystemProductName and SystemVersion under the BIOS key carry the OEM or hypervisor identity strings, so reading them is a common host-fingerprinting and virtual-machine check. msedge.exe also appears in this table; the entries to follow up are the ones from the two XWorm binaries.
  description        ioc                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    XWorm V5.2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWorm V5.2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion      XWorm V5.2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer XWormLoader 5.2 x64.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion      XWormLoader 5.2 x64.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    XWormLoader 5.2 x64.exe
Modifies registry class (23 IoCs)
These are the Open With registrations for the .config extension (.config maps to config_auto_file, whose open and edit verbs run NOTEPAD.EXE %1) produced when the two .exe.config files listed in the process tree were opened with Notepad. The three key names that render as CJK characters are reproduced as the sandbox exported them. All keys below are under \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes, abbreviated <Classes>.
  description      ioc                                                                                   Process
  Key created      <Classes>\config_auto_file\shell\edit\command                                         OpenWith.exe
  Set value (str)  <Classes>\config_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  OpenWith.exe
  Key created      <Classes>\config_auto_file\shell\open\command                                         OpenWith.exe
  Key created      <Classes>\.config                                                                     OpenWith.exe
  Set value (str)  <Classes>\.config\ = "config_auto_file"                                               OpenWith.exe
  Key created      <Classes>\쨶戲촀蠀哀                                                                    OpenWith.exe
  Set value (str)  <Classes>\\ = "config_auto_file"                                                      OpenWith.exe
  Key created      <Classes>\쨴戰츀蠀⪰뿌翺                                                                 OpenWith.exe
  Set value (str)  <Classes>\쨴戰츀蠀⪰뿌翺\ = "config_auto_file"                                          OpenWith.exe
  Key created      <Classes>\                                                                            OpenWith.exe
  Key created      <Classes>\Local Settings                                                              OpenWith.exe
  Key created      <Classes>\                                                                            OpenWith.exe
  Set value (str)  <Classes>\쨶戲촀蠀哀\ = "config_auto_file"                                             OpenWith.exe
  Key created      <Classes>\폠歒ǽ                                                                        OpenWith.exe
  Key created      <Classes>\config_auto_file\shell\edit                                                 OpenWith.exe
  Set value (str)  <Classes>\폠歒ǽ\ = "config_auto_file"                                                 OpenWith.exe
  Key created      <Classes>\config_auto_file\shell                                                      OpenWith.exe
  Key created      <Classes>\config_auto_file\shell\open                                                 OpenWith.exe
  Set value (str)  <Classes>\config_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  OpenWith.exe
  Key created      <Classes>\Local Settings                                                              msedge.exe
  Key created      <Classes>\Local Settings                                                              OpenWith.exe
  Key created      <Classes>\config_auto_file                                                            OpenWith.exe
  Set value (str)  <Classes>\\ = "config_auto_file"                                                      OpenWith.exe
Opens file in notepad (likely ransom note) (2 IoCs)
The files opened are XWormLoader 5.2 x64.exe.config and XWorm V5.2.exe.config (see the process tree), the .NET application configuration files shipped next to the two executables. The "ransom note" label is this signature's generic heuristic for Notepad opening a file and does not fit here.
  PID   Process
  2180  NOTEPAD.EXE
  4464  NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (41 IoCs)
  PID   Process                  Entries
  3956  msedge.exe               2
  5064  msedge.exe               2
  632   identity_helper.exe      2
  1064  msedge.exe               2
  616   msedge.exe               4
  4776  XWormLoader 5.2 x64.exe  29
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  PID   Process
  1432  OpenWith.exe
  2040  OpenWith.exe
  4776  XWormLoader 5.2 x64.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID   Process     Entries
  5064  msedge.exe  10
Suspicious use of AdjustPrivilegeToken (8 IoCs)
The two numeric entries are privilege LUIDs the sandbox did not resolve to a name: 33 is SeIncreaseWorkingSetPrivilege and 35 is SeCreateSymbolicLinkPrivilege (7-Zip enables it to extract symbolic links). The entries that matter are the two XWorm binaries enabling SeDebugPrivilege, which is needed to open processes they do not own.
  description                         pid   Process
  Token: SeRestorePrivilege           2852  7zG.exe
  Token: 35                           2852  7zG.exe
  Token: SeSecurityPrivilege          2852  7zG.exe
  Token: SeSecurityPrivilege          2852  7zG.exe
  Token: SeDebugPrivilege             4348  XWorm V5.2.exe
  Token: SeDebugPrivilege             4776  XWormLoader 5.2 x64.exe
  Token: 33                           1176  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   1176  AUDIODG.EXE
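The BIOS-key reads and the token privilege adjustments above are easier to reason about once joined per process. The Python below is an added example, not part of this report or of the sandbox's tooling: it carries the rows transcribed from the two tables, resolves the two numeric LUIDs the report left unresolved, and ranks every process that read OEM/hypervisor identity values outside an allowlist. The allowlist (msedge.exe only) and the scoring rule are this example's own assumptions.

```python
"""Triage of the 'Enumerates system info in registry' and 'Suspicious use of
AdjustPrivilegeToken' tables.

Added example, not part of the sandbox report. The two event lists are
transcribed from the report; the allowlist and the scoring are assumptions
of this example.
"""
from collections import defaultdict

BIOS_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"

# (action, registry path, process) rows of the registry table
REGISTRY_EVENTS = [
    ("Key opened",        BIOS_KEY,                          "XWorm V5.2.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemManufacturer", "XWorm V5.2.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemVersion",      "XWorm V5.2.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemManufacturer", "XWormLoader 5.2 x64.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemVersion",      "XWormLoader 5.2 x64.exe"),
    ("Key opened",        BIOS_KEY,                          "msedge.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemManufacturer", "msedge.exe"),
    ("Key value queried", BIOS_KEY + r"\SystemProductName",  "msedge.exe"),
    ("Key opened",        BIOS_KEY,                          "XWormLoader 5.2 x64.exe"),
]

# (privilege, pid, process) rows of the token table; bare numbers are
# privilege LUIDs the sandbox did not resolve to a name
TOKEN_EVENTS = [
    ("SeRestorePrivilege",         2852, "7zG.exe"),
    ("35",                         2852, "7zG.exe"),
    ("SeSecurityPrivilege",        2852, "7zG.exe"),
    ("SeSecurityPrivilege",        2852, "7zG.exe"),
    ("SeDebugPrivilege",           4348, "XWorm V5.2.exe"),
    ("SeDebugPrivilege",           4776, "XWormLoader 5.2 x64.exe"),
    ("33",                         1176, "AUDIODG.EXE"),
    ("SeIncBasePriorityPrivilege", 1176, "AUDIODG.EXE"),
]

# Well-known Windows privilege LUIDs for the unresolved rows
PRIVILEGE_LUIDS = {
    "33": "SeIncreaseWorkingSetPrivilege",
    "35": "SeCreateSymbolicLinkPrivilege",
}

# Assumption of this example: a browser reading the BIOS key is routine;
# any other process reading it gets a finding.
BIOS_READ_ALLOWLIST = frozenset({"msedge.exe"})


def privilege_name(token):
    """Resolve a numeric LUID from the table to its privilege name."""
    return PRIVILEGE_LUIDS.get(token, token)


def bios_values_by_process(events):
    """Map each process to the set of value names it read under the BIOS key."""
    out = defaultdict(set)
    for action, path, proc in events:
        if not path.upper().startswith(BIOS_KEY.upper()):
            continue
        rest = path[len(BIOS_KEY):]
        if action == "Key value queried" and rest.startswith("\\"):
            out[proc].add(rest[1:])
        else:
            out.setdefault(proc, set())  # key opened, nothing read yet
    return dict(out)


def privileges_by_process(events):
    """Map each process to the set of privilege names it enabled."""
    out = defaultdict(set)
    for token, _pid, proc in events:
        out[proc].add(privilege_name(token))
    return dict(out)


def triage(reg_events, tok_events, allowlist=BIOS_READ_ALLOWLIST):
    """One finding per non-allowlisted process that read BIOS identity values.

    Score: 1 for the fingerprinting read, +2 if the same process also enabled
    SeDebugPrivilege, which lets it open processes it does not own.
    """
    bios = bios_values_by_process(reg_events)
    privs = privileges_by_process(tok_events)
    findings = []
    for proc, values in bios.items():
        if proc in allowlist or not values:
            continue
        se_debug = "SeDebugPrivilege" in privs.get(proc, set())
        findings.append({
            "process": proc,
            "bios_values": sorted(values),
            "se_debug": se_debug,
            "score": 1 + (2 if se_debug else 0),
        })
    findings.sort(key=lambda f: (-f["score"], f["process"]))
    return findings


if __name__ == "__main__":
    for f in triage(REGISTRY_EVENTS, TOKEN_EVENTS):
        print(f"score={f['score']}  {f['process']:<26} "
              f"bios={','.join(f['bios_values'])}  SeDebug={f['se_debug']}")
```

Run as a script it reports only the two XWorm binaries, each with score 3 (BIOS fingerprinting plus SeDebugPrivilege); 7zG.exe and AUDIODG.EXE adjust privileges but never touch the BIOS key, and msedge.exe is allowlisted.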
Suspicious use of FindShellTrayWindow (64 IoCs)
  PID   Process          Entries
  5064  msedge.exe       52
  2852  7zG.exe          1
  4348  XWorm V5.2.exe   11
Suspicious use of SendNotifyMessage (25 IoCs)
  PID   Process                  Entries
  5064  msedge.exe               24
  4776  XWormLoader 5.2 x64.exe  1
Suspicious use of SetWindowsHookEx (22 IoCs)
  PID   Process       Entries
  1432  OpenWith.exe  17
  2040  OpenWith.exe  5
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries are PID 5064 (msedge.exe) writing into four of its own child processes (procid_target is the report's internal process index).
  Writer PID  Process     Target PID  procid_target  Entries
  5064        msedge.exe  1764        83             2
  5064        msedge.exe  4592        84             (these two targets account for the remaining 60 entries)
  5064        msedge.exe  3956        85             2
  5064        msedge.exe  4516        86             (see 4592)
Processes
Indentation shows parent/child depth; the bullets under a process are the signatures attributed to it. Both XWorm binaries launch Edge on https://t.me/XCoderTools. PIDs 616 and 1432 each appear twice in this run (msedge.exe gpu-process and CompPkgSrv.exe; OpenWith.exe and msedge.exe): PIDs were reused, so correlate signature hits on image path and parent as well as PID.

msedge.exe  PID 5064
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/SmokeLoader/XWorm-V5.3/releases/tag/XWorm
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    msedge.exe  PID 1764  (crashpad-handler)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad15346f8,0x7ffad1534708,0x7ffad1534718

    msedge.exe  PID 4592  (gpu-process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

    msedge.exe  PID 3956  (network service)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 4516  (storage service)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8

    msedge.exe  PID 4808  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

    msedge.exe  PID 1916  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1

    identity_helper.exe  PID 1776
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8

    identity_helper.exe  PID 632
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 3960  (collections)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8

    msedge.exe  PID 1528  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

    msedge.exe  PID 1064  (quarantine)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 2920  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1

    msedge.exe  PID 1008  (renderer, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1

    msedge.exe  PID 3348  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1

    msedge.exe  PID 4000  (renderer, instant process)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

    msedge.exe  PID 4504  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

    msedge.exe  PID 616  (gpu-process, GPU sandbox disabled)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 2728  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

    msedge.exe  PID 716  (renderer)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13692296067602084284,8669946857821122488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

CompPkgSrv.exe  PID 616
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID 1560
  C:\Windows\System32\CompPkgSrv.exe -Embedding

rundll32.exe  PID 4028
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

7zG.exe  PID 2852
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\" -ad -an -ai#7zMap111:108:7zEvent1337
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

OpenWith.exe  PID 1432
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

    NOTEPAD.EXE  PID 4464
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe.config
      - Opens file in notepad (likely ransom note)

OpenWith.exe  PID 2040
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

    NOTEPAD.EXE  PID 2180
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe.config
      - Opens file in notepad (likely ransom note)

XWorm V5.2.exe  PID 4348
  "C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

    msedge.exe  PID 1644
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

        msedge.exe  PID 2968  (crashpad-handler)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad15346f8,0x7ffad1534708,0x7ffad1534718

XWormLoader 5.2 x64.exe  PID 4776
  "C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage

    msedge.exe  PID 1432
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

        msedge.exe  PID 1468  (crashpad-handler)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffad15346f8,0x7ffad1534708,0x7ffad1534718

WmiApSrv.exe  PID 2152
  C:\Windows\system32\wbem\WmiApSrv.exe

AUDIODG.EXE  PID 1176
  C:\Windows\system32\AUDIODG.EXE 0x338 0x424
  - Suspicious use of AdjustPrivilegeToken
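The WriteProcessMemory signature attributes every entry to msedge.exe PID 5064 writing into processes it spawned itself (1764, 4592, 3956 and 4516 in the tree), which is how a Chromium browser broker starts its helper processes. The injection pattern worth alerting on is a write into a process the writer did not create, or into a freshly spawned child of a different image (hollowing). The Python below is an added example, not part of this report: it parses rows in the report's flattened "PID X wrote to memory of Y X image procid" form, looks each edge up in a parent map transcribed from the process tree, and labels it. The rows are trimmed to a few of the 64 listed, and PIDs 9001 to 9003 with example-injector.exe and the svchost.exe/notepad.exe placeholders are constructed here to exercise the other two verdicts; they are not behaviour the report recorded.

```python
"""Classify 'Suspicious use of WriteProcessMemory' rows against the process tree.

Added example, not part of the sandbox report. Rows and parent links are
transcribed from the report (rows trimmed); the labelling rule is this
example's own, and PIDs 9001-9003 are constructed to show the non-benign cases.
"""
import re
from collections import Counter

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")

WPM_ROWS = """
PID 5064 wrote to memory of 1764 5064 msedge.exe 83
PID 5064 wrote to memory of 1764 5064 msedge.exe 83
PID 5064 wrote to memory of 4592 5064 msedge.exe 84
PID 5064 wrote to memory of 4592 5064 msedge.exe 84
PID 5064 wrote to memory of 4592 5064 msedge.exe 84
PID 5064 wrote to memory of 3956 5064 msedge.exe 85
PID 5064 wrote to memory of 4516 5064 msedge.exe 86
PID 9001 wrote to memory of 9002 9001 example-injector.exe 99
PID 9001 wrote to memory of 9003 9001 example-injector.exe 100
"""

# pid -> (image, parent pid); None marks a top-level process in the tree
PROCESS_TREE = {
    5064: ("msedge.exe", None),
    1764: ("msedge.exe", 5064),            # crashpad-handler
    4592: ("msedge.exe", 5064),            # gpu-process
    3956: ("msedge.exe", 5064),            # network service
    4516: ("msedge.exe", 5064),            # storage service
    4348: ("XWorm V5.2.exe", None),
    4776: ("XWormLoader 5.2 x64.exe", None),
    2152: ("WmiApSrv.exe", None),
    9001: ("example-injector.exe", None),  # constructed
    9002: ("notepad.exe", None),           # constructed: not spawned by 9001
    9003: ("svchost.exe", 9001),           # constructed: spawned by 9001, different image
}


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image) for each row, or raise."""
    edges = []
    for line in text.strip().splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, writer_again, image, _procid_target = m.groups()
        if writer != writer_again:
            raise ValueError(f"inconsistent writer pid: {line!r}")
        edges.append((int(writer), int(target), image))
    return edges


def classify(writer, target, tree):
    """Label one write edge using only parent/child and image relationships."""
    w_image = tree.get(writer, ("<unknown>", None))[0]
    t_image, t_parent = tree.get(target, ("<unknown>", None))
    if t_parent == writer and t_image == w_image:
        return "same-image-child"     # broker populating its own child (Chromium startup)
    if t_parent == writer:
        return "foreign-image-child"  # spawn-then-write into another binary: hollowing pattern
    return "unrelated-process"        # write into a process the writer did not create: injection


def summarize(edges, tree):
    """Collapse repeated rows into one record per (writer, target) with a count."""
    counts = Counter(edges)
    return [
        {
            "writer": w, "target": t, "image": img, "writes": n,
            "target_image": tree.get(t, ("<unknown>", None))[0],
            "verdict": classify(w, t, tree),
        }
        for (w, t, img), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for r in summarize(parse_rows(WPM_ROWS), PROCESS_TREE):
        print(f"{r['writer']:>5} {r['image']:<22} -> {r['target']:>5} "
              f"{r['target_image']:<16} x{r['writes']:<3} {r['verdict']}")
```

All four msedge.exe edges come out as same-image-child; only the constructed injector produces the unrelated-process and foreign-image-child verdicts. For a real hunt, feed the full 64 rows and the complete tree, and treat any process absent from the tree as unknown rather than benign.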
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5fa5abf1e8ec03523f308d3e532622ca5
SHA1ea31d14397f6c50ef4bf1707dafb933776f3fa5c
SHA256337af46a11fd80e813b1d33015b005113abff7d1061f39f44daf99f9ae2e4b35
SHA5120400806a2e897dd65a024b299c5a9f92a65a1aa9d847c90fda51b67d0454d6f7d20f6221f01f3183ae829457dd9c25a8dca1167e78b0bee27cff780fbe0cc6fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD53a96e4d01ce30aa9103f76db6246cd6c
SHA10824c0071f87305af3cef5b6807f04e1dd84d31c
SHA2568a2ca0f48800712fb0e1eb965892642eacf0f979ed2e77677b9078d794f46a32
SHA512b9e85719f8efd2e77fcbbd3ccce5b4047818bbae6e0382839569efd28f5d0d5d015a90ba28ff394eda929837793b3f42a365bb9cc49e5f649322e645b3d3119e
-
Filesize
828B
MD53e5b4395a6fccaf418e4e3f0af52d835
SHA11c03499b9e3da2ab2b4b7f290ee1cf3a1e6cbe9a
SHA256fe8f8fe3c05dfb11e6c25e2920a26bd78484999ce5f1bd4d1b0254e374d962e7
SHA512b04cfcdc9c3f1b3eefbca163add2a3d4d801c8c219215c557b50d16985063809ed0a20f721f2bedb6236247de8d37a128a2d7411eab6b53777a17b82fc6d7ba0
-
Filesize
496B
MD51b92794633aaa7d8ca83e408ef516a36
SHA14ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6
SHA2560ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0
SHA512698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb
-
Filesize
6KB
MD53384000b43621943b44bd8d71e1df228
SHA12c8b514de503be48efec393880fd3cc7fece781e
SHA256f054a06855c1ece3985476728d4ffe4427fb7bf0ee04ef0a7a624aa1dc4fd39d
SHA512a0557867dd69ff3b4b02d6447135729f26150190b132265c951e0c9d2271cb88f23ee496734d43272b3f43bc8a17c9b6c14f81e430110853297a4269fc9db87b
-
Filesize
7KB
MD5245f62d7ada8538bfacd839248c3f1e1
SHA1d1591eaa355019c31fadcae752e45ab2f266402c
SHA256eda63d8d99b2ffc3c50c3addbf209448f13ddd34da757733639bb02ecfafb2aa
SHA5127228bcd14fcb11d4dddc51a92ddc319527eb5c24b2a31964c0824c0954764f5ab7b9fcf29e6d4cb3d6bed54a0e94c050a0ce9a2c589c8c95606f135984b9dcaa
-
Filesize
5KB
MD5f80a0f3bae53cb9b6f55152f6d30acdb
SHA1711432688ecd2b3c48f11409779d36c5ecfec95d
SHA25626f3a9f3adcad9497ccdf5b6d13b3debfb030ec9a36d75bd679f1d5cfbea651f
SHA51234478e90b499f64549b2b8d370fd4abe85fb899488a7c099ff08dd6bfbe59c03cb609204c0d6a4e56f3552eea09717188d7791c7ae0eaabb445e19d2396f2d7a
-
Filesize
6KB
MD5985e3dab9f730fa37a76405d686a8a6f
SHA1a5df4f2e4ff91dd28444cc9ac49c131f9b6a83aa
SHA25673459d7c5a1957fd0325a0ec9b0c79fc23f2ba17166284999a6d3059a895e5eb
SHA512f6a3961ab451d1cec177105704213b2efc9351b8a2df34496c32c357cc4514b0be776f5c349e4734c629ae9df7c9092f76b36be7e5f3b5c59ef1d590511555f2
-
Filesize
874B
MD5f8a3007b545c4800932cfa88f991210d
SHA161285d8fdd657ae40d3473fc00aac42d1149e984
SHA2568856ec1b97793e77c8537ee57d99aa392989c06ae500a809e5ab07d0960ebac8
SHA51255befb0c69377b988a62f93bb49f162d42fe6382f0e2a47c31d3d7cd5e92093d9814a8ed82ceae2bcb19d70332c8f1ac003ce74f8e2a57a8ea985b7b2187f9f6
-
Filesize
1KB
MD5367fe907b632c5efe61a686a4d4d24f1
SHA143b6a0048c7f453c3c9291cdb6c149101d4d8e59
SHA256a825f5281c2f27fd33656f4eb15f98a17685b8cfe203d9b89aba9770362c7019
SHA5124ad210f7493128f48f82ef1150b0b55e67644fb2a57f5a7d0e3a652011deb6ec8cd37c6f767046b59c78d55926159456413f87a45c03baa9c8872401bbf76c76
-
Filesize
874B
MD5aecde5f96e56091fb426c0f2b8e2db2f
SHA11d380dc0b67d81c7762ad788afed2b7bdf239247
SHA2568e6a47672a361a71cc48dde38e174d3fca3e98449084cb1032e56883aa06c0ae
SHA51228a6f8e757bf9f2bea57bc59c6fb1515b616d9b721a3327aec2ad1e9846f7c3e1b6f8ed47d2cdba5cf8c012e3d0776e16d5eed34233a9d6dd6ed9a0c89351238
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e4795344310e3f4a41c8c94c3fe6a866
SHA1aaed4d457d37a0bf585297692e19cd49d4579105
SHA256d3b0140ee46cdb6b83cb2a29904792dfc940e4a555af9c73fdb155dd4a34caa2
SHA512b81ce4e6013209bc013831e3281cabbc0296fe078a49fa12558a4ebbcb47e047ee43a1ec1bf63ad955ab0ae1ec03834001ca66e2ad9afc6a57217e97f027c766
-
Filesize
10KB
MD561a5ccfba4849c64d11c01d7162184bc
SHA1e412a1e0d2f5827d8865df21ada459670b780b9d
SHA2563682a05efcb994ef7d2f03330e1b563285be08a9c9612cb812674929f69b46ff
SHA51209eba6d6440c8f5b9bc615c139fa0a143ec7c4ee3c47a908c5b05d6e0894575a1cc698a84f7333a3b0267dbf8afc68dd21ccc680136b3e2889df7a56249ff950
-
Filesize
11KB
MD5b11528bb7960a6af328e50fd670a07b9
SHA1e4fde2816f82b46ca4eac01396373da4a8ab0320
SHA2561bc7272c202348028f82ef095cbc66d33d6d7c067091cad9962b04d734928e55
SHA5122983a880e504243e36edef153e84d5d50cff4da02091c981acc3dc4804bcf07b67aabbf3a45f028cf186fd821032ef9c7559e46fe4f259fe4499830fe1e44c5b
-
Filesize
10KB
MD5 0299f65a29cee5dbdb13cdbe313dba3a
SHA1 788ae1114ef3e2e340c0f8dcee4443ff6930f99a
SHA256 ece01a1a147917fe304e04a35eaacc5c0247c27de2696cc30649a538db8e4f3a
SHA512 d7a26ea1386cee982365be9d015765bcddb819d0a6a477b9b32a7b21c9c87f5a23b2ad609ddd66f294cd1f3c010e2cb47d447db8e9662c1b9a61db835255629c
-
Filesize
11KB
MD5 387e6569c89cf0bd1bb45958fb238df7
SHA1 6aeee8b8dfff5272d39d9a0697a80ae87adc99c5
SHA256 04259cfd1ec45b0d9c8d27a3c94ad83d29f845724491c527c5fc5feb5b277df2
SHA512 d3bbc3c8f201c3d18f36cc714b6b00d50b91900a4eb5509f4d26d7bc7f2600989b9ee73397467e6717485459c6ba3bb0afdbdbeecd362bf642c7253a171c016a
-
Filesize
10KB
MD5 537e30bf5f3ab1bfbd95b39dafa194a4
SHA1 d8a478881c2ed58928620f0d18425db58e22328f
SHA256 0c5e35a3c786fd0fd5cc86003c16193b744a64c8ee3168503a75f1560607a9b1
SHA512 ade679b6c9d95c3983edcd567de27eb952ac82a2168b6a09205335775794ee7f388e293e0ca8be8fc5e8798ad9eae83db272f78b7cb7ffd04d2fcca81e319989
-
Filesize
112KB
MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
29.5MB
MD5 187b25b9e02c2b5d01a70d9d1855dd7c
SHA1 d0c7d39012ad0507239a3b060ea42cc13b22eb65
SHA256 f26803b764a54a90852b7fd274d5ced7a8a58f1715d3ab4b96900ad4f9dd0410
SHA512 bea5cec59d0ebee26a71c78dc38da47a25ea7932d119868caf82b5e4bbbcecd8969abea80ad41b65352f264ced33c457a041c0d9f321c272a8f913802ee254ed
-
Filesize
1.2MB
MD5 8ef41798df108ce9bd41382c9721b1c9
SHA1 1e6227635a12039f4d380531b032bf773f0e6de0
SHA256 bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA512 4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5 bcc0fe2b28edd2da651388f84599059b
SHA1 44d7756708aafa08730ca9dbdc01091790940a4f
SHA256 c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA512 3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
361KB
MD5 e3143e8c70427a56dac73a808cba0c79
SHA1 63556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256 b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA512 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
350KB
MD5 de69bb29d6a9dfb615a90df3580d63b1
SHA1 74446b4dcc146ce61e5216bf7efac186adf7849b
SHA256 f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc
SHA512 6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015
-
Filesize
138KB
MD5 dd43356f07fc0ce082db4e2f102747a2
SHA1 aa0782732e2d60fa668b0aadbf3447ef70b6a619
SHA256 e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6
SHA512 284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e
-
Filesize
216KB
MD5 b808181453b17f3fc1ab153bf11be197
SHA1 bce86080b7eb76783940d1ff277e2b46f231efe9
SHA256 da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd
SHA512 a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3
-
Filesize
6KB
MD5 6512e89e0cb92514ef24be43f0bf4500
SHA1 a039c51f89656d9d5c584f063b2b675a9ff44b8e
SHA256 1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0
SHA512 9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b
-
Filesize
319KB
MD5 79f1c4c312fdbb9258c2cdde3772271f
SHA1 a143434883e4ef2c0190407602b030f5c4fdf96f
SHA256 f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a
SHA512 b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9
-
Filesize
241KB
MD5 d34c13128c6c7c93af2000a45196df81
SHA1 664c821c9d2ed234aea31d8b4f17d987e4b386f1
SHA256 aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7
SHA512 91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689
-
Filesize
238KB
MD5 ad3b4fae17bcabc254df49f5e76b87a6
SHA1 1683ff029eebaffdc7a4827827da7bb361c8747e
SHA256 e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf
SHA512 3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3
-
Filesize
13.8MB
MD5 897201dc6254281404ab74aa27790a71
SHA1 9409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256 f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA512 2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
-
Filesize
183B
MD5 66f09a3993dcae94acfe39d45b553f58
SHA1 9d09f8e22d464f7021d7f713269b8169aed98682
SHA256 7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512 c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
109KB
MD5 e6a20535b636d6402164a8e2d871ef6d
SHA1 981cb1fd9361ca58f8985104e00132d1836a8736
SHA256 b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2
SHA512 35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe.config
Filesize
187B
MD5 15c8c4ba1aa574c0c00fd45bb9cce1ab
SHA1 0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256 f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA512 52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
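Added example (not part of the sandbox report and not XWorm code): a small Python parser that turns a dropped-files listing in the layout above into validated IoC records, then checks a local file against a record. It assumes the one-field-per-line layout shown on this page (entries separated by "-", an optional Windows path line, "Filesize" plus a value, and MD5/SHA1/SHA256/SHA512 lines whose label and digest may be fused by extraction). The sample input is constructed: two entries are copied from the listing above, and a third, deliberately truncated entry is invented to show how a malformed record is rejected rather than silently used as an indicator. Function and class names are the example's own.

```python
"""Parse a sandbox "dropped files" listing into validated IoC records (added
example; layout assumed from the page: "-" separates entries, fields are one
per line, and "MD5<hex>"/"Filesize187B" may arrive fused)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex-digit length each digest must have; anything else is a copy or extraction error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 * 1024}
# Longest labels first so "SHA256<hex>" is never read as "SHA1" plus garbage.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^Filesize\s*(\d+(?:\.\d+)?)\s*(B|KB|MB)$")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")

@dataclass
class DroppedFile:
    path: Optional[str] = None
    size_bytes: Optional[int] = None
    size_exact: bool = False      # only "NNNB" sizes are exact; KB/MB values are rounded
    hashes: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

def _finish(rec):
    """Flag missing or wrong-length digests so a bad record never becomes an IoC."""
    for algo, n in DIGEST_LEN.items():
        value = rec.hashes.get(algo)
        if value is None:
            rec.problems.append(f"missing {algo}")
        elif len(value) != n:
            rec.problems.append(f"{algo} has {len(value)} hex digits, expected {n}")
    return rec

def parse_listing(text):
    records, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        if line == "-":                                # entry separator
            if cur is not None and (cur.hashes or cur.path):
                records.append(_finish(cur))
            cur = DroppedFile()
            continue
        if cur is None:
            cur = DroppedFile()
        if line == "Filesize" and i < len(lines):      # two-line form: join with its value
            line, i = "Filesize" + lines[i], i + 1
        m = SIZE_LINE.match(line)
        if m:
            cur.size_bytes = int(float(m.group(1)) * UNIT[m.group(2)])
            cur.size_exact = m.group(2) == "B"
            continue
        m = HASH_LINE.match(line)
        if m:
            cur.hashes[m.group(1)] = m.group(2).lower()
            continue
        if WIN_PATH.match(line):
            cur.path = line
            continue
        cur.problems.append(f"unrecognised line: {line[:40]}")
    if cur is not None and (cur.hashes or cur.path):
        records.append(_finish(cur))
    return records

def digests_of(data):
    return {a: getattr(hashlib, a.lower())(data).hexdigest() for a in DIGEST_LEN}

def matches(rec, data):
    """True only if every digest (and the exact size, when reported) agrees; a record with problems fails closed."""
    if rec.problems or (rec.size_exact and rec.size_bytes != len(data)):
        return False
    actual = digests_of(data)
    return all(actual[algo] == value for algo, value in rec.hashes.items())

# Constructed sample: two entries copied from the listing above plus one invented,
# deliberately truncated entry to show how a malformed record is rejected.
SAMPLE = r"""
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWormLoader 5.2 x64.exe.config
Filesize187B
MD5 15c8c4ba1aa574c0c00fd45bb9cce1ab
SHA1 0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8
SHA256 f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15
SHA512 52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4
-
Filesize
1KB
MD5 deadbeef
"""
```

Records that come out with a non-empty `problems` list should be dropped from any blocklist or hunt query rather than patched by hand; a truncated or mis-copied digest is the most common way a report's IoCs become useless, and the length check catches it before the value ships. The `KB`/`MB` sizes in this report are rounded, so the parser only treats byte-denominated sizes as exact when comparing against a local file.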