xworm | 987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67

Analysis

max time kernel
592s
max time network
565s
platform
windows10-2004_x64
resource
win10v2004-20250129-it
resource tags

arch:x64arch:x86image:win10v2004-20250129-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
31/01/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6.rar
Size

21.5MB
MD5

4f57637d0aa8ed0d3055802c3a90a58d
SHA1

c8b298c0edea336ee4710a3c1da5cc7bce7467cf
SHA256

987af5ed785a0c412b8c4f829df902e82e62e21917aa7abdcc0d825b4a463c67
SHA512

5d7fae098076531f1af3447d03cfc1909cdc00cd3757132bee7d8ccb1b84d1e57d1c11066afa70c2d102fbcc5233a7e43c2ff017dc67a2cf7591a923032d54f7
SSDEEP

393216:D+N2F6y80fxdY24Xhf7QUECurlXcphU4SwUKidjxOfvP5AXyaLe39neZ:D+Nj6x+TlEUEhIXSwUbdF6pEyJ3UZ

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

zWBJQzaMFzSXPOWb

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4596-858-0x000000001B260000-0x000000001B26E000-memory.dmp	disable_win_def

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cef-276.dat	family_xworm
behavioral1/files/0x0008000000023cf7-286.dat	family_xworm
behavioral1/files/0x0008000000023cf7-685.dat	family_xworm
behavioral1/memory/4596-688-0x00000000002B0000-0x00000000002C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 5 IoCs

pid	Process
4564	Xworm V5.6.exe
4596	onedrive.exe
876	Xworm V5.6.exe
2592	onedrive.exe
3276	Xworm V5.6.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Software\Microsoft\Internet Explorer\TypedURLs	Xworm V5.6.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828237521274681"	chrome.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
3084	msedge.exe
3084	msedge.exe
4284	msedge.exe
4284	msedge.exe
1104	identity_helper.exe
1104	identity_helper.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3480	7zFM.exe
4564	Xworm V5.6.exe
876	Xworm V5.6.exe
3276	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3480	7zFM.exe
Token: 35	3480	7zFM.exe
Token: SeSecurityPrivilege	3480	7zFM.exe
Token: 33	2328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2328	AUDIODG.EXE
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe
Token: SeCreatePagefilePrivilege	1912	chrome.exe
Token: SeShutdownPrivilege	1912	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3480	7zFM.exe
3480	7zFM.exe
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
876	Xworm V5.6.exe
876	Xworm V5.6.exe
4596	onedrive.exe
4596	onedrive.exe
4596	onedrive.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4564	Xworm V5.6.exe
4564	Xworm V5.6.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
1912	chrome.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
876	Xworm V5.6.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4564	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2308	4564	Xworm V5.6.exe	98
PID 4564 wrote to memory of 2308	4564	Xworm V5.6.exe	98
PID 2308 wrote to memory of 4692	2308	vbc.exe	100
PID 2308 wrote to memory of 4692	2308	vbc.exe	100
PID 1912 wrote to memory of 4648	1912	chrome.exe	103
PID 1912 wrote to memory of 4648	1912	chrome.exe	103
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 4092	1912	chrome.exe	104
PID 1912 wrote to memory of 3160	1912	chrome.exe	105
PID 1912 wrote to memory of 3160	1912	chrome.exe	105
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106
PID 1912 wrote to memory of 3472	1912	chrome.exe	106

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm-5.6.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3480

C:\Users\Admin\Desktop\Xworm V5.6.exe
"C:\Users\Admin\Desktop\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwml3xot\pwml3xot.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91DB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc676627F8E90C4D3890384EE3332218B0.TMP"
    3⤵
    PID:4692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x294 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe0d8fcc40,0x7ffe0d8fcc4c,0x7ffe0d8fcc58
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2300,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2296 /prefetch:2
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1468,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1964,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4752,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4936,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3440,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4944,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4484,i,1022316344415040824,15437186251651251365,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0ab246f8,0x7ffe0ab24708,0x7ffe0ab24718
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --lang=it --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17329404378441120750,9561886207701028909,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2764 /prefetch:2
  2⤵
  PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Users\Admin\Desktop\onedrive.exe
"C:\Users\Admin\Desktop\onedrive.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4596

C:\Users\Admin\Desktop\Xworm V5.6.exe
"C:\Users\Admin\Desktop\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1812

C:\Users\Admin\Desktop\onedrive.exe
"C:\Users\Admin\Desktop\onedrive.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of SendNotifyMessage
PID:4492

C:\Users\Admin\Desktop\Xworm V5.6.exe
"C:\Users\Admin\Desktop\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:3276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1364

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x294 0x404
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f62afacc235feb5830e2dd164b5a9270

SHA1
5cb7dbcbab35cdecf2d67f0234e751b9e0478562

SHA256
99ad02da7a3de65e14aa35f4379b891d601a04747a8ae71435ba1f21e9f67667

SHA512
e61bc0a93787049f1cfe47df923ed2ec4d57d9c138eab55fa099def6cd09b3145dca45e51910d4e00d255f2884991ab7809d922424c31cf38008eae388c1366d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2c110460e3ae5e27861148002abdf860

SHA1
0d7458f12b414ace3b0110f40d4837d75318bbf4

SHA256
7662232ac642befc9e3856f325cc5ed2bdbb65a5e84538347c5bf39c3dad6b7e

SHA512
03c90e2e76ed355c700b1d6674c447661030117452196916685b7d61f5216d5439967ccda6a7f40fc13c76da687aaddd61ca9a4d1aa73224f75700e3e7d8217a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ba78c2c6d2e6b5871a43270968ae2682

SHA1
8f18c266aaac4184d200615e9adc95f08743e6b9

SHA256
665b151f1ce154c4a1f243fdc260b2a5d3e5fd4d3ed35be5994f68e5795ab56b

SHA512
1b68bccd3316f63e5194e5eb1b1554e827fcc9f62818d755e82563799c8ebc9601987aa12b07f5167445ed8af0dac3480981af08a6861a98a4128bdba50a2188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2b4e95c1c0fe2ab13a26be0417627ff4

SHA1
08dde2f7cc36a9aa2c4ec8bbcd6ae6ca927134df

SHA256
b80cb791302663f83909f1f11981d1823b683fd3157a4c1493a3a2a7bf3bffb2

SHA512
9203bdde099d89b0de74c132673e2d07fd3ce20738df06abcde63dba66477c10f0e4b182d151d0783d8b3d40b493529c78630792da3ed64e5dd46ff51636dc7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5d64c6be99318a1b2e8bcec9a965e087

SHA1
32701245bf8d416555a09a9963fecc9db9becf70

SHA256
985244a43b8226d5834ecfa75420d2c71071f86743f46c1334d578797e1a4096

SHA512
60bd65e1212ebc8a4223eff1bce5e9b729395418bc375966a26ef61c597ff3d273f0af8c88da3bf77039387be995c269f43fd4f28552d0d520a8d85ecef2478c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fcdbf1cc08e4a7ceae656bfd94245ee0

SHA1
c4f3149b52e3f47c1e30a2183043a408f65e7cb7

SHA256
bb9cd399225a234c3a90759d5203224dafaa6923a93c0416959af654871e9ad7

SHA512
ac201c884964472b28c9f739e1006b8dcb76ae38dc0673cecc11cfa5352272511e7efdfd5e65addf9962e218cef37dcbbe7a10adc7a4bfbe5a54418949d62c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9a63d25bb396dd3f2be64b984b4caac8

SHA1
e72979fddb3044d846222fb726b10b9d9e4dbe0c

SHA256
8f6a0329de14a169648cd31ab3536ad973ca707f4a8cfe9690fc00669b3280e6

SHA512
62de8c887950249370e1c0adc8524b3e4e289cb74cf02744d7d4be87fc759ab669fca7290bbe1411f3fd9bfee8465d315ef42826f70f9e2007d977c9f49c1136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
996482901f1ff7e4b648b173efe71f42

SHA1
676a6b1d86fc8f0ada5901eeb26d324450002d28

SHA256
14bf938b852e33784005cb12fcb5753c17e461b30c96f5f3d650991a8a4889e9

SHA512
40e932e002fdf2961ba1e283a0d86602f7d7a78477be67632eee9aef78d7a516e2716a6bbc4736522a5409b9634291bb4e883e6b055814f2d4cf3d977ba7d7d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
d8af5333500d4ae3a3b5d156c04d1e5e

SHA1
5856a3069ee866332b2505485d014cb5be9cfaf3

SHA256
ce35c55f0df49935d68a2d6fd58872ce173a0a9f8134712f216b6d8b9f050edf

SHA512
8ff043a1afc3ef14c163ba73d6fa9ba0797d5cc18d9b3f3fca6a5a0dd513eec5be1c71b00a68ee659b0e4b4e0bea356fb5e5dc7476c5f2ec4f477b43f765d7f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
dac1801f1d122cb104b5d6718863e439

SHA1
d3e3a59d36b5a5690cbf90cf65beb5f42287f42f

SHA256
26c486e8bfccbf3be4231787ad58e2b2a7a43ceac0c52ed9d42ee604404edf26

SHA512
783eb743b07dd3fd9ccf5204f37e3a920bce5f57e81da6c3e00b03f9ab75d9c35454cd8a140d0c9180807f6f6f624c1edab98ab06ac5ae00132d24c6ee0ffa52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
e7b219baece5f85911a86a9a08e6e69b

SHA1
c37071723ef1283440c7c01b2b385b662466a005

SHA256
d9684028dfec321bc62a5a714ef6aaba39ec298ce8092870474f546d7de2d8cc

SHA512
1b4dab25ece9ea5eca280de802f8df74fe7925d5fe4773e547cf4d1d21059da094afb26f8f512901f2e18ca52de83ce0d7ae9009cfb47f16af6f5a8cc999e486

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
c4bfd9243f1cffba4bcbb15cc023ddb1

SHA1
98c6e5e889b094a235f2b2427dd9c3c8aa555f2d

SHA256
5fc048eaab33eea01c65f3817fd70d804a95fb775d81e54f3780c9580d703124

SHA512
dd62fc0ca69a347d5e3d4f88383fa7c049c4b9cd1854dc2a52d4c3bafed16b57fc14fa013ee6cd6aa32dcd59fc08903068fdb87be9ced785aae3eff4f3a5c5fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3bc292305153ed3819d4d094cfb5b01d

SHA1
fd1df18ccd820ed8b73a9a544671b17f8d742fe3

SHA256
6b15e20a058ffe2badcfb12d419793b7222eab797988b4c6edd362e4ee78ec85

SHA512
2ec4f8d5604ba2d4e45dc2720ad954831a0dadfed42d3d59f244124e422a2ae2b34d673d932b219ca0cb4f2860794611a69eb31af804da1613a433007d567dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ae36c286dd7e828b1ef8363cfa62077b

SHA1
c90e6159c14c825f443ca0c7e7155946d560f622

SHA256
7bcd24a534988e280585b667edb540b386aeea6ca49e3b63de2b44a37d05f85b

SHA512
4d10b406e00261aa4ca526cc089b82761a8c6b9ffd1b7846e07b5b9a83a44a373c06a5026e25755defd870c4a69dabc83be08cf0205b3fbb61c128a15bc3c665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
838B

MD5
1e58ff1cca23a477ae6bd637abc1b234

SHA1
75525843961b71f5c04c8e703457c4a071623e43

SHA256
801d9ccdb588618b824676cb4561c667216a6c93f903fc568ef2aafccc44cdc8

SHA512
3a7971e9ca74adb799f88930804fb4d21d82d4f524c6e0190f5b540c2207c1b4c212fb7043c2d46cc13598983a04597180facb21ef62dc40da98a49d2bef9700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33eb459a3b9035bb8233bceb19b1d321

SHA1
570c093898ac7709b3704157e70c576d43d9585d

SHA256
79c5edb6db72addf7a2f99bd54ace86de4b4407a5343d1f14403d95a91d4652e

SHA512
3ae84eccbecff29a25b28bc878eefa41fc0b77c3cc2eaa23b67ba51574a69bba9d5e526dc9ff7f01e3e981940fa5b89195ececcee4d99c3fcb613cfbdd4fab2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
038d0300100fe296bdf9d9cb50b65c73

SHA1
9410c8dd8976a9ba6ca21329721e22786639ba4a

SHA256
a0a556857321512d5405359c65ac56510b6b8600756e9ea1ba49d960404f7a32

SHA512
d033719d5f313416d5e23b9fd177a36e37aa82c244d68a1eacb77415534698cb4b7f41f1f44b95649bd7ab6de057229c4ac2d0b7aabec001318e9dec7197c8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e71a41197d0d3ef0aebf41dd96517756

SHA1
384749917d4df88cd6fcca9e38c0e896670c7321

SHA256
a2c2a875b439882a37b2a1b66642db00861b657504238d056d9cbf503a4922f1

SHA512
8b9b0622110d7f51bf4bead7f9be8e92056c4b5a618f4d6623e8c3fdd73091de3663a1c36d7d82796c43d3f35a8be087ad25b19361bde1365033024cb51d45ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6b9a1467a0965e071cc19cee59db2a8c

SHA1
85c411f4e4d46e46027210297352ea10b3f87107

SHA256
c4bf93b03b832ce176a73b9efbd3f95b09c842b16f67205af8768b4c30227371

SHA512
7f372fff44e3ef3bfbf26f6998455ef8bbd44056e211f02cf6c18005bf7ce9a059d4a05c33bfdac2f518fb104f1e6ed6cf0301eee287bcc75a462bb454d29dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f7ccc6e29d8cdf8f42d0de462bc07f87

SHA1
c02879a927a6e72bb9f39dd750c946661e101e50

SHA256
9fb4ce7a1f7c6dd79c76b9890feb57c7983273c52c506dc6b99274e2afee1915

SHA512
4cd10471500ff0fa907805ab34630dcd281b16ad09905e82eb123fe40c9bb43d3fee49b312c8591441fa2bdbaa1a854fc2a5ef5d1642f8e88b4166f0854891ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6890c3486bf4ceb06df70fbd81178c5

SHA1
ef05fc996106ad09bd737d65987ea6c9e1528c2e

SHA256
1672e178038c7ab21b28d6590a2b4878c208812e1d5530b72bc0661ec6a8cef9

SHA512
c886e5c1e3534c968548f7f3b4efa5b1eb040cfaf3895e89e4cc13761171219f3da090dd6cace97e07259fa8036fb36e4d9a96efc03a69ea000ed43fdfe48f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d9fb.TMP

Filesize
872B

MD5
a9f6e7954c66cb6841e4b407df30f63a

SHA1
ef1fe45ec2927eea2e3049790c9791c03f7f1d5b

SHA256
1f39aea2cf89203b2089890f813b33587ab8cb91f73efccf71072ea26ffa0d85

SHA512
8b2651b4f4ac207b56082a3fb453ec373917d526d3403b98ce8679b9adcd68e6722dc580e2f146a564510411069fef601536b267603b03c30aabbe1206d8ca1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
deee5dbd52648f11a0ee86827d434d69

SHA1
6e092bcd4b0355805e3bdabbc9d1d0ebc96c7516

SHA256
994c2037417499ebc23568bbb318c0ab65215ba8f2439321c062f4887aa2d46c

SHA512
98fac11f11a826f94c9c11054e38a9d3246e535dff1d9c2b5acca79c3a8f22a189c52a9ac0c45eb7c802f0e487345126263a43be49228aa7386c5034b2eebd14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d880262d78b846da071c3199ae8c1e3

SHA1
58b408c0ad735774ccf775905c20d8e6cfaa9baa

SHA256
000a42f0390adabad42e590940329127228f9a13a3f08ea16e3fbf967b3fdd7c

SHA512
70d01240d8b1610d9696001001509e48ed2fd068c69ea25e350c7e18c4f0152f54b9fba2614498f6a84955d399ef1dcba4108c485a5d6c0271738e170cc07257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d124f5198bcb372cbaa5664f9731be36

SHA1
1ba7bbce65b6dd1fe5e6f4f850c7df72931170c5

SHA256
5c2219239e433cbb9ea568210d6e2f9cbe1fc06da9f38c3e5ddc0b65fd900086

SHA512
ceaa4433a57db5d6a70a4b7dbbb9d769a8bfcd950e351b8930f2a4328e2c32d6da870ad84577484fe933351285422d6de8286e75f87b6df792ec1d4161d89da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
add2c33110b5b9ff8e7e7248b3cfde72

SHA1
4f64d2930b2e44de9de7f37933973da021648523

SHA256
1faa2e19ec6005cfd73b9bc4a0bcb0402d31487a823be746d243dcec7dd4f548

SHA512
3618a6d5fe56e380fd6be4f0174a28a1ec4b5687e6bb6adf1faafba5f24023b55b967b0d450271ca576b7b1162f622e15d028ca4134c4114f6798a9c1f069614

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE89DD5C87\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91DB.tmp

Filesize
1KB

MD5
a5570832931df9717bef7c85da69a473

SHA1
96cb8a2069c2a3c7925408f1918cb5756fff2374

SHA256
2a5c36eecfdd7748b6b7a8a18acf3a592ffd89f6b3aaad7cee2caaf7e7425549

SHA512
e54260ed8257232e8c445d50a64d8ea00ea43cb7fb68890cf60f91dc1789d2a38d3dc23700f1a942e6ddb18c4437008561758544243cac4425c1ac80d3d8add9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwml3xot\pwml3xot.0.vb

Filesize
78KB

MD5
a3daf47693e4b902512bd853b04f308c

SHA1
5ac48b016aa6dec97ef454a0aa88b583573ae798

SHA256
4ab198779841b765562239029a5c45a03bba4428c18c6f3af7b51327cfcd94f7

SHA512
ccebdd7e2a494e81d7011b87800c90f279fcf63f583e4b00507393e3443c778bb75bc30ce70920d9f162475bad44cae7c19e0281700b75ddf3c49bdeaf25e84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwml3xot\pwml3xot.cmdline

Filesize
291B

MD5
6c091c0f5c9b749c3620d1539a826ef3

SHA1
9abe96c25043135a2ea79917738b20eb4860a07f

SHA256
9dec21f8a083be04b3baa90c90e98e0eca35a65f946c1700499d70081069fb9a

SHA512
d16b605ffabcd3846891a5dd9373d536f1cea92a0b0076769d7cf6b1c6e353e5a7329b736c18c47e12c0ade98c3becad8096375527d45d9d7796a98a26f21a51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc676627F8E90C4D3890384EE3332218B0.TMP

Filesize
1KB

MD5
fc07e7a2fde7316b2401ccda3a93937d

SHA1
0c24bc9ec821dbcb1eea4552d2ef260bf23dcaf3

SHA256
a4351deaa17a5de0ed162fa11571a14adcaa5903481c13707772f6100b52164c

SHA512
528ba9aeb3c72f3834109cf1ca5935cbbd2548b4177d909c39379309d81b5635809082acdad36eb1e28b53623d61bfac16b0614b9a8867245f128890b67114e0

Download Submit
C:\Users\Admin\Desktop\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
5a766a4991515011983ceddf7714b70b

SHA1
4eb00ae7fe780fa4fe94cedbf6052983f5fd138b

SHA256
567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52

SHA512
4bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8

Download Submit
C:\Users\Admin\Desktop\Plugins\Chat.dll

Filesize
18KB

MD5
59f75c7ffaccf9878a9d39e224a65adf

SHA1
46b0f61a07e85e3b54b728d9d7142ddc73c9d74b

SHA256
aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492

SHA512
80056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8

Download Submit
C:\Users\Admin\Desktop\Plugins\Chromium.dll

Filesize
32KB

MD5
edb2f0d0eb08dcd78b3ddf87a847de01

SHA1
cc23d101f917cad3664f8c1fa0788a89e03a669c

SHA256
b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982

SHA512
8f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3

Download Submit
C:\Users\Admin\Desktop\Plugins\Clipboard.dll

Filesize
14KB

MD5
831eb0de839fc13de0abab64fe1e06e7

SHA1
53aad63a8b6fc9e35c814c55be9992abc92a1b54

SHA256
e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959

SHA512
2f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee

Download Submit
C:\Users\Admin\Desktop\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Desktop\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Desktop\Plugins\FilesSearcher.dll

Filesize
478KB

MD5
6f8f1621c16ac0976600146d2217e9d2

SHA1
b6aa233b93aae0a17ee8787576bf0fbc05cedde4

SHA256
e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b

SHA512
eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a

Download Submit
C:\Users\Admin\Desktop\Plugins\HBrowser.dll

Filesize
25KB

MD5
f0e921f2f850b7ec094036d20ff9be9b

SHA1
3b2d76d06470580858cc572257491e32d4b021c0

SHA256
75e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c

SHA512
16028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3

Download Submit
C:\Users\Admin\Desktop\Plugins\HRDP.dll

Filesize
1.7MB

MD5
f27b6e8cf5afa8771c679b7a79e11a08

SHA1
6c3fcf45e35aaf6b747f29a06108093c284100da

SHA256
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

SHA512
0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

Download Submit
C:\Users\Admin\Desktop\Plugins\HVNC.dll

Filesize
58KB

MD5
30eb33588670191b4e74a0a05eecf191

SHA1
08760620ef080bb75c253ba80e97322c187a6b9f

SHA256
3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96

SHA512
820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

Download Submit
C:\Users\Admin\Desktop\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
065f0830d1e36f8f44702b0f567082e8

SHA1
724c33558fcc8ecd86ee56335e8f6eb5bfeac0db

SHA256
285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4

SHA512
bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

Download Submit
C:\Users\Admin\Desktop\Plugins\HiddenApps.dll

Filesize
45KB

MD5
ba2141a7aefa1a80e2091bf7c2ca72db

SHA1
9047b546ce9c0ea2c36d24a10eb31516a24a047d

SHA256
6a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea

SHA512
91e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c

Download Submit
C:\Users\Admin\Desktop\Plugins\Performance.dll

Filesize
16KB

MD5
1841c479da7efd24521579053efcf440

SHA1
0aacfd06c7223b988584a381cb10d6c3f462fc6a

SHA256
043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735

SHA512
3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

Download Submit
C:\Users\Admin\Desktop\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Desktop\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Desktop\onedrive.exe

Filesize
32KB

MD5
1d85e76bfb248484e66ce9b691871bb4

SHA1
4966598c1cd175d68d8a2437b474d627dee47981

SHA256
1a93dea0cb53e84a7f8a13427c20c5b8a20f0bf21d25f4000beb4cd6af2a8e56

SHA512
17bdc6a7327d329d86fa2addb9c9a7eaeabe2b74adf57da54cf7c0b57110b40c6e7a11e08ea1fe58b9d98f784b00d347dafc6d42bb7fc4326c36561cb0b6e5f4

Download Submit
C:\Users\Admin\Desktop\onedrive.exe

Filesize
42KB

MD5
8595bc5e23a413b8e77908b08131c85f

SHA1
996b31e4e5868559fe42b555b33df0419747a000

SHA256
73c8be2cd24ce1fd40eb7726569908eb7a4554e4b00087c2cf55165b322364de

SHA512
c8a5f0ccb408a7c9ddea7d55390691edc1dcf2e0605243e7b709e886163d0b0e5f2cc632125751aed94f37b4154ec425d1abc1fac4cfa991f18be2144f2a7962

Download Submit
memory/876-753-0x0000018FF4440000-0x0000018FF4722000-memory.dmp

Filesize
2.9MB

Download
memory/876-751-0x0000018FF24B0000-0x0000018FF24DC000-memory.dmp

Filesize
176KB

Download
memory/876-766-0x0000018FF2420000-0x0000018FF2432000-memory.dmp

Filesize
72KB

Download
memory/876-755-0x0000018FF28B0000-0x0000018FF2962000-memory.dmp

Filesize
712KB

Download
memory/876-749-0x0000018FF2510000-0x0000018FF2592000-memory.dmp

Filesize
520KB

Download
memory/4492-860-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-861-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-862-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-872-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-871-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-870-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-869-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-868-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-867-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4492-866-0x00000238C5C80000-0x00000238C5C81000-memory.dmp

Filesize
4KB

Download
memory/4564-268-0x000002B6B8F10000-0x000002B6B8FB9000-memory.dmp

Filesize
676KB

Download
memory/4564-262-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-269-0x000002B6B8F10000-0x000002B6B8FB9000-memory.dmp

Filesize
676KB

Download
memory/4564-289-0x000002B6B8F10000-0x000002B6B8FB9000-memory.dmp

Filesize
676KB

Download
memory/4564-259-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-258-0x000002B6BB040000-0x000002B6BB234000-memory.dmp

Filesize
2.0MB

Download
memory/4564-290-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-267-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-266-0x000002B6C0B40000-0x000002B6C0CCC000-memory.dmp

Filesize
1.5MB

Download
memory/4564-256-0x000002B6BA2F0000-0x000002B6BA3F2000-memory.dmp

Filesize
1.0MB

Download
memory/4564-255-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-254-0x000002B69D750000-0x000002B69E638000-memory.dmp

Filesize
14.9MB

Download
memory/4564-253-0x00007FFDFCD83000-0x00007FFDFCD85000-memory.dmp

Filesize
8KB

Download
memory/4564-261-0x00007FFDFCD83000-0x00007FFDFCD85000-memory.dmp

Filesize
8KB

Download
memory/4564-265-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-263-0x00007FFDFCD80000-0x00007FFDFD841000-memory.dmp

Filesize
10.8MB

Download
memory/4564-271-0x000002B6C2400000-0x000002B6C2568000-memory.dmp

Filesize
1.4MB

Download
memory/4596-859-0x000000001E5A0000-0x000000001E8F0000-memory.dmp

Filesize
3.3MB

Download
memory/4596-858-0x000000001B260000-0x000000001B26E000-memory.dmp

Filesize
56KB

Download
memory/4596-856-0x000000001B250000-0x000000001B25C000-memory.dmp

Filesize
48KB

Download
memory/4596-855-0x000000001E9D0000-0x000000001EEF8000-memory.dmp

Filesize
5.2MB

Download
memory/4596-854-0x000000001BD00000-0x000000001BD0A000-memory.dmp

Filesize
40KB

Download
memory/4596-778-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/4596-688-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download