xworm | d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

max time kernel
160s
max time network
163s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-02-2025 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.txt
Size

18B
MD5

5b3f97d48c8751bd031b7ea53545bdb6
SHA1

88be3374c62f23406ec83bb11279f8423bd3f88d
SHA256

d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b
SHA512

ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

89.213.177.102:5552

Attributes

Install_directory
%Public%
install_file
WINDOWN.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001700000002aca2-795.dat	family_xworm
behavioral1/memory/2004-802-0x00000000000B0000-0x00000000000C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5280	powershell.exe
396	powershell.exe
4832	powershell.exe
4816	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDOWN.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WINDOWN.lnk	XClient.exe

Executes dropped EXE 19 IoCs

pid	Process
2004	XClient.exe
3108	XClient.exe
2016	XClient.exe
224	XClient.exe
5724	XClient.exe
3140	XClient.exe
3920	XClient.exe
3348	XClient.exe
5432	XClient.exe
684	XClient.exe
4820	XClient.exe
5264	XClient.exe
4568	XClient.exe
1004	WINDOWN.exe
3268	XClient.exe
5496	XClient.exe
6056	XClient.exe
5616	XClient.exe
5384	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINDOWN = "C:\\Users\\Public\\WINDOWN.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
2	camo.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829803621937926"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm-5.6-main.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm-V5.4-main.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3052	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5988	chrome.exe
5988	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
1568	chrome.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
4832	powershell.exe
4832	powershell.exe
4832	powershell.exe
4816	powershell.exe
4816	powershell.exe
4816	powershell.exe
2004	XClient.exe
2004	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe
Token: SeShutdownPrivilege	5988	chrome.exe
Token: SeCreatePagefilePrivilege	5988	chrome.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe
5988	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 3052	924	cmd.exe	78
PID 924 wrote to memory of 3052	924	cmd.exe	78
PID 5988 wrote to memory of 5944	5988	chrome.exe	82
PID 5988 wrote to memory of 5944	5988	chrome.exe	82
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3116	5988	chrome.exe	83
PID 5988 wrote to memory of 3844	5988	chrome.exe	84
PID 5988 wrote to memory of 3844	5988	chrome.exe	84
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85
PID 5988 wrote to memory of 1856	5988	chrome.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\test.txt
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\test.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82a94cc40,0x7ff82a94cc4c,0x7ff82a94cc58
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3608,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4300,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3512,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  PID:5308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5012,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3508,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4384 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5420,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5272,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=872 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5244,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4896,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5732,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5940,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5964,i,2658948266308884349,16762336268566512843,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\r3adm3.txt
1⤵
PID:920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\r3adm3.txt
1⤵
PID:1924

C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
"C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
1⤵
PID:1400
- C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
  "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WINDOWN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WINDOWN.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4816
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WINDOWN" /tr "C:\Users\Public\WINDOWN.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2696
- C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
  "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
  2⤵
  PID:3668
- - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
    "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
    3⤵
    - Executes dropped EXE
    PID:3108
- - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
    "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
    3⤵
    PID:5800
  - - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
      "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
      4⤵
      Executes dropped EXE
      PID:2016
  - - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
      "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
      4⤵
      PID:5184
    - - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        5⤵
        Executes dropped EXE
        
        PID:224
    - - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        5⤵
        
        PID:5388
      - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        6⤵
        Executes dropped EXE
        
        PID:5724
      - C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        6⤵
        
        PID:1120
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        7⤵
        Executes dropped EXE
        
        PID:3140
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        7⤵
        
        PID:2020
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        8⤵
        Executes dropped EXE
        
        PID:3920
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        8⤵
        
        PID:752
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        9⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        9⤵
        
        PID:5948
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        10⤵
        Executes dropped EXE
        
        PID:5432
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        10⤵
        
        PID:3488
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        11⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        11⤵
        
        PID:5868
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        12⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        12⤵
        
        PID:1740
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        13⤵
        Executes dropped EXE
        
        PID:5264
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        13⤵
        
        PID:4944
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        14⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        14⤵
        
        PID:1092
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        15⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        15⤵
        
        PID:4692
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        16⤵
        Executes dropped EXE
        
        PID:5496
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        16⤵
        
        PID:2676
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        17⤵
        Executes dropped EXE
        
        PID:6056
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        17⤵
        
        PID:2712
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        18⤵
        Executes dropped EXE
        
        PID:5616
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        18⤵
        
        PID:3024
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        19⤵
        Executes dropped EXE
        
        PID:5384
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        19⤵
        
        PID:1216
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        20⤵
        
        PID:4920
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        20⤵
        
        PID:3264
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        21⤵
        
        PID:836
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        21⤵
        
        PID:2388
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        22⤵
        
        PID:1924
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        22⤵
        
        PID:1516
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        23⤵
        
        PID:4656
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        23⤵
        
        PID:3948
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        24⤵
        
        PID:224
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        24⤵
        
        PID:3008
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        25⤵
        
        PID:3968
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XWorm V5.4.exe"
        25⤵
        
        PID:4072
        
        C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe
        
        "C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe"
        26⤵
        
        PID:5724

C:\Users\Public\WINDOWN.exe
C:\Users\Public\WINDOWN.exe
1⤵
- Executes dropped EXE
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
abbc300244254ae73aedde0e6bd20ee3

SHA1
55500e1c096a0f9d119c00e69a30911b025ec58e

SHA256
57417a2b6986dab460335957d7a5fd71ed1762ca146e249bbf52453edcdc423b

SHA512
e1d24b4afd849d12b5747e34bcd5a67d54c0ac592a33b1194aa8dbf7229a8dd90997e07991bd935277dd2a41b9d530d9d3e156f11b03cebdb0edf4600a6b1b77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000030

Filesize
22KB

MD5
9b5558381a28d410bf93be576c4e1ec6

SHA1
67c25103d7e61f1b482a665fa0d86921876765d4

SHA256
0adaedd1b52daea4ac19cbe9c095eeab8d4f288c1eef838aa416308580cbc665

SHA512
aaf3b065030b0fb7c5a689d4c44d5cc2cb0ca6a79ce7cdeca3c745c01bf4f64e44de2ddf8e06cbb35eafe0e7a005a34178c4185a5d4cd4fdab6fdc20df44e0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000031

Filesize
18KB

MD5
ec02df94928186d3c6b59ce65f9000a3

SHA1
ff25873724d5bee7c3a1b0f70853f3f4db93056c

SHA256
31d2638dfacb6328063cfadac99239427e0eee86cd28e2deddfe4daa39c55674

SHA512
69ddeb0dd61ed03bc060b9399504988ee0c72c4de46e3a6efc967bb3686a593dca9362121d9b5106e9f2e355238614c5d108cf28354b53e5aff6f5e2e112b873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000043

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
1d3fee1e657ac19987e0434b7fe0e649

SHA1
25e6de702784617a91a5d1e12e2c998b9902da9b

SHA256
c6097d57899f7835fcae01d5663d2916b5304f8dc7cdd24e953a5cf6663acafb

SHA512
3b6df1220cdf54e00116e7bc3e7a555e9b2ceb11b498dafb8339d39eba766325422c0d6d3214606d517e57a2cc3b18a5beeeab7158b6c74cb11a86747584dc38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5d25df70943d7383ec072dead8aa3932

SHA1
76cb9cb52a073c39e5aa0760c7cc276900f00aeb

SHA256
d6e2fec505cb179841fd5da1a23f5bde10da7270d9f87baa448a062e9e669d27

SHA512
2fe807ef3ced447186aa5a23d6eaaeae0743706f255543697778ee8e69f4862b2e65fdc6c24b2dd0407fe1e4be6647bdf8fc31a4dccb82090d747e634547b3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
96d90b269794d158a3ce58440ce55a6c

SHA1
a217378c228e178daf9079e32664d2558c540af2

SHA256
88db08a725dedc9e289d2ed5c592eff29c85f507adbe6eae522c85572cf485de

SHA512
8e43d29f4b0ef207ed24f7edfd103af79087d69f001827a59036bed56b23d51ee36adc42136b49fed2f8c33e074ba87ce7d491db7a52252d10fcbddc7f5ca5da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e29a8437ba959a15303acb57cfe42ab6

SHA1
21c05b62ffa82928544a85fd29ac715b39a5322c

SHA256
e943120e7f58b60afaca0509c88ec0b783821a416ee49fe7753e2db46cab74e6

SHA512
c7059ac71d67c84e86a5d777e1ceff3eb4679254803a98748fe62be3ca5fc049d051cc35c02c2a4fae2ee54eb65239c16b283120a496113432f3ce180ecc9439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
df6f5c9befd0e34a579c4d8121d00a35

SHA1
0c2dbe591e77dddfdb61e62271a873bd4d1bb3df

SHA256
49c9933f8294aa3810a94e94d45fca5492da396caeaed6c89539554c87d18df8

SHA512
595e9f2001f9a003a4ce5655a357f65547c9d79e2f3878a10bc0a2fad1886e58a30c762574de3fa64b8bb381dcd718faed8c621e5bbfc5033c9aa2bdf0196c5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d4235ce03f550c1dacaac65fb08434de

SHA1
41b2c49c183f34044acf976b7193ab53839422d5

SHA256
4dc53591ee28d28797c84f7bc4ae8e43c58f68e99e98bff327ea5b442be35362

SHA512
bee797c356c93de3e5343b79d4283e73a0e8dcb52043a1085a7221f4a373f85e9e8a4afd9b90a2575ada29d6ab96d006ad386ffa8ac8182847f5166c69d713ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
4566288f6cd1a983152e3a149b980a23

SHA1
8f078a15ea4befc60c452d6f7c6057c681ba4f64

SHA256
37a6df8e750590353f6a11577fc9f3b532230c2d6f3a2184ea697633f416e9e8

SHA512
d25d212762808e5be264f65be6efba484e0b815932df83a5273ca69eb4cc9da1b7997df58199f207881e22e8357dcc5c0d4ebb157c787779fd188b19adf9e29a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
35066827618e9ef97f4c8427ad694299

SHA1
96377a64fabd0a302b45a3b5946f6b63f89d7734

SHA256
beb3288bec17700e4c1aea94365b90d56a5f723fca51142075ae2f20ee8976ad

SHA512
e59ef91d777b654a47f44d1129aa461197cc852995f150b579520bcbd617b3a973f36d6364ca0746f78f88aa60cb6aa518ce08fb4c7748c13681384cef373ad8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5128036c09abdabe4b42abf509e69e5c

SHA1
22325030924f357e7b9fc050445dacd72a72f1f7

SHA256
241ab4540afd47af090f6189608af6d5cc5474b20400edc8846d334d310fcfb8

SHA512
11c4cfb215fa74d9b1947f20f5b624f0903213fdc0eaf2f9982fed496c21fc0f6f805ca74c16b4126ade0aa2f2959fd2c33abd017c8e231c4f71f81dcacd6fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de4e1d347da44a46c259a98e1c35b6c2

SHA1
9e9c2ac8144dd0bc0c0da4a060931bf06a8d5888

SHA256
ec9c8403c12ddc9852c3394d3b349f2c4e5b61cc484a05d00471e6545c2fca6b

SHA512
f874c4cab6fb2676931db2a8232d4555df739dff59117f7b23526dec5167b80764d685cd5ab23d35ddb94d458d9f1fa4431ec0196e11f8a5c6bab5c485964321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d27dc344bd549e9b9c00c1d0eb06aedd

SHA1
1c04e10ab94f894f51428eb3770dd12a27dc4c07

SHA256
046359276f3a43eb20f3d9ccd9e0e9cc7c00c62ba30d977c764a852faedbd831

SHA512
0eb5c12587a2bf32ac882233a9fbb352566b4a5ab3cc70e699aa21ee35a9da82d4067803d5b6a34934b79cf844bbb2efe0a2268eb2cb7fb581246e98acb84fc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
80a95efeae445010d4f08a44ddc02d66

SHA1
f654d5e874663e1820f9f3f22315897fee9251ee

SHA256
6fbbdc107331f7640de7e585d5caa39b684e3230c42a43f71b6f10b1a218cb2d

SHA512
4c77badaec866f77abcc118f447f7a7b47a5cd489416ac06ebac698c7d24de9f52222f676124850f061cfda7ab34e7d82293449b81bdca9191a4e63ee9c1cb39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a4799c1d041d6f0f24d99767048190f8

SHA1
23e395cb5d18bb69723c939ae127cce154ee38c7

SHA256
feb8c660bff70d0c2eead0e62ac4d13783d5bc5d69a56907cd9a841f3d2ddc16

SHA512
3d1702083c07c5f91ecdb9d781e6a16c73058c9c1b4ba1eaaa9f8ef5776f99ff34d30693bdfdfed52444cd478f08e48f69129fe62851d278801c70978e36b4d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9681b0905db61e3e5d4b3d2f9008563f

SHA1
471428b89c4954bc9e8c3bbd4961a0c2da301da2

SHA256
109c4c272025783752223047aba4d0e9548ef5bfaa0dc6effabaccba64419172

SHA512
5fb92a5ed00091f12740a0c5f9c67f55535c50c51c3da770ec2e6051f4b1b6661863072c70455b1ccfd66ea1dd761e1d75a87853d53bdea2f7f2ce40513d8e27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f1d9b2b10aabe1a7c3323822a94022bb

SHA1
55cd2de7aa8750e4f5b98aa070e65b4cd0d9ff58

SHA256
46b6f57101ca63033c9ead1261bf3713a92213c5898d763230bedadb65556615

SHA512
67f851283f3d9888a743fe25cfaf920ae45fad737198a0701d1a33a27e23f6ae2354b63688294e97157c5581f5f6b66959c2a5d4862434ed686f75071bca9f92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d7f7e848ede2aedc40d4b14183a8bcc7

SHA1
ed2e0dd3ea6477b19490694db089d993513ac679

SHA256
ce6dc2dacdb9a98cd4c7f5403c526705be18ba4c8f8e8bef6286a2794a515026

SHA512
e2e13213d98d125c7822914d7dc914c2590b795f73d0820d5e06e982745f40336db0052651405510a3944af5af7b34ed1dc74ad1ea33dd87cbbcdcd4cd4d9c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
947280702db2151df0538141a828cf3a

SHA1
dd511399e761acabd0a30c3236c60f65539820ee

SHA256
342e9884568c793f588eab449ad110a05f2ea894c1df373b4d482f254dbbaaea

SHA512
b5e80078e2788a6d8fe5795f454455764437c73d1bcb53f976a190b09ea925f91b232a4b53810e0f5731b739469c34e7b285ab655a951d8636a8801e3a74eb79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53138fe81e2a985b3ac37ab4bd850136

SHA1
377a3029bbfd71edfde5147c7e6e672490c053a0

SHA256
1eb93512f65f7668c49c344c081f118e64787c62db1f72677327889e14c04c76

SHA512
ecfaf7c9c0ef444c67a299fb05e3549152028830d078e03fc4c35fb87e1bf3d974359f9c38e1471e13ab1f01fd10611962d2665aa4cead93657083c789aa7506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f76433f090b93815e907d4ca6fdd075e

SHA1
55e7deeeb364eb76b9ae304b52b55b43613a329e

SHA256
597ee226fc7521f887d38f693a351cbf3e17426d5278630142886e230f94cee8

SHA512
f7416256852377c7fa63751aa8d89f9ade01c7bb376cc9948b05f12558e9e8851815e1ceb2e8938af774dd8b64e2625802e36e2da2211ff0d65257b22bb202eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db656bfa3c72e53c5f9e81a322f85f3d

SHA1
5b324cea8951dec2bdfb8e09f106c9b4cfc0a110

SHA256
276bdbdb7adf543c0e897bded1927cabe712765fc388ae65f99f1d6b7a0ee798

SHA512
7cfa242b628842e9c1334acc46b603f939179df8144c54f6742aff4b8f8919e806411e065124d2acedfd5ee32de0759f139396e314244b76f02f077f4711aa97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
87930c766245cd1939c3d15204c5f4b4

SHA1
8a390a75acc5a29eb5a63c1120024b0dd4a7ef18

SHA256
34412092a5b995ae9f8b0113738227319c3473a841369c8173b35933241ffd8f

SHA512
cb1a71a88a2010f0d8ad939a3def6954785614d1bc98bbd68615040f7ca6f70bd4874b19201c43b6788e834448731815e06c9a265ef7865818c35c5a1833e7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
53cb64667316e6a55cd62bac13674266

SHA1
1c9106aa62da910f2d2df890b5512db8d099cdde

SHA256
1f52749c8dc9d11e76fdc21c6595cd33bc060834fe8d0e92325d697832b1b3e6

SHA512
7fd6e9fbc1066961eeb7cf27670cbd1ecc4de18e312729adf84f6dd684026bb0c9c68642952a65b0a58982632ce9a28b97d8818fc1f6fd962f3348584ce60bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f69570fb690f7e753900f022a114d73

SHA1
40f8d829bb927e374aeb677e16ec10c6ed221b50

SHA256
ec95b3301d9ea3050d826e2ec5b75ae456668ec13f14b756eb62df6f566b8709

SHA512
33cfcbc116252e55f91a1f8f8c645111586962bf3b4091a7eedd457d51ec0629587a688c280a8634102c1d5af15b4e1b46daca7098ce8758d7fa7f5e5b2e5548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d576c2673740431e4c84b640d769e26

SHA1
c682a0b3836a542aa477b5ceec41ee334b205ed0

SHA256
07342245a0d1e96ad45b43ef680f1c7922e8732fa11fe2fab33883de4b0035db

SHA512
81f5646e54f8a390e38877da1940c63100440ab53ed448ab2d63e62fd1b6aa420e2ef0ae5a1f43c7de70a5bdcfb892e2fda58b8e48bb003ba45feda9864a10c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d4aed53355f09513cb2a5400989e542

SHA1
bb583c2c4da69cc7e754cd8148352384114281cc

SHA256
7ea1f91b4828c668ff306fa42be84ab4eca80aa41ae96f5172bc4bd6ac5fca86

SHA512
f37c5ed62b370e1bd3545131ee519ea28799debe5790a5b29176d9593b26b4c8328a506ae7efa8e0eb4a9af7fbc591e69c2f2e04f91e68c15da6afa2e5908dc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
94700fff411184c1edb349ed608efcb1

SHA1
1b2655a26ef9dda1780599ce997969cdf3e4178b

SHA256
746e04e655ff922b8159ac13df44fb4bc39e366341358897e0af03458614af20

SHA512
829f4452916ae2ce66526288e49c6d51f436ab1395c1082433630c127646d214393a0ade4e9258b2ef71268154d866a8436571e10a76ee242b90a745be978e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
75442c0c00ac0ba1381c052df03427ae

SHA1
f921e0b4cf20f004447c8242676c619dfa8ba2c5

SHA256
f65e436d2ed35066b84422596782a987b61541cd516f3f67aa20e3ad0aa6d6e9

SHA512
6f977f9295e463d49757009e4f48ceec1ef257f24734cf49b121087cba7dfd94c378446ebc9c715f29e9c4d6979cfd39cfc68ae96dac4e2db42397abadd86672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
5cdd70cef886b30efdc47241905400c1

SHA1
2699732ecbb06a5415f467d1355a9d3a3216b484

SHA256
c2c82699b9b97fc2ea264ed3bcf7aab754517b6c3cd8abb1ca104251316568d1

SHA512
7b990fa8b105be1a9fc14182e677e99d1f02bdec836dd07a5dfd265d7e946674f1e0b9e9944c7bf18dac2aa0c851b0782e0d8f849431d66fcbd49b86f6cd0be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
43bd54e2a2b20201fecbc17a14c05484

SHA1
92f1e8f70d18aba25e373e3387f2a557186a1d77

SHA256
3c343e711effea3a9857f758efa569c45a1a055b210845cbc98bb16ee85e8af4

SHA512
c0933bcbddf866b88c79ef2b44da45b4dbf6ada52f9bc47207dc17a10b59c260b596e2e775a9ab106f02d4cfdc4aad94ab87362bf4552b254b382a4c63d68c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
0a11a85b60c33a5a652d024d93e3d792

SHA1
7042fd764a261ff83d0974acf75764c4867576a1

SHA256
1123431755b6146a0c2ed0c4fd517fd2199b3ea987541570ddff68bb0b8f0db8

SHA512
d3b9e91af2253b4e9b7f6f86cacf4fd1b7c18ebf4cb11824021ce822e1eede1c76102b214ebae9b979dcc3fd2d420139d9eaf6439da5f9d233e152c5671d01aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.4.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3191974035f167dcc246a2760b0a735a

SHA1
f84f81890d71bd90f56ebd6acf265eccacf2d5ad

SHA256
b5b9ca41af8d5829902352928f30400ed8fc41515f18a9ed4d06f2845d561d46

SHA512
bdae2185de2725850e79cc2ed1a8781f5df3ed40f0682682a941dcdadc842e1659ead1c783eead891fea8b9b81481f1b74cebc5f9474cacd823272ee54cc23ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4bjuovay.k3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main.zip:Zone.Identifier

Filesize
134B

MD5
58eb0738d071b2cab2147a46e687a9b9

SHA1
9aed1e28f4f70230f5db6e38801ddbdf5a6ce9c0

SHA256
df1c66f7573e6c8aa8e1c15866ff0882fe26323a1e93ebcb77a90e19441b212b

SHA512
6a209950bcf9f0c978bff40dd8daf190b2748cb1491fd4d66191a70dda7a363c05d67c1238942d97093bcb84881962ecf61f5db1b0950c2430dcf963207831f9

Download Submit
C:\Users\Admin\Downloads\XWorm-V5.4-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\XWorm-V5.4-main\XWorm-V5.4-main\XWorm V5.4 Pass 1\XWorm V5.4 Pass 1\XClient.exe

Filesize
72KB

MD5
1eafede0f345d2b9a4446cb55d220321

SHA1
6ef58718e3b8df58dd8d77fa0234a833b553365d

SHA256
5212464574bbc3ed0071b3cb9938a50085ea68fbf485bc25c6dbf7a56279cc3e

SHA512
80e3864389b6edc13173f2cf8e9bd5fac0d8fd6c08fa89bef3e3ecfbd6e0e9b25024e218c637269ace49fe1cf41f910e3f733a0c7cd03894d7e9778d38da5fdd

Download Submit
memory/1400-790-0x0000000000710000-0x0000000001528000-memory.dmp

Filesize
14.1MB

Download
memory/2004-802-0x00000000000B0000-0x00000000000C8000-memory.dmp

Filesize
96KB

Download
memory/5280-813-0x000002A9F43C0000-0x000002A9F43E2000-memory.dmp

Filesize
136KB

Download