stormkitty | hxxps://gofile[.]io/d/eoWCRi

Analysis

max time kernel
899s
max time network
899s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/eoWCRi

Score

10^/10

stormkitty xworm discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

cUwAbqzVaxNI2pww

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x001900000002ac6f-539.dat	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000300000000068b-487.dat	family_xworm
behavioral1/files/0x0004000000000699-497.dat	family_xworm
behavioral1/memory/1716-499-0x00000000002C0000-0x00000000002D0000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002ac79-545.dat	family_stormkitty
behavioral1/memory/1716-1239-0x000000001C4B0000-0x000000001C5D0000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
5592	Xworm V5.6.exe
1716	XClient.exe
4100	Xworm V5.6.exe

Loads dropped DLL 4 IoCs

pid	Process
1716	XClient.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	XClient.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
13	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4872	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1284	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 6a00310000000000445ad184100058574f524d2d7e312e362d4d00004e0009000400efbe445a9daa445a9daa2e0000002bac020000001900000000000000000000000000000010ab0f01580057006f0072006d002d0035002e0036002d006d00610069006e0000001c000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c003100000000004759c064110050524f4752417e310000740009000400efbec5525961445a9baa2e0000003f0000000000010000000000000000004a00000000004aca9b00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 7200310000000000445aab84100058574f524d2d7e312e362d4d0000560009000400efbe445a9daa445a9daa2e0000002aac02000000190000000000000000000000000000005801b200580057006f0072006d002d0035002e0036002d006d00610069006e00200028003100290000001c000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "5"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm-5.6-main (1).rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	msedge.exe
2880	msedge.exe
2796	msedge.exe
2796	msedge.exe
2332	identity_helper.exe
2332	identity_helper.exe
5396	msedge.exe
5396	msedge.exe
4556	msedge.exe
4556	msedge.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
1716	XClient.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
4100	Xworm V5.6.exe
1716	XClient.exe
1716	XClient.exe
1716	XClient.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5592	Xworm V5.6.exe
4100	Xworm V5.6.exe
1716	XClient.exe
2264	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4636	7zG.exe
Token: 35	4636	7zG.exe
Token: SeSecurityPrivilege	4636	7zG.exe
Token: SeSecurityPrivilege	4636	7zG.exe
Token: 33	6084	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6084	AUDIODG.EXE
Token: SeDebugPrivilege	1716	XClient.exe
Token: SeDebugPrivilege	1716	XClient.exe
Token: SeDebugPrivilege	4100	Xworm V5.6.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
4636	7zG.exe
5592	Xworm V5.6.exe
2796	msedge.exe
5592	Xworm V5.6.exe
4100	Xworm V5.6.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
5592	Xworm V5.6.exe
5592	Xworm V5.6.exe
4100	Xworm V5.6.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe
3780	msedge.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
5592	Xworm V5.6.exe
1716	XClient.exe
4100	Xworm V5.6.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
2264	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
3108	OpenWith.exe
6100	OpenWith.exe
3928	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 3192	2796	msedge.exe	79
PID 2796 wrote to memory of 3192	2796	msedge.exe	79
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 4332	2796	msedge.exe	80
PID 2796 wrote to memory of 2880	2796	msedge.exe	81
PID 2796 wrote to memory of 2880	2796	msedge.exe	81
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82
PID 2796 wrote to memory of 3156	2796	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/eoWCRi
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,1197281845748320148,3812534447930500379,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5420

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm-5.6-main (1)\" -ad -an -ai#7zMap1448:98:7zEvent29269
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4636

C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fypjpbc2\fypjpbc2.cmdline"
  2⤵
  PID:3800
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7858.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95E15C3A6B8F44A18A92C89EC1FA5C75.TMP"
    3⤵
    PID:5332

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6084

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:5316
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com/
  2⤵
  PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
    3⤵
    PID:4644
- C:\Windows\SYSTEM32\cmd.exe
  "cmd"
  2⤵
  PID:3048
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4872

C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/maps/place/51.5081,-0.1278
  2⤵
  PID:5424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
    3⤵
    PID:5884

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,573428383952242040,5975076375401350237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffca2cf3cb8,0x7ffca2cf3cc8,0x7ffca2cf3cd8
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1280 /prefetch:2
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,7788456080718233546,9736398740173558383,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
  2⤵
  PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\ClientsFolder\4094729DA4D2872DA683\Recovery\RecoveryData\cookies.txt
1⤵
PID:2816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\ClientsFolder\4094729DA4D2872DA683\Recovery\ProductKey_02-04-2025 21;28;49;598.txt
1⤵
PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5160

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3592

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1600

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:3628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x64\System.Data.SQLite.DLL

Filesize
1.6MB

MD5
1b1a6d076bbde5e2ac079ef6dbc9d5f8

SHA1
6aa070d07379847f58adcab6b5739fc97b487a28

SHA256
eaadfbcafd981ec51c9c039e3adb4963b5a9d85637e27fd4c8cfca5f07ff8471

SHA512
05b0cb3d343a5706434390fe863e41852019aa27797fe5d1b80d13b8e24e0de0c2cb6e23d15e89a0f427aaeaf04bf0239f90feb95bfc6913ca4dc59007e6659e

Download Submit
C:\Users\Admin\AppData\Local\GMap.NET\TileDBv5\en\Data.gmdb

Filesize
32.2MB

MD5
c1908aa6edfec3602b63e89905c888c4

SHA1
aed61a7a8eada8ef92d91830802fb4ed5bd5e764

SHA256
380d75309abcf9bd7e980b61c41f9262f56c242b4403e555dc2ad18cd310a036

SHA512
99e1971093abca7124d214b6e6445ff5b6dcc6c7f2834fe4c5a4f99e0af0e71403b16c86e3c94b135f628e5632538b38c991a4af17601a9aee942348448a6acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log

Filesize
1KB

MD5
8e0f23092b7a620dc2f45b4a9a596029

SHA1
58cc7c47602c73529e91ff9db3c74ff05459e4ea

SHA256
58b9918225aee046894cb3c6263687bfe4b5a5b8dff7196d72687d0f3f735034

SHA512
be458f811ad6a1f6b320e8d3e68e71062a8de686bae77c400d65091947b805c95024f3f1837e088cf5ecac5388d36f354285a6b57f91ea55567f19706128a043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6d1faa455d63060d780b0900d5e4145

SHA1
797c57d0b83c89af3c4dcb7c22900464b6209d2d

SHA256
515da9ca7bf0ee0fd6e287f8e2408e26f45deca99ade177dcfb6a7971da59b0a

SHA512
c94289243c71e720951433363fc9dcd5172cfbd5053eee8dbb07ce47ecca5e23c3456e535b82f2595931f0ec92b891e6268663177438ce6831f28044057ec0fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ab9e4fb3a66b25f5bd4afec9851062d

SHA1
dd871621299c94edb80a3df01b7fd8a61e98cb9d

SHA256
a6c04624f536faf77d7a773c92eaba74cb2a5aa99bd973aa3d61b39d98eb3642

SHA512
6a6d670aa2a9d908c03e878ac38178d5dae598a447eed7a465f65b79f0fc08de11fa7a75c10694cf5831b4281b50320f6bf8e4b744eaf4a36c771a604cf6266f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c69e51354cfdf7ecfc6f38c20907a3d0

SHA1
075d2bfb49d4ecd8ea6ea22adfd061639d2a760e

SHA256
6d51a7134fc2548accf67527702f6f9b610560a7e64896c44a732f490f819329

SHA512
6f4a5422311e8a929811725fcfeeaed788d9fd58b1a78ea0453695abf6dc1c4d9de0402fb1055884f68e3bc0b9ee616916c14877be47a046902d8d03ec97a375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8d42045e-60bd-47c1-b5d8-48b32262c8b0.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
964e3990386157864b947264e2c17929

SHA1
125d153adeb62f4dcfb047b6b1d7caedc1ffbd6f

SHA256
b321f8ffeac7d92ffdb0bc92d84d4084817df56bdd58b0e7106ad410bac9c112

SHA512
96ee69f70f6a53d6243ee4c9eff8bf6fe7c0211659e57b453c60c8244479822b47b2f0246c5d4f4d3c131264f18ad14807cc9556e838bb2dd0f457a7975e2e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
48fea084cba6d222eb399ddca56f99d1

SHA1
ddfecbacabe1a7ab9259a3722af56cb8ecd37522

SHA256
c41a638addd874c64e50e7273b354639b2f5fa6d18e97f87c86116ad4a7c11f9

SHA512
a3e3d8572ea7e1e75d26380fe3d1e62ae4ef10844886b9b04fd0b39db93a3478ab9c3e5407fc1fddd0d48cd7edffdcfe5481a1a492565b183445cec114b4352e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
019083a0a1d91e36f43253d79262f507

SHA1
3c6f24b36ed282590ec44d1496bafe3cb9b3be62

SHA256
cce316634a5c0c19b384d97a07a88bc735d4b96726608f169ee531b14bcd71f3

SHA512
03187f83c3613ac3f612e30f0d980c6680691ba93e72beb2f75c323ce4fab7a2e377fd0c2e35d6fe3f7082084f8436b784bd626470ae6828a29f465ca1ef1488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
637a82899647676f22aa0ab920323e0e

SHA1
6f128c6779b5995acc0f52ee7afb32e4b1e34133

SHA256
588b4d4fb9ffc80aa00c7336e582b346340358582fa9cd5fef190f2458b0874e

SHA512
f156fb19820cc25a29333bda18eb1d929f3c13aed88cc757ac9687066a6d7fc2ba73bacce4844abf33c3431e576cbd8faa99d8682c5f37d8f2b926811e891c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d1ea76cd08246892bf9fe8636df273ae

SHA1
dde842b53090c8716b5bb15535a3438df0f35133

SHA256
c0690b64cae26a42ce4dc1169a0c820f2157364315379cbd81f971a993638773

SHA512
8aad6b3101604f7eea4dbd96ad539a7ba80b823b7c50107b38a9b175bc2035f4eca0c19d5fd42110b91a8b823c345d842fa2b95802796ad26cb6de9fd60f3b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
469B

MD5
87f080dcb56c7a10e9cbd41abb2796cb

SHA1
aa72a4dfc814a51a0a1cc6c56aa79fcae864c2da

SHA256
97309a38dca464d44f88773a32f763dd7a987a13abbb23ccc73154b36c5b9dcc

SHA512
d9f0b2816569153c4ffe29dc623519102e087afda48a64ca3cabab9c3187c44fda638539741f0ef93bc9cc302861cce2a026eb5e4cc64dd410399ad56304765e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c535c80eef709c32b34ee72df7fd860a

SHA1
6eabfceaa2e379e17a353d9b740b3ad21f04833e

SHA256
2161a507bb820f899e026f21739dadfb0c939d1d563d9330bad1423d1be3708d

SHA512
ed11f2d4416aafa0c1305bfdb72f3c8c73c13e36b159fcb506ad811620dbbb51c5a5dc730987550cb2d60b4d353fcd89af6586fb5fa6fdbf2e1ce96657846c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f8896597e82f426c52cbfae84252e11e

SHA1
9cdc4301a9738939c01922f90e9ad14a34b39224

SHA256
296dea5031e127321622260aa118b8713f1f88d1a3ed6e0a171ecabc762f7276

SHA512
b1c3757f053783d81656c56753d7e8edcca57ce144d5f2362ac574f9dc74e3dcb60768d49d8061a3b05015682eb4095552204c573b75c0969979ca56e7db884b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9db745307cce6f8f4cdda69f644fb236

SHA1
30dd5b8efb06b7833d65d9cf67d68fd369342b12

SHA256
97750a5499f3c2d87a1818bd66be7e4ffdf52646581e4679e0232500f3942fcc

SHA512
ebff9189ec6d9b44857c3adb7601496f3e8c3e2d02530601621cf6bb476236f6448b49a93df8113332126e30db0b522aa4a270942acaa915c525690e529d192c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
e1f9042ce9a59f48c5da15c9463ddade

SHA1
d47eb49eb3d29752a0b1ed82b867d4134e36ee29

SHA256
3fd2f88a129e1ad09f7ad94074f152ddbf506f87c8a6ec95dd166c58b6a31906

SHA512
957a30929ca5be87e2f91b9471616b3bef9d2a281820528312902d6d4abca34756e249391e8ee21424fb28d7fde473c0bee08ef1890755163c86bb967714014b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
081487d0fbce2689fb9ddaf3f52a556b

SHA1
5be67b4c1e1de3ef07207fc5872659b1f43d0e4f

SHA256
7811ba587a94dbaa97385c729796fa1430e12e601d7f213842980c1d431d4af6

SHA512
b06b02c9b44118b430714d9263b1451426494a84821a5f7b01cf961b7f4dcb460d9ec885483aa0c371a25ece2107ebee86c949b5423cd94c2982bb766100195d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
30bf5222846b08bfa3a994be9299e252

SHA1
106b16ee120d35425fcc3703445b00bb8d838e6c

SHA256
986171f802586c66086669d5abfa3a45159d19856c246e23557afa838c226c8f

SHA512
c5b1cb0695414dfdc30ae57560ae84b2f3f922e6fb036a52013d0ed502fd6550662768bd0c85cb6545e08ed337da5bc35ba4d857d5171fdc5a4aec88fbdd69ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22907c041958d588b0e20ab2cc98cccd

SHA1
47d4be216b9c1a4763d571ef3980022b55087505

SHA256
57e9961aa2f762459b78a18cb807a5e106c6aea967452859e51fe7889840dbf7

SHA512
87d3ef6741f64e4b81f76e95e9c119fa90b7233197f8035f7ac0632417d58b4a3dd6cb8058ecf48b33455c9ea0c7f4d1d802f737446e621fe9017b2346d8bfba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1bbd1ac4bf2c81633742f52646528e76

SHA1
9f004f46097cde8150e9323e7408b65def7aef14

SHA256
b65a252bfbfbd24e2848af6faf1bd8377b74fb16ef415bfd95d5a84b9b7ac9ce

SHA512
6cef7aa77c8fe9626f4a1bc5b547ae8744dfbbe492cedc18b3d24c7b3ac17ff4d1b2d1bf66f507048f4e455e031a5b78e88c27dcf1447d3f9977e0517c7f1828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d5f89b5d39ccab426311ea2d0257730

SHA1
c1f3117e03fe0e3deb56b2a3b556fd829c2cf30f

SHA256
79bcb65f1eaecdbaf2cda45d3776f21b8a08972b0208f23c95faffa27e31f3e3

SHA512
74820e87240a103cff27b7ae421504c97dd749a831eabb2c8cd19bf5dac5fb539d690fb43ab41325f43826584dfe3f9f43af66e7924fef5a0bdf9373db24cd89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1ef9925f5afc8670c73de438fbee551

SHA1
e200663822b77e0beff09d83f1707a47f17eff4d

SHA256
49b4ae49489ea08bfe7f344bcf5513d8dea877aa7cb005594ce6b993d8f74f03

SHA512
287fb14662f23cfbe6f09c127ed8a716f9ff8eb81d0e71f4ca85f7e354b5603614f960995e69503071cae5413790f1578debe88bca708e870168791b88943793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4267e7c660bed141d709e5f72595229

SHA1
401f9b0d7e8788e65476d04a447defd6c8811554

SHA256
9253d8720b3a378176fe61fd8d2059721544740df2293a50b43cfcfce38aef0a

SHA512
c398688887d1ccf5bc52ab12b0208c4b15dac62893b08159fc15fd1eba4e472f4f4226cc9746fd9059adf17dab8acaa3966429d0ecb7a79dc4f1771afeb77ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ca1ca42d775c5a86237b5dda3e3372c

SHA1
a6b32a35fd235ded70f92729617dbd72f7070940

SHA256
de973ae43172ffec418027bd8705da696721b1c1a44278e63af398f25cd3eac5

SHA512
53c8d8efbda66fc363761a0157215cab284b7b4bc966bf567114acc60eb6de76aa23e4975fe7ca232c60bfc2976a6ee5b254d50f590ff8bc4a4d981571abd151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c00dc1eb73fd89955423dba1644c1906

SHA1
bd03187321c2e49a073b51ee7178d8635f3795e6

SHA256
dfd0457f7481c53417b459321fea8a23dc3342ae16b83ced65090655ff4260f5

SHA512
95d46b55a983ce632d6f6c06e3fb83751fd21dbaff46ebb4de55dd2b48d9bcd22718edef0694079023685d90ac98f425f9432a42979d558111012da01f24d1ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6f6d2207f8c1231dffaee045c2807627

SHA1
0442774d54c4ff1d9f079aad787570810196f9d6

SHA256
acb1170cd1c6c3f3dd2ed400b6d4561308d1dbee1801f4e92950894360908358

SHA512
d5f423a20444a1ec6ee8f9db04b1458f13bd24dbddc32b71350d681edfa888ebb7821c7b3bd7ca25b6ffb08ad341597510964013f8e5a81f24b19980d8b2a381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2ebc500d9762b215441703bf333f0a43

SHA1
e06f5bbb41b65e59d667de86b9a72720811286cc

SHA256
90d870bf2167fff29a455c1b675c1328ceb9705c9e1d0d5f90a09ae3ffc7b09b

SHA512
43c301c36e7d317317767e0b58c03c02c75e35cd548d8777dc7bf825d7ff1c165f8b85aa888407c8ed5dde2fbe8b9c0d89c7330d738dcd3199afb435926fd288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7276bbb796f9385b964ff081dac44491

SHA1
1eab56dde420ad0ab2f4c5eb85467c6a2f69f4e0

SHA256
a40172aea65e655f34855fa0674d26afdc66c11e1ba37c47beed6ae87b9520d0

SHA512
41c81ab66292896e763a22119f4b72392283155e216ba09596692e0fbcb81ca29cc45cf37bb799b9bd22d18782e3b49474abff41425077901fe94a260b485f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f6bf34440e9c01af30b005bc1fa29ab

SHA1
8836047b769750e06991e9d86bc523a026990450

SHA256
866e7a48665a2c29129dc4d07178a6c388700ffa80ab40d74a6560d4876dafb4

SHA512
da4e00f9946bd86127017bb5c2e4b887bb12a8886bd13d6915728414da2b420cda0ee547b9ed34bb73d34290b568e39c1276ec16fa8eef219cbf2431bc81a835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b3836d73a7fe71ff6e9615f7224e643

SHA1
876b24104ba88ee81e834bd1f9246589ddfda7b2

SHA256
ddd5bc940a89c571d5bed57f978450f8420be35586c5f55aa48c1b4245be8168

SHA512
61bd43bb0f875a919f437f511a50c2b15ad4b3b8e3a3fe8cca0bd1832d216aa3f62b6596aaa6101f8de95a82341658ca2b24b56d0e621fb7674d94b6086f5f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
93c1fe52019196f2fbdfc4188444cfac

SHA1
867e4ca7f50c15de8015133d85b5181e1c69c4fa

SHA256
65bd45788809ca0e504240b679b244ec7c5ce236b9c43ad349210c58f342b19c

SHA512
f5781087e2aae1517357fca465d2abfdb207a5681c6e80e560ef971e15e4b7ef83f227049c0425ed45cdf76c07af3dcf911261ff83f4a2de1f0bbd09c418fc0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\85677a3f-c6b4-4bdd-8354-e0be651eb8b8\index-dir\the-real-index

Filesize
72B

MD5
e0da4ddda277402456b1585744c01006

SHA1
c8828758bab47f31b90dc0d2e2ca283e442db6f0

SHA256
e8a8bd28cba998b1a13511b9697321a02dc0600fa40cd37cc23c3d3697869bcf

SHA512
ebf26b88c56827fd74802c87efe894043dc0de1178f6f9fe5c69c8b035fcf6b3f779b3d8d8889b702bfe8606e9e7a33e97a55d6044c45f7e09d3f1ae3e77098d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\85677a3f-c6b4-4bdd-8354-e0be651eb8b8\index-dir\the-real-index~RFe636344.TMP

Filesize
48B

MD5
fbcac5cddbd1413337d08d40673a2284

SHA1
a84f3d7ad483c687ab95f4c2ab1a1761e9999ec0

SHA256
727a5f818e437613a0802466f06346263a79f1952067d6b4b3f49191abfd0858

SHA512
68e18c99b33ae71fda9bab6248781f84d0e3014d1e7cabfdb4c191a840cfadc7861be88ded296c0317ae5546738a075e23014a597ceb0399ce746e10aaa928ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\index.txt

Filesize
90B

MD5
e170df52af1e67017ab9d9a82f646775

SHA1
41005623718d34b1cc7772a157dcff953ec97a01

SHA256
8489a9c59c4c377e2c54f17efceff500efd7506ddabca42aaa63dc7792a55db0

SHA512
d4b779eb8bb68684e92381bbdea222aca4879711eb859b477fb57cd37d57f502358273ef4f78fd3a82643ba35ab910e06b008910ca55843b01616994846973ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\28da9c56fde4021055a681112c092453f74d8dd8\index.txt

Filesize
84B

MD5
fb9f3a7614d27d3e9e8229ecb632497f

SHA1
992168b8836605e17251edba4172af8ce054e967

SHA256
9a09ba9af8410d079772b705580f632a9d01414ea2313668cadaadf0f0f2b604

SHA512
f5d5a6177620f5a954bbc65c66d2e7c4d8e6d2ac09e74d2562d67b901e17e083403fc04cd591fb59db8fdcc5a639f75f1d62897b6a2258624a9b8e669eba45d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\de23a00a-fa69-4915-8830-30527f586d8a\index-dir\the-real-index

Filesize
2KB

MD5
1f4baa7eff841f2aa53cd1d0c50eebe6

SHA1
193e580313b5b59b5e3ca63167f5b1d4bf8b3f9a

SHA256
a7603fea53acbb5e1a7456a3609320fad3072ceec1fcf761d7b825e53899a994

SHA512
4d853abcfa8aa5338ab55df248b41a82512dc1ea38ebcf30de56b76ddd2cade5f2f0a7a2085fe578967f23ba562858497c069b13ccba7309a0e89e00d6881b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\de23a00a-fa69-4915-8830-30527f586d8a\index-dir\the-real-index~RFe5d1d5e.TMP

Filesize
48B

MD5
98e661e37dc220ee94f0b4a3e85e9c8a

SHA1
c647e12d8d7e867cc4f0bcf40949dd7d8bc58010

SHA256
a4a5c0333b89fc7b386943c119dd84104d541a7228ba11ed6cd3db58e718ce45

SHA512
a9cf03c0225eacf757e0de9eebf930df412bb6ad830f85a160670eba226e16429ea425c9c0de1b7b55c5ae7ce58c8c7a0bcc3761a53a94f75ef8ee9748510123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
16a6c7cd9651fd688123da10db2ae4c7

SHA1
d57d7b6affd44a65b2a6e0edadb431ba1d9f273f

SHA256
8810e98a350471c5c9093ba034f7defb497875adb46777d3744b962213c94a8f

SHA512
96bdb04d2b9ec63cc40476bef21f22105827c6b12e917d57171e40db7708b355552f5aac2c9e78d3a6deaf320aaa743db6dd660bbea6078f8b5da38367dd52f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
b9260b7404cf0aafdca487456f5b62fe

SHA1
061b427964839d833942dc9d819d3005e0d56cf4

SHA256
251c2d9f748779a3f2bc9f08ce5aceda4d4657053d5aea74e4afed2aab950ac6

SHA512
d0d4c8851cca657b3dccfdb965e49b25a5e6f6a59a4da6ef7e20f2ced404d772d344460afb01b8341f22d862512e7f8fd4cabbfdc8499b61cf102cea220ded23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
4c8d3fb11d54aae2d71973467baca2b2

SHA1
d5d9c980992a239be4dc165509c07e83a318b173

SHA256
d11ccea4063d5e6b6ceac826f915c1130ef9b1a99489035c05b4f31217cedc9d

SHA512
7b40a6cc1df29ddc8eb495270e378d4829f4ca6cada392c9bf8b9805839651825834e863e35a3015b4c46b9976827380cef037196aeab7b213968f8f12a87ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
7ed1e2480b65def3b10df132916abb1e

SHA1
665502d8378fb2b3971ecd64b46f0a289896c776

SHA256
a9f8968b9a9ff79e8980d0f10244eb9dfc8fd70b5aaf7f111166cea06c91285d

SHA512
282dbcc10263bdd858d991a89bffd06f4cbdc8589de52bb6aa5580e8b0b743aa2b6a61e9bc5c5862a0b4a173ed151b5bd444388b45637cf7ff5f19a542d2c424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c07c13a92598b257c846222fc2faf345

SHA1
1ec4e9aa63d78e0959f805cdd34df4b50fde2039

SHA256
c6336f4f31cf4bf911cac4d99d123ef28e971d296252ff88757d75f89011543d

SHA512
c17e7694184f0933c39e95ab0e71c36830c221eaa3ae1c39498cb61f1c385c21bd2e47414f84adbf765493b95f7eef631504edef54982d16264eafc61518ce56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
6a8e91b03255ec4ce134c781b4e16d06

SHA1
96a2e55a2a2fa0a549847cac2cd8044e99206a04

SHA256
0e9d9e0429c6150799aa3d96b2423693f90a008c71526c34b7f4ee2309a0c5dd

SHA512
24714130079b3cf64c2a76202aa4b1f88a3cdac2f64292bad373d68c0c9a92e954c8eb822a046f4466754211e458d25208ae45ff6a31e0f5d6247f86c8c572ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d1773.TMP

Filesize
48B

MD5
60075772d93264df363c214ef0e52268

SHA1
ddf5ca997e978fc02a76722f1ccf685234548955

SHA256
13c9f8ed2e60a8aac8eccd6469ae58bc454d2bc85cbd06b30d2cde26f63745d5

SHA512
dd082e6610a7b76bcbf4460c0b3cec8dd0af10e4304951bce3205d567262c87d40037f3923c7ffc9a36f3438363136ffe8c11492729b11982abe59ba345f4af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
39635641436a0333c1729f657d2eb1d8

SHA1
8a4fb1cb95a1565bf8368d6556e35206a77f9b33

SHA256
b420df589fb94f3b709102ad7a129e52f89ae0b56d114e49bfa9705fdfa67834

SHA512
0ae32cb3dc249f2461f134605409be72bb430f8c87234a16c44de8cbb215ee0487195e0e27cf348c175a29fd07bfb70a500f3dd5bad3f790eafdc416eb9a86a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64017bfad002e95a5744693ac07ff9ca

SHA1
aeea999d4a201669c3c7dff242c78d6498b8c9de

SHA256
9d43f8f38b56c24c1a2c4786d393d3215e14be662d328dedb7fd174f338351a7

SHA512
00cad2f4449ba2cfc02d142874c008a5881c1a323e5ceee03448558c4913ae09ef0aa1fb881aec7b1986c3e54bae3c0f34da878b44fe038eefe00664b7a85b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2174298192532e4381d4627adf7ee273

SHA1
37a644f6ce419b454d6074ebcfdadb2d8d53a9d1

SHA256
f4cafd20602c229729950f39b411d100794a97ccc2ba9e2282e08ec91c05df3d

SHA512
361050de9a69dc7ec53fd6eacffeb99701c03d1d56756e13294cbe8699c79a154844813dc35796f04f14691e1e0e36b90c770b66a91cfaa01ff8488f1e3d9188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bdeb2b4fce2ba46ea838e4be50ae4719

SHA1
45b618c5198fbfd4f40afa2ff910f01572412e56

SHA256
c6b93149b6943f378fb2e0edf166f9823f9643f3b08901286715892faa3637d4

SHA512
77a3c22478e84b30f5acd9bc6d954fb9b84af0571f5b3d0173da1ef844370ded8073c26b1754e70d257d91a9cbc9b43ec23b0a2fa6c930d22e3d3671efe5395e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a08672ceb5e28d7de5717f7c34d7bd1

SHA1
26c782621dbbb8ad0e72dc390e08fecc518d181b

SHA256
973e6227f0a1cfa52c3da69dffd71aa640e793729b133b68021802905b0b60f4

SHA512
c52ef00c53cd82c031ab51c612eff580868e8760481235e32044b1a55c6273eec80328f3e86a38f6b39344fa083a70d54cbaac976d9126a422578e019d75f1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
da316f3ea030ccb22c24db9b76f4c6d9

SHA1
510204ed56524143b6370f892f5a9f66a8d57050

SHA256
9acd57c3598215c1a87b4279d61fc1ab08d2cce63d6b968e7a4112f638adb069

SHA512
cd377fd1da0e9360131b86280890f0ea134a11857d2ed4f1c76ed133d5c366f1a8f58a41b029efc34a6c355eb26d4ea3f3d0a34c3c3045ed66572a4888330387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1bd72a3fd47c35b1f27927d4c6d6ab0d

SHA1
0f1b12f98fd20aea211a63bc6ce5df9c158e0ac9

SHA256
73a0c747750619c21c282780bb5f5dfa19706dfbc428af9ab0e46bcb03fab066

SHA512
4d8063e8db56a434a7257564c4f363eea2b6701a7ff470cabd9a95ea81733b5bafb77ec6f9f4daf6a39a2ec07993f0fa94dad93e9c92474604ba13e07ffe2f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39f05fa5c688f598e30a3b5f0372a2d6

SHA1
b5c502f73fbf28dc554f9ffb892edb8d4e72f5aa

SHA256
6fb1c026f5ede5cc3ebd6f3a43a086243341d604424413db4b3e1565d43114d8

SHA512
ba3a0247f06cef290b77590ae06bd809a4b58ed23b7ae44e3ff077218d27e6274aa622ceca28345a3fff4ff18569da935200913f2161fc231f373fd45afe9be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a612af0fd768628ada250ede965b9c1

SHA1
b2c55673484136a880ec002f61ace630428422a6

SHA256
a7a6a18f3431eb15d571b9d3581f678faea76ba0b4534daeb915efad5198f34e

SHA512
92674ee27ea13de7a6f931daa06143a8dbcbe0fe601b62bccbbaea89bdbc6ea20ca17e2f95bdb77db4888d5d86b98165b7d5f05a08425ea01a1e3f634b1672b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54a223ecde58a4d3851f6eaf699c54c2

SHA1
f067b819fcac571c657f3ab1669015b50970d72a

SHA256
a6ba77f871ffa60856d9431edb0caa0f23e7a0bbcf560f51ec8393ac83cb4599

SHA512
070908adb5a24d5eb3570f8cba96e52802a1164efc0360c899f3c005b21ad7387a826656686cc7c072dc4c1b7e1079497c942824638f90887a657fb4e9744421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
275112f9e52eb859287ed148625b9d82

SHA1
f7ccfd096ad7ddac36451abd743da1c081778084

SHA256
a4b598c7395926fc73425ebc12c0b98ed4b8745c0cbf097bdf32164180cb5d63

SHA512
e3b17b45a97a9ba096a1a2fe8b554b27aafc6cb2800c74efe699eb35e45075d3e155ffebd0817e3d70f0db37badd2f105edb035ad093e3543fae4be24ee31ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
e0d9342fd8c493431b912cc27af4ac31

SHA1
4bb6b625129d85962d2f4c9c6a8ed8c9d73037ca

SHA256
17df96394f376f654ac201efe909ecedf3560987ceb13412a345a0816bb51548

SHA512
dc7b3acd271ab2ddb77827b52fbdc5f12994aeed6db55e078c2bdc8cf35a3704f345d288456bb4131b11ccd1d5c54e8a6ee8438f066c72cff2d0e4d02ff84e52

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\89a0f8ee-d1f4-411b-9092-a112a097d346.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
3KB

MD5
bd1047b793a01236dc5589fcf91ea7d5

SHA1
dfd9eb61656c6e856fbf0680b460fd6a479e9b84

SHA256
af99135e46abdae7b1f56a5756161e67f7c6ff3f03fec9d689cd3b3085aa439c

SHA512
f3bda6911caafd6feffa7b1e8bfebfbd8de805853d5db8233a9b0c97695516fe3e6f6c5ab526d7caabc85706eea26f7a1bfbb0643302ca1235e447bdeb018f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7858.tmp

Filesize
1KB

MD5
16b4cb02608e9813a4076384c5890438

SHA1
4aac47149bff4834676721896d687da11dfa9923

SHA256
e4ae0f99fb2ef6e788840911f155298b7e1a377cb233be7701f0f853482ad642

SHA512
bfe65458e46756c6c81a2b36faf603e52aa40da369d26d169b1c5302d7a4a6b63abcbc79029a91843785f020d7298ebd35ad7ab31b566cb4e11855e859fe860c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fypjpbc2\fypjpbc2.0.vb

Filesize
78KB

MD5
a3df6c513e0e5e0773b176c82daa93c8

SHA1
3dca52b5c3c01bd738f88a2d01db505abf870679

SHA256
e83c8d8a9f7a721db82a9eb5a170c3e36f31224e9a02077f84f9a34bacb23659

SHA512
cbc231269b17548356ab2e62ea67b7389d03880e155d1daf12d8c5c27330c21eabde72545f1b6e5b5e6fdc17623da81cb5469a7ac688cc84bd7d840e01537ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fypjpbc2\fypjpbc2.cmdline

Filesize
290B

MD5
2076ec6bbc836c9a213203aa3b7642c6

SHA1
7b0ca84e0e61f1d48024bfb5ca711bab0ff9d7bc

SHA256
57d491a7061c2282c8fb745295dac616cc97ec2681f609ea65a7b1380f9ebede

SHA512
261c918378b0ae8691536b2edf6a1df96534f885817ee335b5636ea5b6daf68ee381d3aef2a9b69860b7de5bbdeea2effc216a6ca27a69f883ee273248b4005c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95E15C3A6B8F44A18A92C89EC1FA5C75.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
38KB

MD5
0b0b5f4481cfed9501330015e75b12c3

SHA1
e506a5cb62db6af3df2a9bc20984fb141ae10fec

SHA256
aaac3533115aebebb7469c5664291075352505ce76b461f782abbaea0bcbfed3

SHA512
bfe29bef190c6ac07f23a0c2d8becbf240bf92eaa53c7d926de89a1d9904126ad29a170a704378a661f3aefb11c130b7f5c8c9c9525943bacf291deec0d5bc69

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1).rar

Filesize
20.9MB

MD5
aa521eb4b453d552d7b58b5ce7b7f51b

SHA1
2b2cc22039566e59fd1d945b95ddb7cc48387750

SHA256
0bdb2ac0f8e7c105273f959312d6df6aa9fd7660c96627dc827e6ce04f70aca3

SHA512
dd8d5b621504571f006c50a7bdec893487991b294b299e3b17f51144dbf79d6dbd6eef98c3754e26a14447ab93c93f06680c38f4edfeec2f787466fa74c6505c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1).rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\ClientsFolder\4094729DA4D2872DA683\Recovery\RecoveryData\cookies.txt

Filesize
414B

MD5
a1299db409475db5d2eb0ac16838fc14

SHA1
e4a6824b6fe9bcc0870785e71b8471a9e5ed1d64

SHA256
a72b01bfd71de2bab426ffef4adfc5b5b9317be0b6d1c2c9122699f1aa42baba

SHA512
2284aaaabeb6c23cab21e5a8c1af6a3f5cc616cbe0027a489d616dfaa45d19bb50c255d579db2816489bfe1904244062be3b94cbe371b05151c315cc9a865f6d

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\ActiveWindows.dll

Filesize
14KB

MD5
5a766a4991515011983ceddf7714b70b

SHA1
4eb00ae7fe780fa4fe94cedbf6052983f5fd138b

SHA256
567b9861026a0dbc5947e7515dc7ab3f496153f6b3db57c27238129ec207fc52

SHA512
4bd6b24e236387ff58631207ea42cd09293c3664468e72cd887de3b3b912d3795a22a98dcf4548fb339444337722a81f8877abb22177606d765d78e48ec01fd8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Chat.dll

Filesize
18KB

MD5
59f75c7ffaccf9878a9d39e224a65adf

SHA1
46b0f61a07e85e3b54b728d9d7142ddc73c9d74b

SHA256
aab20f465955d77d6ec3b5c1c5f64402a925fb565dda5c8e38c296cb7406e492

SHA512
80056163b96ce7a8877874eaae559f75217c0a04b3e3d4c1283fe23badfc95fe4d587fd27127db4be459b8a3adf41900135ea12b0eeb4187adbcf796d9505cb8

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Chromium.dll

Filesize
32KB

MD5
edb2f0d0eb08dcd78b3ddf87a847de01

SHA1
cc23d101f917cad3664f8c1fa0788a89e03a669c

SHA256
b6d8bccdf123ceac6b9642ad3500d4e0b3d30b9c9dd2d29499d38c02bd8f9982

SHA512
8f87da834649a21a908c95a9ea8e2d94726bd9f33d4b7786348f6371dfae983cc2b5b5d4f80a17a60ded17d4eb71771ec25a7c82e4f3a90273c46c8ee3b8f2c3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Clipboard.dll

Filesize
14KB

MD5
831eb0de839fc13de0abab64fe1e06e7

SHA1
53aad63a8b6fc9e35c814c55be9992abc92a1b54

SHA256
e31a1c2b1baa2aa2c36cabe3da17cd767c8fec4c206bd506e889341e5e0fa959

SHA512
2f61bcf972671d96e036b3c99546cd01e067bef15751a87c00ba6d656decb6b69a628415e5363e650b55610cf9f237585ada7ce51523e6efc0e27d7338966bee

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Cmstp-Bypass.dll

Filesize
11KB

MD5
cf15259e22b58a0dfd1156ab71cbd690

SHA1
3614f4e469d28d6e65471099e2d45c8e28a7a49e

SHA256
fa420fd3d1a5a2bb813ef8e6063480099f19091e8fa1b3389004c1ac559e806b

SHA512
7302a424ed62ec20be85282ff545a4ca9e1aecfe20c45630b294c1ae72732465d8298537ee923d9e288ae0c48328e52ad8a1a503e549f8f8737fabe2e6e9ad38

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\FilesSearcher.dll

Filesize
478KB

MD5
6f8f1621c16ac0976600146d2217e9d2

SHA1
b6aa233b93aae0a17ee8787576bf0fbc05cedde4

SHA256
e66e1273dc59ee9e05ce3e02f1b760b18dd296a47d92b3ce5b24efb48e5fb21b

SHA512
eb55acdea8648c8cdefee892758d9585ff81502fc7037d5814e1bd01fee0431f4dde0a4b04ccb2b0917e1b11588f2dc9f0bfe750117137a01bbd0c508f43ef6a

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\HBrowser.dll

Filesize
25KB

MD5
f0e921f2f850b7ec094036d20ff9be9b

SHA1
3b2d76d06470580858cc572257491e32d4b021c0

SHA256
75e8ff57fa6d95cf4d8405bffebb2b9b1c55a0abba0fe345f55b8f0e88be6f3c

SHA512
16028ae56cd1d78d5cb63c554155ae02804aac3f15c0d91a771b0dcd5c8df710f39481f6545ca6410b7cd9240ec77090f65e3379dcfe09f161a3dff6aec649f3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\HRDP.dll

Filesize
1.7MB

MD5
f27b6e8cf5afa8771c679b7a79e11a08

SHA1
6c3fcf45e35aaf6b747f29a06108093c284100da

SHA256
4aa18745a5fddf7ec14adaff3ad1b4df1b910f4b6710bf55eb27fb3942bb67de

SHA512
0d84966bbc9290b04d2148082563675ec023906d58f5ba6861c20542271bf11be196d6ab24e48372f339438204bd5c198297da98a19fddb25a3df727b5aafa33

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\HVNC.dll

Filesize
58KB

MD5
30eb33588670191b4e74a0a05eecf191

SHA1
08760620ef080bb75c253ba80e97322c187a6b9f

SHA256
3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96

SHA512
820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\HVNCMemory.dll

Filesize
39KB

MD5
065f0830d1e36f8f44702b0f567082e8

SHA1
724c33558fcc8ecd86ee56335e8f6eb5bfeac0db

SHA256
285b462e3cd4a5b207315ad33ee6965a8b98ca58abb8d16882e4bc2d758ff1a4

SHA512
bac0148e1b78a8fde242697bff1bbe10a18ffab85fdced062de3dc5017cd77f0d54d8096e273523b8a3910fe17fac111724acffa5bec30e4d81b7b3bd312d545

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\HiddenApps.dll

Filesize
45KB

MD5
ba2141a7aefa1a80e2091bf7c2ca72db

SHA1
9047b546ce9c0ea2c36d24a10eb31516a24a047d

SHA256
6a098f5a7f9328b35d73ee232846b13e2d587d47f473cbc9b3f1d74def7086ea

SHA512
91e43620e5717b699e34e658d6af49bba200dcf91ac0c9a0f237ec44666b57117a13bc8674895b7a9cac5a17b2f91cdc3daa5bcc52c43edbabd19bc1ed63038c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Informations.dll

Filesize
22KB

MD5
67a884eeb9bd025a1ef69c8964b6d86f

SHA1
97e00d3687703b1d7cc0939e45f8232016d009d9

SHA256
cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b

SHA512
52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Keylogger.dll

Filesize
17KB

MD5
246f7916c4f21e98f22cb86587acb334

SHA1
b898523ed4db6612c79aad49fbd74f71ecdbd461

SHA256
acfe5c3aa2a3bae3437ead42e90044d7eee972ead25c1f7486bea4a23c201d3a

SHA512
1c256ca9b9857e6d393461b55e53175b7b0d88d8f3566fd457f2b3a4f241cb91c9207d54d8b0867ea0abd3577d127835beb13157c3e5df5c2b2b34b3339bd15d

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Maps.dll

Filesize
15KB

MD5
806c3802bfd7a97db07c99a5c2918198

SHA1
088393a9d96f0491e3e1cf6589f612aa5e1df5f8

SHA256
34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6

SHA512
ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\MessageBox.dll

Filesize
14KB

MD5
7db8b7e15194fa60ffed768b6cf948c2

SHA1
3de1b56cc550411c58cd1ad7ba845f3269559b5c

SHA256
bc09b671894c9a36f4eca45dd6fbf958a967acea9e85b66c38a319387b90dd29

SHA512
e7f5430b0d46f133dc9616f9eeae8fb42f07a8a4a18b927dd7497de29451086629dfc5e63c0b2a60a4603d8421c6570967c5dbde498bb480aef353b3ed8e18a1

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Microphone.dll

Filesize
540KB

MD5
9c3d90ccf5d47f6eef83542bd08d5aeb

SHA1
0c0aa80c3411f98e8db7a165e39484e8dae424c7

SHA256
612898afdf9120cfef5843f9b136c66ecc3e0bb6f3d1527d0599a11988b7783c

SHA512
0786f802fbd24d4ab79651298a5ba042c275d7d01c6ac2c9b3ca1e4ee952de7676ec8abf68d226b72696e9480bd4d4615077163efbcda7cff6a5f717736cbdfe

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Ngrok-Installer.dll

Filesize
400KB

MD5
3e19341a940638536b4a7891d5b2b777

SHA1
ca6f5b28e2e54f3f86fd9f45a792a868c82e35b5

SHA256
b574aabf02a65aa3b6f7bfff0a574873ce96429d3f708a10f87bc1f6518f14aa

SHA512
06639892ea4a27c8840872b0de450ae1a0dac61e1dcb64523973c629580323b723c0e9074ff2ddf9a67a8a6d45473432ffc4a1736c0ddc74e054ae13b774f3e2

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Options.dll

Filesize
30KB

MD5
97193fc4c016c228ae0535772a01051d

SHA1
f2f6d56d468329b1e9a91a3503376e4a6a4d5541

SHA256
5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

SHA512
9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Pastime.dll

Filesize
17KB

MD5
6430ab4458a703fb97be77d6bea74f5b

SHA1
59786b619243d4e00d82b0a3b7e9deb6c71b283c

SHA256
a46787527ac34cd71d96226ddfc0a06370b61e4ad0267105be2aec8d82e984c1

SHA512
7b6cf7a613671826330e7f8daddc4c7c37b4d191cf4938c1f5b0fb7b467b28a23fb56e412dc82192595cfa9d5b552668ef0aaa938c8ae166029a610b246d3ecc

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Performance.dll

Filesize
16KB

MD5
1841c479da7efd24521579053efcf440

SHA1
0aacfd06c7223b988584a381cb10d6c3f462fc6a

SHA256
043b6a0284468934582819996dbaa70b863ab4caa4f968c81c39a33b2ac81735

SHA512
3005e45728162cc04914e40a3b87a1c6fc7ffde5988d9ff382d388e9de4862899b3390567c6b7d54f0ec02283bf64bcd5529319ca32295c109a7420848fa3487

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\ProcessManager.dll

Filesize
19KB

MD5
3d4ec14005a25a4cb05b1aa679cf22bf

SHA1
6f4a827d94ad020bc23fbd04b7d8ca2995267094

SHA256
7cf1921a5f8429b2b9e8197de195cfae2353fe0d8cb98e563bdf1e782fe2ee4e

SHA512
0ee72d345d5431c7a6ffc71cf5e37938b93fd346e5a4746f5967f1aa2b69c34ca4ba0d0abd867778d8ca60b56f01e2d7fc5e7cf7c5a39a92015d4df2d68e382e

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Programs.dll

Filesize
13KB

MD5
a6734a047b0b57055807a4f33a80d4dd

SHA1
0b3a78b2362b0fd3817770fdc6dd070e3305615c

SHA256
953a8276faa4a18685d09cd9187ed3e409e3cccd7daf34b6097f1eb8d96125a4

SHA512
7292eab25f0e340e78063f32961eff16bb51895ad46cfd09933c0c30e3315129945d111a877a191fc261ad690ad6b02e1f2cabc4ff2fdac962ee272b41dd6dfa

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Ransomware.dll

Filesize
20KB

MD5
ccc9ea43ead4aa754b91e2039fe0ac1c

SHA1
f382635559045ac1aeb1368d74e6b5c6e98e6a48

SHA256
14c2bbccdabb8408395d636b44b99de4b16db2e6bf35181cb71e7be516d83ad9

SHA512
5d05254ba5cd7b1967a84d5b0e6fd23c54766474fb8660a001bf3d21a3f5c8c20fcdb830fb8659a90da96655e6ee818ceefb6afa610cc853b7fba84bb9db4413

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Recovery.dll

Filesize
1.1MB

MD5
776193701a2ed869b5f1b6e71970a0ac

SHA1
2f973458531aaa283cdc835af4e24f5f709cbad1

SHA256
66dbe3b90371fe58caa957e83c1c1f0acce941a36cf140a0f07e64403dd13303

SHA512
a41f981c861e8d40487a9cd0863f9055165427e10580548e972a47ef47cf3e777aab2df70dc6f464cc3077860e86eda7462e9754f9047a1ecc0ed9721663aeb9

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Plugins\Shell.dll

Filesize
14KB

MD5
04609b39e656e297db73be0d02c7e35e

SHA1
f8abd484e7703a4d9629b033e8ec39c82eaf4654

SHA256
6c69b4d45638097e31169d94914e4acb6a8cc7f46788ffa4f241e4c1efb213bb

SHA512
11a88d55497fedeeb05b146ebd3135755aeb08c4596e9379eec83501e734aa6ba926d9bbda1c5f50e361836d65ea88d2c018f0b4b4b668c82ff2163730eaaf27

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main (1)\XWorm-5.6-main (1)\XWorm-5.6-main\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/1716-1173-0x000000001C270000-0x000000001C2AA000-memory.dmp

Filesize
232KB

Download
memory/1716-558-0x000000001AFC0000-0x000000001AFCA000-memory.dmp

Filesize
40KB

Download
memory/1716-1979-0x000000001C5E0000-0x000000001C66E000-memory.dmp

Filesize
568KB

Download
memory/1716-1978-0x000000001C3C0000-0x000000001C44E000-memory.dmp

Filesize
568KB

Download
memory/1716-1427-0x000000001C2B0000-0x000000001C2BA000-memory.dmp

Filesize
40KB

Download
memory/1716-1358-0x000000001C200000-0x000000001C20A000-memory.dmp

Filesize
40KB

Download
memory/1716-1437-0x000000001BF70000-0x000000001BF7A000-memory.dmp

Filesize
40KB

Download
memory/1716-1977-0x0000000020530000-0x0000000020A58000-memory.dmp

Filesize
5.2MB

Download
memory/1716-1976-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

Filesize
48KB

Download
memory/1716-1975-0x000000001BF80000-0x000000001BFB6000-memory.dmp

Filesize
216KB

Download
memory/1716-678-0x000000001B950000-0x000000001B95A000-memory.dmp

Filesize
40KB

Download
memory/1716-1464-0x000000001BFC0000-0x000000001BFD2000-memory.dmp

Filesize
72KB

Download
memory/1716-546-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/1716-499-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1716-1380-0x000000001C5D0000-0x000000001C5DA000-memory.dmp

Filesize
40KB

Download
memory/1716-1311-0x000000001B960000-0x000000001B96E000-memory.dmp

Filesize
56KB

Download
memory/1716-1278-0x000000001C230000-0x000000001C252000-memory.dmp

Filesize
136KB

Download
memory/1716-1239-0x000000001C4B0000-0x000000001C5D0000-memory.dmp

Filesize
1.1MB

Download
memory/1716-1178-0x000000001C1D0000-0x000000001C1DC000-memory.dmp

Filesize
48KB

Download
memory/1716-1231-0x000000001D770000-0x000000001DAC0000-memory.dmp

Filesize
3.3MB

Download
memory/4100-1451-0x000001E374670000-0x000001E374696000-memory.dmp

Filesize
152KB

Download
memory/4100-1450-0x000001E37D230000-0x000001E37D26A000-memory.dmp

Filesize
232KB

Download
memory/4100-1440-0x000001E37A220000-0x000001E37A3BB000-memory.dmp

Filesize
1.6MB

Download
memory/5592-366-0x000001EA00B40000-0x000001EA01A28000-memory.dmp

Filesize
14.9MB

Download
memory/5592-368-0x000001EA1D8F0000-0x000001EA1DAE4000-memory.dmp

Filesize
2.0MB

Download
memory/5592-482-0x000001EA24EB0000-0x000001EA25018000-memory.dmp

Filesize
1.4MB

Download
memory/5592-505-0x000001EA25830000-0x000001EA25B12000-memory.dmp

Filesize
2.9MB

Download
memory/5592-501-0x000001EA1D470000-0x000001EA1D4F2000-memory.dmp

Filesize
520KB

Download
memory/5592-507-0x000001EA22C70000-0x000001EA22D22000-memory.dmp

Filesize
712KB

Download
memory/5592-503-0x000001EA1D410000-0x000001EA1D43C000-memory.dmp

Filesize
176KB

Download