stealerium | hxxps://github[.]com/HexShifter0/Xworm-V6[.]0/releases/download/BugFix%2BNewFeature/XWorm[.]V6[.]0[.]zip

Analysis

max time kernel
215s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
12/02/2025, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip

Score

10^/10

stealerium xworm discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

OnCH8EVI1tYADuXo

Attributes

Install_directory
%LocalAppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL
telegram
https://api.telegram.org/bot7483240807:AAEYFrBoMgquxWoikOe9bVlqmoMC2b2AOO4/sendMessage?chat_id=5279018187

aes.plain

Extracted

Family

stealerium

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x001900000002ae57-180.dat	family_xworm
behavioral2/files/0x001900000002ae58-190.dat	family_xworm
behavioral2/files/0x001900000002ae5b-208.dat	family_xworm
behavioral2/memory/3172-210-0x0000000000940000-0x000000000096E000-memory.dmp	family_xworm
behavioral2/memory/2492-211-0x0000000000400000-0x0000000000428000-memory.dmp	family_xworm
behavioral2/memory/3716-209-0x0000000000490000-0x00000000004BC000-memory.dmp	family_xworm

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4988	powershell.exe
4212	powershell.exe
4144	powershell.exe
4788	powershell.exe
5052	powershell.exe
2348	powershell.exe
4760	powershell.exe
1120	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
20	4468	Process not Found

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe

Executes dropped EXE 13 IoCs

pid	Process
3716	Chrome Update.exe
2492	OneDrive.exe
3172	msedge.exe
3736	Xworm V5.6.exe
3060	update.dotnet.exe
3432	Chrome Update.exe
3608	OneDrive.exe
1900	msedge.exe
1500	Xworm V5.6.exe
1788	update.dotnet.exe
2388	XClient.exe
2956	OneDrive.exe
4148	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
32	pastebin.com
34	pastebin.com
40	raw.githubusercontent.com
28	raw.githubusercontent.com
29	pastebin.com
30	pastebin.com
31	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2692	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5056	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2408	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2417498994-1216132997-487892065-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm.V6.0.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5000	schtasks.exe
3532	schtasks.exe
3684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
3080	chrome.exe
2348	powershell.exe
2348	powershell.exe
4760	powershell.exe
4760	powershell.exe
2348	powershell.exe
4760	powershell.exe
1120	powershell.exe
1120	powershell.exe
4988	powershell.exe
4988	powershell.exe
4988	powershell.exe
1120	powershell.exe
4144	powershell.exe
4144	powershell.exe
4212	powershell.exe
4212	powershell.exe
4144	powershell.exe
4212	powershell.exe
4788	powershell.exe
5052	powershell.exe
4788	powershell.exe
5052	powershell.exe
4788	powershell.exe
5052	powershell.exe
3716	Chrome Update.exe
3716	Chrome Update.exe
3172	msedge.exe
3172	msedge.exe
2492	OneDrive.exe
2492	OneDrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe
Token: SeShutdownPrivilege	4764	chrome.exe
Token: SeCreatePagefilePrivilege	4764	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe
4764	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3716	Chrome Update.exe
3172	msedge.exe
2492	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3156	4764	chrome.exe	81
PID 4764 wrote to memory of 3156	4764	chrome.exe	81
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 3692	4764	chrome.exe	82
PID 4764 wrote to memory of 4880	4764	chrome.exe	83
PID 4764 wrote to memory of 4880	4764	chrome.exe	83
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84
PID 4764 wrote to memory of 1784	4764	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/HexShifter0/Xworm-V6.0/releases/download/BugFix%2BNewFeature/XWorm.V6.0.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80d9ccc40,0x7ff80d9ccc4c,0x7ff80d9ccc58
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2044,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1576,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2532 /prefetch:3
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1960,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4540,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4952,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4920,i,18212512328553457833,4253014609526500181,262144 --variations-seed-version=20250210-180233.097000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4068

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTBBODkxNjgtMUUwNy00M0I1LTkzREYtMTdBQzk2RTJENzIwfSIgdXNlcmlkPSJ7NTlDOTM0ODYtRUREOS00ODVBLUFEQ0QtNTI4QkQxMkFDM0U0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Mzk4QjhEQ0YtMzlEQi00QTBBLUFBNTAtQkFBNTZENTJDNTA2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczOTI4MjMwMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzUzNTk3Mjc0MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyMDA3MzYyMzYiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3952

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:3228
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3716
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5000
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4788
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3532
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5052
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3684
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Executes dropped EXE
  PID:3060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\87369ea9-7e5d-4025-9cae-19cc8d4e9cd4.bat"
    3⤵
    PID:3952
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4772
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3060
      4⤵
      Kills process with taskkill
      PID:2408
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:5056

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:1488
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Executes dropped EXE
  PID:1788

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:2388

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:2956

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
42705a084c4853db40e098bec1a31a76

SHA1
894f08285b250a888326aed7897cf517aefe64c0

SHA256
73ae9504915d54c54391cd31cd1e73ccaca33d5f07b4898c349168a70396e2b8

SHA512
c7e7f3da04ff2ddfb027e4ee0d362fee0c4b3495927795b62cc7f120925f0ecec255b7646a5e5e9c08489db08422187440428b594220336c954303226cc1ad0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
46ee2c9c990b7f657b0bef3a52dfeed6

SHA1
386a7f02a0f6cf4dd9ca8afec03bbf1ea50a16f7

SHA256
e04eb40d926da16681ded0f41d86e370942975ac21b2af9ef47430c6134bd36b

SHA512
c101c32d01bcdaf36ad1cb28ed0d34b74ee37bb422a73720bcc0b927950c71a081730763465d0001366d76e604313c07f1e22a4da7237571c84c82f77336c1bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bcf07477f016f4fcfd55420cd520f67d

SHA1
650cbbc7eace81e7e3a5bbeeea5ab6bec5d96d03

SHA256
6471ff61d0c89c5eec3df9a0af2f2de55389aed1ff049738783b50284c4a116d

SHA512
d725b2887a00c6e7df73250465c72241cafb3abca82bd2f20f7fa46daa28a4b8c8508334ce6284eaec1544ce828758a39c842251d0ca24430c0272ba711b594b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
70cb25f4cdfc9de12c0fbbd016f3053e

SHA1
4b28a24619e417649415e7e88334f298023adab9

SHA256
49d0ca04b09bd824b090d9849abe64e86d004e47d64b6ec9508f4bdfd6260920

SHA512
2109d758a35dd94952450b53bef25c5774e70f9e421d0d8cdf1630dd22a7b9ff6a813a0c00b029439a01179c86ecfedc8d28a6a26b9692caa046935402e7c12b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0d569798c7453ee5214dc5f3224b4d73

SHA1
90856c22b32bc63339e0f6c7381cf7c55485ab0f

SHA256
0e1134c0994056d2c9bdd9468c9da5a32e7e75d3002152c74e7aa51431f07912

SHA512
287bbfa7a16a64ea9436ed068e225d73d66b60e7c0ec674efc07bfd00b79259e920d69b0417e15a00f8b58822c00d3d514f5665b367ca5123d392fc89a1f7cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b302e444b13ff9fc691074e1e676e4f5

SHA1
b772d56262efd2137b0e199054e9a12a800d256a

SHA256
92772ab362b26343e131ad96a90d09d20dc322b444d8bed32eeb5a20bd28e977

SHA512
fd4a83e14b1ac1111a528f01b04fea447aecf887cff430b815e745369469031ae219a84be74eb2b2f3567e538878942c8ad957d3618105d5be50c74caeef3112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8285a24416631d84e8a5a7060ec3fffc

SHA1
3fb4de2dc6ee52ef083a8de7c5b60b2edc0acffa

SHA256
913b0b5bb71daeff2c88fb6bd5583c451edea348533fbac7e45ce2916633d793

SHA512
35d84aa38d0f9ae69b443fa0c4e6cea197b6d0fa9df6a6684c54d10590965327756b20d00572c7070614fe40c48c21504f2aa8610d2444d421e06ebc5b652f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1c27561730cac879f1614117a15108b2

SHA1
377134fc8a08539158090015ac5f7b5e1e5c598b

SHA256
bb623fe33836f5c23bddf3fb7af98819d137335a03cd0c5b30e8eee6fe4b67d3

SHA512
336cd03b4184f883d11635446658b37014497464a44a7da5219985283829c59ab4c7768107a7c35e472a5c0f210d2674d4fd16ac02a180dee31da99a74e8f6a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f9d5b62fe68502ef4c736621e5823c6f

SHA1
f6f5df8ac1f51ae70eeaca7bcb107544dbd20af8

SHA256
28bdda7da21c900c83f24eabbae0d1c2e4c3c071fd5dd06803a123cee44bc89e

SHA512
191244fb6d0a65e365503f59ba254005030f312bcbc450f2e55549dee4dcb0fec13ffdac336d7e07f268660dc4ed443eabde31fe7027815c1aeffc5739003ee9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fdda40697e19135f6b978395033ae371

SHA1
8e547ad5bd249160877b9f2f34f5d02f14e1d13e

SHA256
a79d1da84ec8af2c1f404c4e5e4b06951e48794317d4abb6665dbce684ea7988

SHA512
ed0dace9b86181f54290816c607bca3b26d5c2b83123fa6295203f2a1b2fadfb4719a671c5ef4a24d2795f0c4821e70d521e14229e10137f5dbdc5cf1ebc89f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8ef53da4c4849fb9e2c2b48b7ca1409a

SHA1
bcd27401cc6ba24bc1475e26622975d2dbbd2bb8

SHA256
5d4a0537207fe220d36a6eac11054cb4a3d2de3ca6cd547a441008101c1891f7

SHA512
8f813d3502fd22ab07ba418b479d45c5978a8bf50b6bad1e68fe88c2d1f0eb78b8fc95a757065e29a94bded7936d7ebd81f73132524f67794695898ecbe43137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d1910af7a0bd8f7988b89eb4396f56a1

SHA1
da45ed2eb804b3b3417222a7d5020eddd19e289c

SHA256
12c82fa55dcae6713a60d003c5158ac6e7ffa906a17b86a59091291156c64bed

SHA512
a09d4131b4d94b95bf12412d24939ddda07364e6e0172f3acbb4c4d269c081571c00485531cc526599eddb4577658816df96b30c0ccc852530b24aa00f53d1d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
af99ed57fecaa36b0150c38e604efeaf

SHA1
d77702497ed6135d74acb4cc28cd2bdda8274cf8

SHA256
529772ee059a2313111b1933a1fb91b46e61413191f8930a142d44aba978c46f

SHA512
16ae0eb8310b5e66ca742db7717da5d0f1acb53fcb0c45840a99da81d8d9ea4c1a3640f2d46bc540d114c144667de0052ac692ebc92120f5ebb82c27105aec33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
45288606f13b25266dbbc98c7c95892f

SHA1
87100ca4b5c6349a81b7010b0ddc786e2406e7fb

SHA256
8fd43b7a15fc4a75894b07d4df9202d663db5a52af8c110493c71e315734d023

SHA512
ae092373d05a7179079e37c577946f1f536b2186c83c1641d670eac7eaa601b144c872a69dab0bc2dd032f490fd48e456a79961638d34c9bd1809f25b7c117d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c5a4524a46ab044f1d7cb29e0ea4e4a5

SHA1
62cfc0ee650f2494bdb410440dd09e2f356d5874

SHA256
7b4052d019f27793d811ed6da39e7a412cb584bf930ab71944272354a841e2e6

SHA512
9716f307caa1c79159ddbd58bc0278d20eb85e6b71c6910ace138f69b902be63b055e91a441889270f683b7c1382ed04d4a64f080a46d4fe5f4137fb08506231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f2f05fa04ebf81995b332a105bdfea91

SHA1
9681d17f6778854c7f51987390b2e3b1ed384c82

SHA256
d690c2b31f0263bcbd710d85cbe65687cad44594a13a3d5a32dff577533140ed

SHA512
045e26dd316d3f592ece4cfa7974fe783fa72740bd1f96ecb430705b462c9eb8f3d8ab7f6ae7ddb9d86acee4233e1be2b31165189c93f3c4f8d0d0b9ce809494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bd92e9eadb8443da73604a3fc7c5664d

SHA1
89538ab9aa4bc9840e2f6deac9d30b80773c5805

SHA256
682ac58fc9a6dd159afca95eeca7dedae1cde2480abaabb03eb53b9948016855

SHA512
25566b501a8f773f6e028ac58d5ba3160edc19ab52a84a208f20e739dd8e06bf227e334de47927499b4bff6b5004653876595bdcdc30f62c923b47cfff926e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
46fd610ef5aa6f2ab40ebd881da469ea

SHA1
17ce93c7c2d68c70c21129066310efb0e57d2838

SHA256
6599436abd6c3e0f560ad2681e6c1e6885acae3d8d6e696bcdfb9c2dbde977e3

SHA512
1cb807db5c8c58b20aef1939d66a35c4567253961c2b7d777357558d8dacbc86618eccd91a87a1f6d45b4cafab564e4767d8e2a74bd7e2d3dd47ff19c13aee57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
126KB

MD5
fb0c9b03e598c8065b722df22342c4da

SHA1
27940b389fe5462c07de5f0f74e61c58f0281dc8

SHA256
da9c0439e4ead50a2fd8ea6571c644bd197d4696e0a59937f1c878b17eb3bde9

SHA512
a0489aea952b01ccccfed9a05c1e6424b96d207aa108e3f234f3a186bb2ad15bca23b7576f66788f8bd963da2fdeeac1dfbae3b041dc4dc318c1a6da83e87a83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V6.0.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b9b360b86f321509992675cbbb2c25f5

SHA1
c0dc0f9c0558894eaf0c3769d6381f85c45faa88

SHA256
9dcf8030e8774487863580166d2124101c8691de2e2d7f4a4be3cadd810237c2

SHA512
375949cd016ea6df701949dab08173e340f25141b7ca067d2baa98ce3c0b3e48b920bb7f2c59cdd4ab8a2c5d3b59cd38f241ea312aef145daef60dec03378af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34c8b93dd58a4703db0d6dd86bb21d70

SHA1
b53aa49b882070b857951b6638d6da3a03ac2f56

SHA256
34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898

SHA512
bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\87369ea9-7e5d-4025-9cae-19cc8d4e9cd4.bat

Filesize
152B

MD5
580238c5c2a1b877cfb062f0f04a16ba

SHA1
61f822904620b0ffc53480969870fadd84ce9ea2

SHA256
7425747a2ff09c3b41696d360151c63ef705bb9a837a2e72381b8c944948fb89

SHA512
03a84b2bd68b478dfe229b0f5a806b39054d687389e133db17b80831d44e205a9b47cf03eb9f21bd0b5212094cfa024481e7a5f0690e56545d8d200a5c9be551

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdvdwvms.2a0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
C:\Users\Admin\Downloads\XWorm.V6.0.zip

Filesize
34.5MB

MD5
a0b7d7f290385441b7b4c863d3873a22

SHA1
c66d5b61e0c82c05ce271994775bf6124457b6e1

SHA256
b8574159eebd064a1d7854e8422fb0222759bbc31b1469ff7866a06b4aa560f0

SHA512
10ddf84eb55a0b4fbd3a6f4e2549801e897b4789baedf9b73ba00c62afe62ba8f7536f00a223a762922b46826a987a89fd3b298a6fd594978b2205c38b1b3b78

Download Submit
C:\Users\Admin\Downloads\XWorm.V6.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2348-254-0x0000023F78FC0000-0x0000023F78FE2000-memory.dmp

Filesize
136KB

Download
memory/2492-211-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3060-244-0x000002687E9D0000-0x000002687EFE6000-memory.dmp

Filesize
6.1MB

Download
memory/3172-210-0x0000000000940000-0x000000000096E000-memory.dmp

Filesize
184KB

Download
memory/3228-175-0x0000000000C50000-0x00000000021E4000-memory.dmp

Filesize
21.6MB

Download
memory/3716-209-0x0000000000490000-0x00000000004BC000-memory.dmp

Filesize
176KB

Download
memory/3736-245-0x000001D812B60000-0x000001D813A48000-memory.dmp

Filesize
14.9MB

Download