xworm | hxxp://89[.]213[.]248[.]62/

Analysis

max time kernel
252s
max time network
256s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28/02/2025, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://89.213.248.62/

Score

10^/10

xworm agilenet discovery rat trojan

Malware Config

Extracted

Family

xworm

89.213.248.62:7777

Attributes

Install_directory
%AppData%
install_file
Checker.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000027e65-150.dat	family_xworm
behavioral1/memory/4576-153-0x0000000000500000-0x0000000000532000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 4 IoCs

flow	pid	Process
27	1572	chrome.exe
70	1572	chrome.exe
71	1572	chrome.exe
81	1572	chrome.exe

Executes dropped EXE 3 IoCs

pid	Process
4576	OxyCheckerV2.exe
2320	XWormLoader 5.2 x64.exe
3036	XWorm V5.2.exe

Loads dropped DLL 1 IoCs

pid	Process
3036	XWorm V5.2.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0008000000027ede-279.dat	agile_net
behavioral1/memory/3036-292-0x000002E2AE390000-0x000002E2AEFC8000-memory.dmp	agile_net

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852333641336721"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe1000000099ff7b7e6481db010032e2ed6981db017249ed7efd89db0114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1886653772-2813795769-2221171443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe
Token: SeShutdownPrivilege	4128	chrome.exe
Token: SeCreatePagefilePrivilege	4128	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe
4128	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1976	OpenWith.exe
1868	chrome.exe
1868	chrome.exe
1868	chrome.exe
2596	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 2384	4128	chrome.exe	84
PID 4128 wrote to memory of 2384	4128	chrome.exe	84
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1532	4128	chrome.exe	85
PID 4128 wrote to memory of 1572	4128	chrome.exe	86
PID 4128 wrote to memory of 1572	4128	chrome.exe	86
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87
PID 4128 wrote to memory of 2744	4128	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://89.213.248.62/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7fffff86cc40,0x7fffff86cc4c,0x7fffff86cc58
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1960,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1676,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3052,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3068 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3056,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4964,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4940,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5076,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5576,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5636,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5940,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5736,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5744,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=836,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5880,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6080,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:1424
- C:\Users\Admin\Downloads\OxyCheckerV2.exe
  "C:\Users\Admin\Downloads\OxyCheckerV2.exe"
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6200,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5976,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3524,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=6116,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6104,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5848,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5616,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6136,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3028 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5852,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5988,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=6028,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5460,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:1092
- C:\Users\Admin\Downloads\XWorm V5.2.exe
  "C:\Users\Admin\Downloads\XWorm V5.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=5704,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1504 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=6296,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6124,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6552,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=5768,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4980,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5936,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5140,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,13376139710172943903,1464121260792223762,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

C:\Users\Admin\Downloads\XWormLoader 5.2 x64.exe
"C:\Users\Admin\Downloads\XWormLoader 5.2 x64.exe"
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6d77ab776a40cf5847b9f4834e4558b1

SHA1
17d2d18108a6488beeb746d20c6a61077c64b6d9

SHA256
54c09665481754c142765a082e06af184417e94c715b33f5d10922271f3dae71

SHA512
b1eb8a31048b5bac8439ac1083485c0908e65ecc2f6654364401f56dab84df51aa7b6ce2b5da470f7e3c7712b7e75ea15793e07523940a9775da4da60c1a0f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016

Filesize
214KB

MD5
d20fef07db1e8a9290802e00d1d65064

SHA1
71befda9256ed5b8cd8889f0eeab41c50d66e64e

SHA256
f9cb4624d03224bfce50c4c0e484418acd462c249f38b4684e72b27a1f30144d

SHA512
ad5b2c8df60027c6dd5104bb8c2357b04eb24d69245c607ff99a6f2a887f929428252ad793d9aaa8c903c7b1e1bf9653cd35f79747d5281e7e3d2c21fa828537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f042b82bc623edff238b70ec3c25d46e

SHA1
983219dc32336471847fa0c04f613580b2e36307

SHA256
484013aeca134a769b45d0a577f566fe6ebf42ef5628cf9b9cebc240546c6b72

SHA512
66f171a40dfda4383c950791d86865cca918b5ea4bb898aa2e0931e036df64749d46f0e2959e6b771afd0e91a647e6d572f304dc70bc415f09399c663a7b9b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
3b1d9b1fb901b40c4a0b7914d93e42cf

SHA1
5a7d7f9b5c1ea6a1ecc3deff55b39efbc28a8a34

SHA256
11414f4ed3b15a90d8541f749afd7620f71a2d335fe35e95eede1f428740d7f9

SHA512
00bb6fe49676e17f2dde09797e5b1632f208079e9e39dd92247a1b134b9cb81a53ea5e68e56ac8963f211473f0bb04ffd760611aa37206a8334833033711f98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
482372825227065f38ec43d15060efe1

SHA1
a054fe80bb99be1e0a4b73d864f3b539b56fb9d2

SHA256
520d57ac6242f8e633f28d696b50e1821ddd47efe1fd5c68553a2cf25cb7654e

SHA512
4c9351def09a76c77a904c55af51b36cb790f0eb0b5ab05c0b04f33cd93c3b212fca496a0b6c199808516ffeabc18b79d1e518d4eba5f6b7ceba81517bf369d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2fc43a8d25557e813e5218b895fa9e3c

SHA1
4d3ab10eee8d9eafb5a291eb17125b666f2b4886

SHA256
b24e408b49154c393bfa42fe3271370d426d6b01f4b9649cc06ba6461a60802d

SHA512
f9da2360d6349797ebcbd7c9499c56a0740de5d592bacdc8e362c3b3a94edfbdad19cd0248405891edbd642bc366151522e6de7d1c38a0b8d55faded219880d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b51993c696a6d276fcf0df3c762db407

SHA1
267e902064532749a8f5535a8ceac9d1c642ce44

SHA256
976d78c206c6ed9655033823813fc6a342e0153bd23c28722a19b6c56a31d73d

SHA512
b655022afe7da9a04118f697a11220630dd458714245f704e66c1e6ff9dfbd01931b984b7917377311786dda8d4bea4c492a48f4caa8a117b02e29d6ac8a9c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
75fa2b38707ce31de5bafe815d250eef

SHA1
e198ce9d50ce346aa96cbe59e9a5a5eabb9e2216

SHA256
541aea182246d2a720af6db3fdbb362deb49e2a42ff46e0324a749dc4e00a1a3

SHA512
069a5d063e6015722ccb6eb700db4814147027da0c3093da2b6211fb160b693aceb5c67245b0edd38cdeaa4af68322518ab9062fb2cbe7e7c4165668983aa01b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7c64d53641e5a66e12c6c24003e7997

SHA1
47c4e8d96eb56382f7a75b43c76b9d7040fcd544

SHA256
08cf355657f58bb2d59f22ffd97c17dcb69dba6ee349dc32d9934912452a4057

SHA512
72efe5b8b39a1136d723e2079fe75258c0bba7473a923e388a134bb17da0beb85d28896f01b8c7d4eb624cbfc2e310c1b1fd3bffb33e86b1711ecf2325ba6632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee69fbf624617f0c50e52536c5615b44

SHA1
fac01d3c5ed59c626530bd6f59ee65104cd2c8a1

SHA256
dc54d1dc174e2bffbbeb5da9d0302620251b745120d49b9778636e33d800a26b

SHA512
d9b2bf42b666b91de21aa2c4e628ba1d3b63b0c5904dedc741e860bace91ed8c47c2e238178dceac08e222022cd40fd2bee194985de46da95a5a214f45b4e2d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d5576295d58057ad959ee04c6f99a82

SHA1
065fdb394d82cc9ac4f5aa5e3bf5cb9330cdb4ae

SHA256
36800a8e318a7cd191cceaee14a3f2efd64f132f74f9a6563edfcd88601a0d40

SHA512
767a196651741baec7d165be0a4e9c0e4589af38b065f1d0cec59a2cc5c5e19ec9b44d4c43f6bcbc6ceb107c623241208226f71ac48875640d1412493a312acb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9deac6cb17fce9f81d0a05834609e548

SHA1
9d54e857db030262852f98c9febdf6d42e1f4195

SHA256
d40d3ae56f9a52909166c85a1d5015f4f9de4918fedc566ed49211251fd2a946

SHA512
3e6233eb6825fb6f4c59de3aae9e73ac79a8162f7bc26e8f02cd1cc88291378ed016ff1c36c14a264efb1f7c4c6bfa00e94a55813747a7af3dacb591a6bd3a50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83b21e7e1c21c305989ee5b49e5f9af2

SHA1
2f79c4dbcb725eb0044a0c8554a31a57ed31cea5

SHA256
e207c30abf55e876c6c1bce8b40366dd5b6ef128bd4110c2eaab6408db6055c6

SHA512
27d3144a449a684cfaf27ec4854d58057b93304d7062bedae7b03eaf34ab6a109799ba6bc3810758eb0d63e34b18ba5ec2d95a535c2d21283c2b3c6875650aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d46f83d7a5111a534c14156d42fffa7

SHA1
649f7fcce663a6d2df10dd5341259a58b45aee5b

SHA256
5cf771fbf6a1084c58e0ca566f931dea5a326de1da1c97e208351a4051af2b13

SHA512
f157e9df3fa1003e288348de9db552099ca9941e8b8a31ae969b114174c0491cca3b7493a1141e654af8adb29d69449364ad8e74ac881ca2b5110aa617ca4a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d73f378d06e8b758869d6c25d9b50f0d

SHA1
2d450495832afd6707cae15ec76d4ffd94278ee4

SHA256
065dca53f98918c3c1ce55bde913f0e38d971154e66bf06fec1ea4f34eb28195

SHA512
b2098a41fca2536e708c35c58e3afa813723b67beee8ba47581d4bcaf771e64a39555d22af22d668a47921e12d5c83eae88fd37f5d7d972fc2c1fa18dcc60b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a5744e419b131c16276d261b293d0ac

SHA1
1bd523b7decf6a841307b3710a17e1185bbc1026

SHA256
a54b9eef7ad74e381b4a3f1bda0f090b3b7d5cffd7720961cc8c3f88a87b9cd8

SHA512
baf542e17ccb0fc9b99b238d983a8871db18217ca726e06a3bfce7bf5cb453ebf33a1f41f45929b5d754b07778994013fd2f21671ff2b124c058c1ac66eeec70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
068c682f5ddc2f23fcac866d280eddc5

SHA1
9d2c066e95e6db1b6180b94a1ffdae536dfdd8bd

SHA256
7a9f5c386d590ad1ffd4f426ebc0b86e4f3ae303c2a4033d66921602e4d05d5e

SHA512
b927fa7ab2b80f74bcf1ffbd0c231fe53050b82172702bb38115dc80ba93f12ac72aebf906f1cd86a7b87b841381ee6b3bbd4c2bb343ec564dce2f0631c86fd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f4260a338ec7031cdeea2cf17c0e23a

SHA1
72c1e66dd03da8d80401459cf397c4c28183a306

SHA256
fa9c1c74a81f87986c616474bf62812e44f2f1b9e5da9f72c029ac149a77f836

SHA512
b63ad65693b528272d54b50929a8f0b7b69a92681db67c1e8db62e42f86a25b681d80a0ce03c57647a45bc82740a75c4323882659ecda45627e139dbe3ed7e68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e8c0f5be939c01eca5b391c89f15bff

SHA1
46e52736355b8c23f6d045406a535b8a2afc2bac

SHA256
d2d348cd42b9ea387939d6e09bb1119a102a0861b944afb63a13813722b7d10d

SHA512
9d500fcd0a42a7060d23b6c9eda99e24252489f0e0d8a258ae053631735668b7d8d3c3bd382640d145df80a273b75e2b17c8b78110b25429d979805d552c53e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
555fc328a298516419dbbba6f66a913e

SHA1
4e09479cdd62d8d660d8bd1cc7eae6f93e77b2ef

SHA256
439c0219ad7aa10fca1d52888fca5601420077b2e9c9043fcff7c56efc8a6581

SHA512
9b24c44ddf74620c6d5b978ed86b75827344ed4969870a298819613aaf7477ba6f03889df97235df0e1773e3981685bffe9a5ec9246f6445397f7efe52ed735c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c75f7285df242f3441d732ca62723cbd

SHA1
585a113d70809cb18cf4ec820dfb48409a34db80

SHA256
c94160d3cb2e5b3c5b8990b5ba8d1034310e64e067ba2eea1f7f4aa1fcbc70a1

SHA512
21f900af0c58aa1835e33a33782ec600dd69d91e5b03db2834245973baa930fea275a88724097e09e3822eb7946396e803ee40802e99f79d00885008d856a544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9b506471e07053f0dc94be89ce63c868

SHA1
5142b7430941a574d80d06ccedfc2dec4723c1f9

SHA256
21e348e3200436ff4c0e05fb657b2185e96051a9059b5b1e58b0615e57c4a8a3

SHA512
1c9d0c1e84bc794cfb4eda8407179052842c20f9995c4ce729e0b73704f0def99edc04da349b1da18c72faf165f8a914e899da81d37d5e55e5c5d2979f500cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4bd323e698e25f5cfe8752afcf452fd

SHA1
29e4d3736a1ecc7130b90ef978239bd5f239600a

SHA256
b0ffe44c9ae3f15adae784d70d653b78150861b065e8f1915ca834476f60bd6c

SHA512
12ec4b95b84e69e79bd36bf2eb055a096be3419fd13b4f325ccd2b690ab717c350cd12eec67b38ab8c55c08c0fb46297a6d7f14501365f75196c03809b445e23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a77f10de62c058a79d1f0f7136c46d52

SHA1
163d1fbd3384ef2efb5a24cb177546a36f59a930

SHA256
ef14a79ac4d94b51cbf92b5db2187da2f1f08ac2524adb36fe011b52d2ebe7e2

SHA512
bb6636c8ebd9e149c4f2676ee04a8283213364f2ee233826c6dfeac6f334dcf2a377d9982b9fe557a19f656b00f78c7686a6927dacc9c8551ee926d4a979e873

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
7060f6b93dcb0641ebcb250453b215c9

SHA1
02e929897eff8c4987477b9f0e7d807bf1f703dc

SHA256
54739f064a436bdf8be19a78919137af64547050aa05a9b7e4cc601bed27df56

SHA512
fabcccd001a0d6ffcdb0b36146d3b40902c19593a92f59e3759fe1f1ee83f0279f0c2ea91a23cbeb03217fb123686d093bd26b5580597c5cb48e93b22bcb6392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
54a1e3c3c0a5913eb49ccc507279cb90

SHA1
155ec990b65945b6fc671e7b1bb26859192ea5ac

SHA256
cf18171e9cd554c69d21b0cbb45713015e16c75fabc5d5a3f32abf50b1123261

SHA512
febb3178cf31b11de528a5807c8c3a1be430295105a5d0bfec0c46bedbe9964b3519f86ff34f8093c101c7c5aa6d9626ed15a69029c35331230867453eecb978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
e1940c0920a463af6eb3c3d1b7d7782e

SHA1
dada55af187af5374dc48ba5c8d5ce71e2081d49

SHA256
ce5bf5f3775471c4b50a46f9b9a72a8ad3e2021d5d264a3a59da79dfb2b3ae6d

SHA512
2044d8d099ce5e2a41c623c220f694194f168c0548ce1b64da28933151bfa0b11503ac8d4a0151c1bd99f8916b844fe09a164b0818c145d35505c46b31d1d7e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
4be302941413ed8539c43de215956550

SHA1
7ba5ca71b90471b4dd703f80e6c6e96f35d8ecf4

SHA256
0c086ff373c15ee5f45fd71468d2c73f700dd05b4e54d6f73646edd03fe26e37

SHA512
12f37bfebe89389cf43e0fad22f6d6f0bef1d5b985eebd6f6846f4fef041ab21e29953c1a55895cce837cc5095fa24a05e5f636ef58654447a72828818461916

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\Downloads\07c270fd-8980-4781-b12c-385c897e0384.tmp

Filesize
64KB

MD5
98822acae603184ea65f4d701d4027f4

SHA1
eb1528c7eae86e5f57b50bbe9547af421929142f

SHA256
614f67eae455bc6d7f5bba01509d271355fef00bac29974d88eb546994179fe8

SHA512
3c1ae26e803ddf0ab0e0376aa93269cc858a07e186d01477ef94839a05d5283b8df4395fc6c778892ecf8d542b327c71e18c0ef93824ce373f10fc64d2f5a3d3

Download Submit
C:\Users\Admin\Downloads\OxyCheckerV2.exe

Filesize
175KB

MD5
e257605c2950afc1b21235ae2eff4852

SHA1
c604a8f3eb901466ebb8c5bd85410c294da705f5

SHA256
f33d6d6d48959c468049f8a31dae3832da85d404443ccc971cafd12f92ab12f5

SHA512
0b4b3085672d7cf2ca37d83e2218a1e9955eab7e89d9861243b95162e914644a12b6c3837f7642cc964db54193e878abf6a04fe1f443faf6f214a88f390f8766

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Downloads\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Downloads\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Downloads\XWormLoader 5.2 x64.exe.config.crdownload

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
memory/2320-267-0x0000000000CA0000-0x0000000000CC0000-memory.dmp

Filesize
128KB

Download
memory/3036-300-0x000002E2CA490000-0x000002E2CB07C000-memory.dmp

Filesize
11.9MB

Download
memory/3036-292-0x000002E2AE390000-0x000002E2AEFC8000-memory.dmp

Filesize
12.2MB

Download
memory/4576-152-0x00007FFFEB9D3000-0x00007FFFEB9D5000-memory.dmp

Filesize
8KB

Download
memory/4576-153-0x0000000000500000-0x0000000000532000-memory.dmp

Filesize
200KB

Download
memory/4576-155-0x00007FFFEB9D0000-0x00007FFFEC492000-memory.dmp

Filesize
10.8MB

Download
memory/4576-154-0x00007FFFEB9D0000-0x00007FFFEC492000-memory.dmp

Filesize
10.8MB

Download