Malware Analysis Report

2025-08-05 19:41

Sample ID 240402-qwwy6sbg5t
Target b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.zip
SHA256 736ec1ee4959f468aa9594fb659e1ac1406956c1928a62e413fd874afc043e59
Tags
xworm rat trojan evasion themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

736ec1ee4959f468aa9594fb659e1ac1406956c1928a62e413fd874afc043e59

Threat Level: Known bad

The file b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.zip was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan evasion themida

Detect Xworm Payload

Xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 13:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 13:37

Reported

2024-04-02 13:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1756 set thread context of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2904 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 1276 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 968 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 828 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2188 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 1636 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 676 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 1816 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2268 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 3060 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 set thread context of 2632 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 2420 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 2420 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 2420 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1756 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
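The two tables above ("Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory") are most useful read together: a parent that writes into a child and then changes that child's thread context is the process-hollowing sequence, which is why the child processes below carry the xSpoofer-new.exe image but run sc/reg/schtasks/powershell-style command lines. The following script is an added example for this report, not sandbox code: it correlates rows of both tables (a subset copied from behavioral1 and behavioral2) into per-(source, target) findings and flags the pairs that show both a remote write and a SetThreadContext call.

```python
"""Correlate 'wrote to memory of' and 'set thread context of' sandbox rows
into process-hollowing candidates.

Added example for this report, not sandbox code. ROWS is a subset of the
behavioral1 (win7) and behavioral2 (win10) signature rows copied from the
report; the row format is the one the tables above use.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (\S+) (\S+)$")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"
SPOOFER = r"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"

ROWS = [
    # behavioral1: the dropper writes into the two children it launches ...
    *([f"PID 2420 wrote to memory of 2080 N/A {DROPPER} {XCLIENT}"] * 3),
    *([f"PID 2420 wrote to memory of 1756 N/A {DROPPER} {SPOOFER}"] * 3),
    # ... and xSpoofer-new.exe writes into suspended copies of itself,
    # then resets their thread context (hollowing)
    *([f"PID 1756 wrote to memory of 2500 N/A {SPOOFER} {SPOOFER}"] * 3),
    *([f"PID 1756 wrote to memory of 2748 N/A {SPOOFER} {SPOOFER}"] * 2),
    f"PID 1756 set thread context of 2500 N/A {SPOOFER} {SPOOFER}",
    f"PID 1756 set thread context of 2748 N/A {SPOOFER} {SPOOFER}",
    # behavioral2: same pattern, different PIDs
    *([f"PID 1020 wrote to memory of 4304 N/A {DROPPER} {XCLIENT}"] * 2),
    *([f"PID 1848 wrote to memory of 4404 N/A {SPOOFER} {SPOOFER}"] * 2),
    f"PID 1848 set thread context of 4404 N/A {SPOOFER} {SPOOFER}",
]


def correlate(rows):
    """Return one finding per (source PID, target PID) pair, sorted by PID."""
    writes = defaultdict(int)   # (src, dst) -> number of remote writes
    ctx = set()                 # (src, dst) pairs with a SetThreadContext call
    images = {}                 # (src, dst) -> (source image, target image)
    for line in rows:
        m = WRITE_RE.match(line.strip())
        if m:
            src, dst, simg, dimg = m.groups()
            writes[(src, dst)] += 1
            images[(src, dst)] = (simg, dimg)
            continue
        m = CTX_RE.match(line.strip())
        if m:
            src, dst, simg, dimg = m.groups()
            ctx.add((src, dst))
            images.setdefault((src, dst), (simg, dimg))

    findings = []
    for key in sorted(set(writes) | ctx, key=lambda k: (int(k[0]), int(k[1]))):
        simg, dimg = images[key]
        n = writes.get(key, 0)
        findings.append({
            "source": key[0], "target": key[1],
            "source_image": simg, "target_image": dimg,
            "writes": n,
            "set_thread_context": key in ctx,
            # remote write plus thread-context change on the same target is
            # the classic hollowing / thread-hijack sequence
            "hollowing": n > 0 and key in ctx,
            # a parent injecting into a copy of its own image is the
            # "spawn self suspended, hollow, resume" variant seen here
            "self_image": simg == dimg,
        })
    return findings


def hollowed_targets(findings):
    """PIDs that were written to and then had their thread context changed."""
    return [f["target"] for f in findings if f["hollowing"]]


if __name__ == "__main__":
    for f in correlate(ROWS):
        tag = "HOLLOWING" if f["hollowing"] else "write only"
        print(f'{f["source"]} -> {f["target"]}: {f["writes"]} writes, {tag}, self-image={f["self_image"]}')
```

The write-only pairs (dropper into XClient.exe and xSpoofer-new.exe) are consistent with a launcher handing data to children it just started; the pairs that also carry a SetThreadContext call are the ones whose command lines should be treated as belonging to the hollowed payload, not to the image name the sandbox reports.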

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disable

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
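Every child in the process list above is reported with the xSpoofer-new.exe image, yet the arguments are those of sc.exe (stop/delete services), reg.exe (delete a service key, force the GameDVR policy), schtasks.exe (disable the XblGameSave tasks) and powershell.exe (remove the Xbox Appx packages); vgk is the service name of Riot's Vanguard anti-cheat driver. An image whose command line carries another tool's argument shape is a cheap detection for hollowing, and the same parse yields the list of things an incident responder has to restore. The script below is an added example for this report, not sandbox code: the argument-shape rules are a heuristic written for the example, and PROCESSES is copied from the process list above.

```python
"""Flag image / command-line mismatches and build a tamper inventory from a
process list.

Added example for this report, not sandbox code. PROCESSES is copied from
the behavioral1 process list above as (image path, command line) pairs; the
TOOL_RULES argument-shape heuristics are written for this example and are
not a sandbox signature.
"""
import re
from pathlib import PureWindowsPath

IMG = r"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
PROCESSES = [
    (IMG, f'"{IMG}"'),
    (IMG, f"{IMG} stop XblAuthManager"),
    (IMG, f"{IMG} stop XblGameSave"),
    (IMG, f"{IMG} stop XboxGipSvc"),
    (IMG, f"{IMG} stop XboxNetApiSvc"),
    (IMG, f"{IMG} stop xboxgip"),
    (IMG, f"{IMG} delete XblAuthManager"),
    (IMG, f"{IMG} delete XblGameSave"),
    (IMG, f"{IMG} delete XboxNetApiSvc"),
    (IMG, f"{IMG} delete XboxGipSvc"),
    (IMG, f"{IMG} delete xboxgip"),
    (IMG, f"{IMG} stop vgk"),
    (IMG, rf'{IMG} delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f'),
    (IMG, rf'{IMG} add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f'),
    (IMG, rf'{IMG} /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable'),
    (IMG, rf'{IMG} /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disable'),
    (IMG, f'{IMG} -Command "& {{Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}}"'),
    (IMG, IMG),
]

# argv[0] (quoted or bare) followed by the rest of the command line
ARGV_RE = re.compile(r'^(?:"([^"]*)"|(\S+))\s*(.*)$')

# which Windows tool normally takes arguments of this shape (reg before sc,
# because both accept a leading "delete")
TOOL_RULES = [
    ("reg.exe", re.compile(r'^(add|delete|query)\s+"?HK(LM|CU|CR|U|CC)\\', re.I)),
    ("sc.exe", re.compile(r"^(stop|delete|start|config|create|query)\s+\S+\s*$", re.I)),
    ("schtasks.exe", re.compile(r"^/(Change|Create|Delete|Run|End|Query)\b", re.I)),
    ("powershell.exe", re.compile(r"^-(Command|c|EncodedCommand|enc|e)\s", re.I)),
]

SC_RE = re.compile(r"^(stop|delete)\s+(\S+)\s*$", re.I)
REG_RE = re.compile(r'^(add|delete)\s+"?([^"\s]+)"?(?:\s+/v\s+(\S+))?(?:\s+/t\s+\S+)?(?:\s+/d\s+(\S+))?', re.I)
TASK_RE = re.compile(r'/TN\s+"?([^"\s]+)"?\s+/(disable|delete)', re.I)
PS_RE = re.compile(r'^-Command\s+"&\s*\{(.*)\}"\s*$', re.I)


def classify(image, cmdline):
    """Return the tool the arguments belong to, or None if no rule matches."""
    m = ARGV_RE.match(cmdline)
    rest = m.group(3) if m else ""
    actual = PureWindowsPath(image).name.lower()
    for tool, rule in TOOL_RULES:
        if rule.match(rest):
            return {"image": actual, "expected_tool": tool, "args": rest,
                    "mismatch": actual != tool}
    return None


def tamper_inventory(processes):
    """Collect what was stopped, deleted, rewritten or disabled."""
    inv = {"services_stopped": [], "services_deleted": [], "registry": [],
           "tasks_disabled": [], "powershell": [], "mismatches": 0}
    for image, cmdline in processes:
        c = classify(image, cmdline)
        if c is None:
            continue
        if c["mismatch"]:
            inv["mismatches"] += 1
        args, tool = c["args"], c["expected_tool"]
        if tool == "sc.exe" and (m := SC_RE.match(args)):
            bucket = "services_stopped" if m[1].lower() == "stop" else "services_deleted"
            inv[bucket].append(m[2])
        elif tool == "reg.exe" and (m := REG_RE.match(args)):
            inv["registry"].append((m[1].lower(), m[2], m[3], m[4]))   # verb, key, value, data
        elif tool == "schtasks.exe" and (m := TASK_RE.search(args)):
            inv["tasks_disabled"].append(m[1])
        elif tool == "powershell.exe" and (m := PS_RE.match(args)):
            inv["powershell"].append(m[1])
    return inv


if __name__ == "__main__":
    for key, value in tamper_inventory(PROCESSES).items():
        print(f"{key}: {value}")
```

On a live host the same pairs come from Sysmon Event ID 1 (Image and CommandLine fields) or from an EDR process tree; the inventory output doubles as the remediation list (re-enable the five Xbox services, restore the xbgm service key and GameDVR policy, re-enable both XblGameSave tasks, reinstall the removed Appx packages), which the process list alone does not present in one place.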

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 xboxlive.com udp
US 8.8.8.8:53 user.auth.xboxlive.com udp
US 8.8.8.8:53 presence-heartbeat.xboxlive.com udp

Files

memory/2420-1-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/2420-0-0x0000000000380000-0x0000000000A8E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 626eb43e3611e3217f8602f7b8206889
SHA1 358935565a0a495a62559b204b7b41cbc365d8d9
SHA256 3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
SHA512 f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

memory/2080-7-0x0000000000980000-0x000000000099C000-memory.dmp

memory/2080-8-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 233320478ce264f9e08d249244dc4fdb
SHA1 af46758a7c39b4edf4b5b0819f732abb5ad19e17
SHA256 edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba
SHA512 b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

memory/2420-14-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/2420-17-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/1756-16-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/1756-18-0x00000000774C0000-0x0000000077669000-memory.dmp

memory/2500-23-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-22-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1756-25-0x0000000004280000-0x0000000004D70000-memory.dmp

memory/2500-28-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

memory/2500-29-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-27-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-32-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-33-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-34-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/1756-37-0x0000000004280000-0x0000000004D70000-memory.dmp

memory/2500-26-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-24-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-21-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2500-20-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2080-39-0x0000000000900000-0x0000000000980000-memory.dmp

memory/2080-40-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

memory/2748-47-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

memory/1756-41-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/2748-53-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1976-61-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

memory/1976-67-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1756-68-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/1756-82-0x00000000774C0000-0x0000000077669000-memory.dmp

memory/2820-83-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1624-98-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1756-97-0x0000000004280000-0x0000000004D70000-memory.dmp

memory/2820-155-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1636-184-0x0000000100000000-0x000000010000F000-memory.dmp

memory/676-197-0x0000000100000000-0x0000000100056000-memory.dmp

memory/1816-211-0x0000000100000000-0x0000000100056000-memory.dmp

memory/2268-224-0x0000000100000000-0x0000000100048000-memory.dmp

memory/3060-237-0x0000000100000000-0x0000000100048000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 18dcfd641e2bd515bf3f583497e9f190
SHA1 128c05d286d815ee61b31ba3c1a1d1aca1720583
SHA256 d3a13414facd5974f187438584dc70b4a8eb265f534401f146180519412f8e1d
SHA512 d249da60c7e0a5c097ee925d3d8bc343a4663d031900c4682d43821d322e59763af45e6cf2dd5d97ba6ef19e2f60ebcc67cfc99c5009b773f86a7f164644800e

memory/2632-253-0x0000000140000000-0x0000000140077000-memory.dmp

memory/968-210-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2188-170-0x0000000100000000-0x000000010000F000-memory.dmp

memory/2188-169-0x0000000100000000-0x000000010000F000-memory.dmp

memory/828-154-0x0000000100000000-0x000000010000F000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 485e3b493d3e0843a255bb3c5340424e
SHA1 1daa7fc3e21c59dd0756d39ea35e09ab53e83aea
SHA256 880d83c0ff985df0a3d9a454d2d861bc4018b0c6304040f53c29a6817a44871d
SHA512 fa5ee9c11e74812acf5ecc9c473a8c52458250a7a709254878438ec287f5f34e90142e8db8ddd3de8848cfe74eae95929e98ded6369fc5809b8eb7d24f047d7d

memory/968-140-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1276-127-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1276-126-0x0000000100000000-0x000000010000F000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 01cc2635f0c521ea12f5ae582ae4beb9
SHA1 c28945aa836d2b59913ff14754966f295470dc52
SHA256 f17cc9f90639e7d3283b829fbeb8e7e944ba9df4839a25abf9a45b52180b2569
SHA512 f078c58564d06c718ee4c279f9c6743038d2c19a2d827d670a3fb3f0ceaf83dba71bc29e965a7f7eca4e6300e9c69b26ff9b6a9e6000f16993b0f2ad184924c9

memory/2904-113-0x0000000100000000-0x000000010000F000-memory.dmp

memory/1756-112-0x0000000004280000-0x0000000004D70000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 156a4c2e3fb23e567834eeda09eb9b25
SHA1 d2697ab15a3bb2776a48bc4ffab220874f0cc243
SHA256 556cbd300605791e8b0d0c0cf2dedfd78e6da05123e18fef3900d10a1e47b55c
SHA512 e5c2cf353e30f20d449a965b7d31a6248134aeee407fafd1fb1d5c15856b26bb4b40d1928898601426080601528da83e5d000361a163daa391c5e9b796ac5405

memory/1624-91-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 b01ef26a47d9b3b2869ff8435f0673f4
SHA1 33b522e9e0eb1fdd2b4fc1129167f84f9be3c4fb
SHA256 287b89409a8169e208eda6789b82052f85672b204773c85b78a1f5fce611e6e4
SHA512 4f3222d61743e1a37fe11937bad8de456429f2bca58be2647acda387215082edff69b8764777994afba953d6517e675d681521c0887204606ae11b7b7158a9bd

memory/2820-76-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

memory/2632-254-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/2632-259-0x0000000002CD0000-0x0000000002D50000-memory.dmp

memory/2632-258-0x0000000002CD0000-0x0000000002D50000-memory.dmp

memory/2632-261-0x0000000002CD0000-0x0000000002D50000-memory.dmp

memory/2632-262-0x0000000002CD0000-0x0000000002D50000-memory.dmp

memory/2632-263-0x0000000140000000-0x0000000140077000-memory.dmp

memory/2632-264-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

memory/2632-260-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

memory/2632-257-0x0000000001D90000-0x0000000001D98000-memory.dmp

memory/2632-255-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

memory/3060-280-0x000000013F360000-0x000000013FE50000-memory.dmp

memory/1756-284-0x00000000774C0000-0x0000000077669000-memory.dmp

memory/1756-283-0x000000013F360000-0x000000013FE50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 13:37

Reported

2024-04-02 13:40

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
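In both detonations the only file the sample touches under the drivers directory is the hosts file, which means "Drops file in Drivers directory" here is name-resolution tampering rather than a driver drop; the report records the open-for-modification but not the content written. The audit below is an added example for this report, not sandbox code: it parses a hosts file, skips the localhost entries a stock file may carry, classifies each remaining override as a sinkhole (loopback or 0.0.0.0) or a redirect (any other address), and marks names under a watchlist taken from the Network table (xboxlive.com, ip-api.com). SAMPLE_HOSTS is constructed for the example; the report does not show what this sample actually wrote.

```python
r"""Audit a Windows hosts file for name overrides.

Added example for this report, not sandbox code. SAMPLE_HOSTS is a
constructed file that shows what such tampering commonly looks like; the
report only records that C:\Windows\system32\drivers\etc\hosts was opened
for modification. The watchlist domains come from the Network table.
"""
import ipaddress
import os

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# (constructed sample; a stock Windows hosts file carries only comments)
#	127.0.0.1       localhost
#	::1             localhost
0.0.0.0     xboxlive.com
0.0.0.0     user.auth.xboxlive.com          # constructed entry
127.0.0.1   presence-heartbeat.xboxlive.com
203.0.113.7 ip-api.com                      # constructed redirect to a non-loopback address
0.0.0.0     example.org
"""


def parse_hosts(text):
    """Yield (line_no, ip, [names]) for every active entry; comments, blanks
    and lines whose first field is not an IP address are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield no, ip, parts[1:]


def on_watchlist(name, watchlist):
    """True when name equals a watchlist domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w)
               for w in (x.lower() for x in watchlist))


def audit_hosts(text, watchlist=()):
    """Return one finding per overridden name, ignoring the localhost names."""
    findings = []
    for no, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            # loopback / unspecified addresses blackhole the name; anything
            # else silently redirects it to a host the attacker chose
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append({"line": no, "ip": str(ip), "name": name, "kind": kind,
                             "watchlisted": on_watchlist(name, watchlist)})
    return findings


if __name__ == "__main__":
    # audit the real file when run on a Windows host, the sample elsewhere
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text, watchlist=("xboxlive.com", "ip-api.com")):
        flag = " [watchlist]" if f["watchlisted"] else ""
        print(f'line {f["line"]}: {f["kind"]:8} {f["name"]} -> {f["ip"]}{flag}')
```

Because a stock Windows hosts file has no active entries, any finding at all is worth a look on a host that ran this sample; the watchlist flag only orders the review. Sinkholing the xboxlive.com names fits the Xbox-service tampering in the process list, and a redirect of ip-api.com would let the operator answer the sample's external-IP lookup themselves.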

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1848 set thread context of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 4060 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 2380 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 3828 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 1360 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 4764 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 2136 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 512 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 944 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 2232 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 4180 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 set thread context of 4308 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1020 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\XClient.exe
PID 1020 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1020 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
PID 1848 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"

C:\Users\Admin\AppData\Roaming\XClient.exe

"C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 57.162.23.2.in-addr.arpa udp
US 8.8.8.8:53 xboxlive.com udp
US 8.8.8.8:53 user.auth.xboxlive.com udp
US 8.8.8.8:53 presence-heartbeat.xboxlive.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
SG 159.65.137.18:1335 141.95.84.21 tcp
US 8.8.8.8:53 18.137.65.159.in-addr.arpa udp
US 8.8.8.8:53 10.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/1020-0-0x0000000000B50000-0x000000000125E000-memory.dmp

memory/1020-1-0x00007FF974490000-0x00007FF974F51000-memory.dmp

C:\Users\Admin\AppData\Roaming\XClient.exe

MD5 626eb43e3611e3217f8602f7b8206889
SHA1 358935565a0a495a62559b204b7b41cbc365d8d9
SHA256 3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
SHA512 f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

memory/4304-13-0x0000000000200000-0x000000000021C000-memory.dmp

memory/4304-14-0x00007FF974490000-0x00007FF974F51000-memory.dmp

C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

MD5 233320478ce264f9e08d249244dc4fdb
SHA1 af46758a7c39b4edf4b5b0819f732abb5ad19e17
SHA256 edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba
SHA512 b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

memory/1848-25-0x00007FF633440000-0x00007FF633F30000-memory.dmp

memory/1020-28-0x00007FF974490000-0x00007FF974F51000-memory.dmp

memory/1848-29-0x00007FF992450000-0x00007FF992645000-memory.dmp

memory/4404-30-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4404-32-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4404-35-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4304-34-0x000000001ADF0000-0x000000001AE00000-memory.dmp

memory/4404-36-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4404-37-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4404-38-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4404-39-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1920-42-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1920-44-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1920-46-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1920-47-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1920-48-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1996-51-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1996-53-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1996-55-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1996-56-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1996-57-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2064-60-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4304-61-0x00007FF974490000-0x00007FF974F51000-memory.dmp

memory/2064-63-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2064-65-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2064-64-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1848-66-0x00007FF633440000-0x00007FF633F30000-memory.dmp

memory/2064-67-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1848-71-0x00007FF992450000-0x00007FF992645000-memory.dmp

memory/4892-70-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4892-73-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4892-75-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4892-76-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4892-77-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2428-80-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2428-82-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2428-84-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4060-87-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4060-89-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4060-91-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4060-90-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2380-94-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2380-96-0x0000000140000000-0x0000000140017000-memory.dmp

memory/2380-98-0x0000000140000000-0x0000000140017000-memory.dmp

memory/3828-101-0x0000000140000000-0x0000000140017000-memory.dmp

memory/3828-103-0x0000000140000000-0x0000000140017000-memory.dmp

memory/3828-105-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1360-108-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1360-110-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1360-111-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4764-114-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4764-117-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4764-118-0x0000000140000000-0x0000000140017000-memory.dmp

memory/4764-116-0x0000000140000000-0x0000000140017000-memory.dmp

memory/1848-121-0x00007FF633440000-0x00007FF633F30000-memory.dmp

memory/2136-123-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2136-122-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2136-119-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2136-124-0x0000000140000000-0x0000000140057000-memory.dmp

memory/2136-125-0x0000000140000000-0x0000000140057000-memory.dmp

memory/512-130-0x0000000140000000-0x0000000140057000-memory.dmp

memory/944-136-0x0000000140000000-0x000000014003E000-memory.dmp

memory/944-137-0x0000000140000000-0x000000014003E000-memory.dmp

memory/2232-143-0x0000000140000000-0x000000014003E000-memory.dmp

memory/4180-151-0x0000000140000000-0x0000000140071000-memory.dmp

memory/4180-153-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-152-0x00007FF974490000-0x00007FF974F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycn2jevy.wne.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4180-163-0x000001E4E6680000-0x000001E4E66A2000-memory.dmp

memory/4180-165-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-166-0x000001E4FE940000-0x000001E4FE956000-memory.dmp

memory/4180-167-0x000001E4FE930000-0x000001E4FE93A000-memory.dmp

memory/4180-168-0x000001E4FE9D0000-0x000001E4FE9F6000-memory.dmp

memory/4180-170-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-171-0x00007FF974490000-0x00007FF974F51000-memory.dmp

memory/4180-172-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-174-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-175-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

memory/4180-178-0x0000000140000000-0x0000000140071000-memory.dmp

memory/4180-179-0x00007FF974490000-0x00007FF974F51000-memory.dmp

memory/4308-185-0x0000000140000000-0x0000000140AE7000-memory.dmp

memory/4308-204-0x0000000140000000-0x0000000140AE7000-memory.dmp

memory/4308-205-0x00000147CFE90000-0x00000147CFE91000-memory.dmp

memory/4308-208-0x0000000140000000-0x0000000140AE7000-memory.dmp