hxxps://tinyurl[.]com/Xworm-v5

Analysis

max time kernel
1795s
max time network
1780s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
11-04-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://tinyurl.com/Xworm-v5

Score

7^/10

agilenet

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

XWorm V5.0.exeXWormLoader.exeXWormLoader.exeXWorm V5.0.exe

pid process

2628 XWorm V5.0.exe
984 XWormLoader.exe
2032 XWormLoader.exe
2824 XWorm V5.0.exe
Loads dropped DLL 2 IoCs

Processes:

XWorm V5.0.exeXWorm V5.0.exe

pid process

2628 XWorm V5.0.exe
2824 XWorm V5.0.exe

pid	process
2628	XWorm V5.0.exe
984	XWormLoader.exe
2032	XWormLoader.exe
2824	XWorm V5.0.exe

pid	process
2628	XWorm V5.0.exe
2824	XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe	agile_net
behavioral1/memory/2628-252-0x00000187AAEC0000-0x00000187AB932000-memory.dmp	agile_net

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5060 984 WerFault.exe XWormLoader.exe
3096 2032 WerFault.exe XWormLoader.exe

pid	pid_target	process	target process
5060	984	WerFault.exe	XWormLoader.exe
3096	2032	WerFault.exe	XWormLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings	msedge.exe

NTFS ADS 6 IoCs

Processes:

msedge.exe7zFM.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zOC0B3F688\XWorm V5.0.exe:Zone.Identifier	7zFM.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe7zFM.exemsedge.exe

pid	process
3132	msedge.exe
3132	msedge.exe
248	msedge.exe
248	msedge.exe
2556	msedge.exe
2556	msedge.exe
4792	identity_helper.exe
4792	identity_helper.exe
2188	msedge.exe
2188	msedge.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe
1216	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2828 7zFM.exe

pid	process
2828	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AUDIODG.EXE7zFM.exeXWorm V5.0.exeXWorm V5.0.exe

description	pid	process
Token: 33	1956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1956	AUDIODG.EXE
Token: SeRestorePrivilege	2828	7zFM.exe
Token: 35	2828	7zFM.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeDebugPrivilege	2628	XWorm V5.0.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeDebugPrivilege	2824	XWorm V5.0.exe
Token: SeSecurityPrivilege	2828	7zFM.exe
Token: SeSecurityPrivilege	2828	7zFM.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe
2828	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe
248	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 248 wrote to memory of 1600	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 1600	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2972	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 3132	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 3132	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe
PID 248 wrote to memory of 2396	248	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tinyurl.com/Xworm-v5
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd33e53cb8,0x7ffd33e53cc8,0x7ffd33e53cd8
2⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2360 /prefetch:8
2⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
2⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
2⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2540 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
2⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
2⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
2⤵
PID:1352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2216

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm v5.0 (Crack).zip\XWorm v5.0 (Crack)\XWorm v5.0.rar"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2828

C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe"
2⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 908
3⤵
- Program crash
PID:5060

C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe"
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 896
3⤵
- Program crash
PID:3096

C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 984 -ip 984
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2032 -ip 2032
1⤵
PID:1120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
f46224a4cc769252e7701e63935f29fe

SHA1
966772eaece8421be6e8e53fac174bfe03a9c336

SHA256
8c30d3be5b68aadbd2cdad39e0d7e21197fa88cba3f367e151b074830dcb3bb8

SHA512
66c865983a22204ada2de571498d98b1e48c3619e811fe27a64aaccfcdf65042384e3395c69f01d03ca68ba9bd128a9de16fca12b9aa5027ef815f4894217dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
257B

MD5
3842b39dfd9c594179bff5cc01c282a8

SHA1
a6b1391fe067b1926cf81eb43c93a2a44f8cf3df

SHA256
2ae59fc3ecf8aca282a53a1212e95aeef3828eb7a471e543df73ce17bbf6c8a1

SHA512
c714360ebe31a9def378688d4bda22f4ee253571e8dc80da94ad8c197ff9de7537eb960d23480c214075ae7fa717662e56b8cc065b67a06f2ab44ca1d2f7649b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
327B

MD5
7f8bf2b4515007acd5ee7326f05632e8

SHA1
1e7e807764262ba9102de71371c0e66a6d30cffb

SHA256
78a571e2c1ebcb286b1c27607c3235dd4ba0d5152b984344e78a312f5c6b0d8c

SHA512
d38fd1a52abdf5681a1a8b5f379c1445171b099a2468f273da02a0abf4a3f2ad8159235341689907bdad2dbb4fe8f8da9a32e71e80b33b1a0afb0e57d644d08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d8bf4349eab0e8bb9dbce397648267c1

SHA1
d6b4d0b6d43aa595768842da8dff60d74b6bc6ab

SHA256
6abf187124f3802690767a48fdb80daaf021cb6244ca6a066c5f5bba7165843b

SHA512
0718dab17ff053d4cec63bce57714ca9ff115c1a5559080e321ba66235fdea8f76a15a6b39adff58207e41026fc523918d6bf2f37b74ca5c0a7cd7e143081d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3bc227eea90db2b636471f3d8fbd7e45

SHA1
1cca4e709a09dad198940113082bca9607950ce2

SHA256
bae3a5c33a0f62b1af6314f9a8ed7cf4e0ad6077dc6be2edb06086e80f413231

SHA512
22a789ceb20f7dde8890216a45ad8cfdae6bbe33992506c12274447a367c9d6ca3becbf486fb41f827bd19069edcd0d95d5304d12743cff573aa03f879f4d312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f9a849d885621f992514427a972ab402

SHA1
e04f8fe9dda49fe8a97d2b0dc925521a05317790

SHA256
3ed7fac3e9ee6856a220e1d26d9e0704d93fb6f4fab91d477b5bc2fd2b023631

SHA512
c3c361b3c8069b2ccc4f0424814878886b3ebe2680662f835807cdaac3146e6ad3c2ba536bb30e9dd8c6b320ad1df32a3b19341144c588c2935a6b8f21927321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f69336154bca0b0f3a53668cdf5b1862

SHA1
ed51fc98eae443bdc73162f77401f26c5a939177

SHA256
27fae90f7dd965e66dc0d45305bc05d6e98544b222d4cc6a45da96bb5382725d

SHA512
bfa475bd9321f67477319bde3cd69ef2c0756f2dc212921578f4f31d3655e31e557d0fa691f1f0ce77856c551fb6298568b3f8e1d7ea3b06080eb738138e04b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c8d7189bc3d7876ef5b13f32ad28c052

SHA1
dca1af24f0106cc795236ac22075f82bcec82964

SHA256
f4cf8b5bc036e127947da01f3f53814ac30d09ee32244dd16ff664337d183952

SHA512
e97b6265271edf0f691651c8947e534af12c5dd3937979bb4a0906c92b37831ed7c8f9db8b408deb3b4a1c0042e5c28ec36515980fdea23e018d9d0f9a4afe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e5308b597f4b87d689e8e016361e350b

SHA1
8391a76ad0fbbfa0f45c4f3d9a0830c1cc7a084e

SHA256
f0d0e7d518e92ea18528fed56cc6236b1bf99ec74423646dc3435535b51d75c2

SHA512
026b58b5ecaff7621a21260435730288b51b9d72274e61e39ed5b95d302c9543870cc94a9184b14f479eb91750b57bf4956773a1d660a21b49c487fa0242574c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
161f8463de818e3c5cb5fea78909a710

SHA1
66108d405dbe3950e3e90d85e6ce3764bba2b303

SHA256
843136dd2a650c738bb217711503efeda971a048b82ff522e336dfbfc07dccaa

SHA512
ce980dbce0ba57c6996f97ffb724bd9a16ae33204c709c97d1b1d01465c9f6311ee6b06edd81deb3e95cc116a2b624346cab7fbedc03eaf91ca089695ba38207

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b1fa.TMP
Filesize
48B

MD5
0d551d03efee5c2177a3442b9673b523

SHA1
d5a0a92140fc5b39375ef9b6b942ed7ea34c81da

SHA256
4940dd7d9564c52b6b6eb83687a777718bbad277e9b72772bd04cc7966722901

SHA512
418dfe88a32bfd71e2daf6310610cc192caec839553ce0ddefd665b51178d5d1e9a9156d27ca4e7f59520193b01cca1e44ac48cc9d2ddd673ec70f526faefa43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
077c6c4589f3179b5e797c4d8335fa4c

SHA1
675717a29d00488886279506395fd069dedc366f

SHA256
5bc4c7d0eccb3fe7c2de8832173a6a20086baf99d41b62c32ab0d2dd23cdfa52

SHA512
b77dcf682606a5dc2b78651944c1a5e5d8577d67e9a1b0b5cae878bb3c6b760deb1de7da25d234f4666c92e2411f3f1a203f756a902024c3ab4b74562aa32d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ec15e703847e54878f55fb2557c09e56

SHA1
9840c7c49d272776960398772514aff4cea7c7f9

SHA256
2c83d64bf360a06caaa8fbf38296ac0a4bc1a1a6873a421d314121e5be81a4cf

SHA512
74997d9ea31df5f41d30f591f3131331179765e85a5e939b0e4c74a11a47ff5f6045ba538fc0de7966c3625215aa46e1fa56e665ff612e3a749cea17d07a6a79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
934a5f3af2d4c7a5aedbbf0a5191de72

SHA1
fcc33191dea6f64b5cd4a373f061669ea0a52412

SHA256
75df7b9552969bfce5dcb7253aede00ba365bd109522652c23cb5baaa1c27548

SHA512
be4421727aa71837adcf417251ddd31858ed50397d3e3ab6a5b6664f5971938ba578cb2cb347347f4e831ce983ff4f11a25373b878f23c7c50bad2382c2239b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe
Filesize
10.4MB

MD5
227494b22a4ee99f48a269c362fd5f19

SHA1
d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

SHA256
7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

SHA512
71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe:Zone.Identifier
Filesize
87B

MD5
113e1915ae1f5f91752f332fe2ec4b02

SHA1
5dc3a14d394dc8e5e9373e71d1498daa2f03d34f

SHA256
420b85e5a28d7d0478dc11e40edfa46f5aabf3974820208238c66d0a07e0483b

SHA512
d417dd8129d7cfc15ce02ec0e38ef297f6c46e1b06921633a1b7f091f2f5d604bfb61104badfc69ddfada7f3c816be333d26de38a2361fa10cb74a624a48b40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe
Filesize
101KB

MD5
39d81ca537ceb52632fbb2e975c3ee2f

SHA1
0a3814bd3ccea28b144983daab277d72313524e4

SHA256
76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7

SHA512
18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
Filesize
112KB

MD5
a239b7cac8be034a23e7e231d3bcc6df

SHA1
ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

SHA256
063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

SHA512
c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

Download Submit
C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip
Filesize
31.5MB

MD5
531f0c6040e1a59de66b9c78102ecf83

SHA1
2a189d4102d1eda3fdf1b4eef28f8b92ab3693aa

SHA256
121f7cf59b49b51bfdb57a5bf95c542e5b4237da6f5a784aa77c8931b0d172a4

SHA512
a48883b52e4b49901d9d0cd0cd1e5b3e3ad760173e638b854514bf79f631647684dbe56a8020f7670bd3e98a6ff74786a5031d537019ec8392d61f113517606e

Download Submit
C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_248_ADYDTCVCDUYUPERG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/984-294-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/984-293-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/984-295-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/2032-318-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/2032-317-0x0000000000670000-0x000000000068E000-memory.dmp

Filesize
120KB

Download
memory/2032-319-0x0000000074BD0000-0x0000000075381000-memory.dmp

Filesize
7.7MB

Download
memory/2628-260-0x00000187C66F0000-0x00000187C6700000-memory.dmp

Filesize
64KB

Download
memory/2628-262-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp

Filesize
10.8MB

Download
memory/2628-261-0x00000187C6700000-0x00000187C72B6000-memory.dmp

Filesize
11.7MB

Download
memory/2628-252-0x00000187AAEC0000-0x00000187AB932000-memory.dmp

Filesize
10.4MB

Download
memory/2628-251-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp

Filesize
10.8MB

Download
memory/2824-345-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp

Filesize
10.8MB

Download
memory/2824-344-0x0000015D616A0000-0x0000015D616B0000-memory.dmp

Filesize
64KB

Download
memory/2824-341-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp

Filesize
10.8MB

Download