Analysis

max time kernel: 1795s
max time network: 1780s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11-04-2024 14:03

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://tinyurl.com/Xworm-v5
Resource: win11-20240221-en

General

Target: https://tinyurl.com/Xworm-v5
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid    process
  2628   XWorm V5.0.exe
  984    XWormLoader.exe
  2032   XWormLoader.exe
  2824   XWorm V5.0.exe

Loads dropped DLL (2 IoCs)
  pid    process
  2628   XWorm V5.0.exe
  2824   XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                        yara_rule
  C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe                    agile_net
  behavioral1/memory/2628-252-0x00000187AAEC0000-0x00000187AB932000-memory.dmp    agile_net
Both hits are the same binary: the dropped file on disk and its 10.4MB image mapped in pid 2628 (the same size as the file; see the memory dumps under Downloads).

Program crash (2 IoCs)
  pid    pid_target   process        target process
  5060   984          WerFault.exe   XWormLoader.exe
  3096   2032         WerFault.exe   XWormLoader.exe
Both XWormLoader.exe instances crashed shortly after launch. The reporting WerFault.exe runs from SysWOW64, so the loader is a 32-bit process.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                      process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                       msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName     msedge.exe
All three hits come from the browser, not from the dropped binaries.

Modifies registry class (1 IoC)
  description   ioc                                                                                     process
  Key created   \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000_Classes\Local Settings     msedge.exe

NTFS ADS (6 IoCs)
  description                    ioc                                                                            process
  File opened for modification   C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip:Zone.Identifier                msedge.exe
  File created                   C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe:Zone.Identifier    7zFM.exe
  File created                   C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe:Zone.Identifier   7zFM.exe
  File created                   C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe:Zone.Identifier   7zFM.exe
  File created                   C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe:Zone.Identifier    7zFM.exe
  File created                   C:\Users\Admin\AppData\Local\Temp\7zOC0B3F688\XWorm V5.0.exe:Zone.Identifier    7zFM.exe
Edge writes the mark-of-the-web stream on the downloaded zip and 7-Zip propagates it to every executable it extracts, so the Internet-zone mark is still present on the dropped files when they run. One of the five 7zO* extraction folders (7zOC0B3F688) has no matching process entry below, i.e. that copy was extracted but never executed.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid    process               hits
  3132   msedge.exe            2
  248    msedge.exe            2
  2556   msedge.exe            2
  4792   identity_helper.exe   2
  2188   msedge.exe            2
  2828   7zFM.exe              10
  1216   msedge.exe            4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  2828   7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  pid    process      hits
  248    msedge.exe   14

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token                        pid    process
  33                           1956   AUDIODG.EXE
  SeIncBasePriorityPrivilege   1956   AUDIODG.EXE
  SeRestorePrivilege           2828   7zFM.exe
  35                           2828   7zFM.exe
  SeSecurityPrivilege          2828   7zFM.exe
  SeDebugPrivilege             2628   XWorm V5.0.exe
  SeSecurityPrivilege          2828   7zFM.exe
  SeSecurityPrivilege          2828   7zFM.exe
  SeSecurityPrivilege          2828   7zFM.exe
  SeDebugPrivilege             2824   XWorm V5.0.exe
  SeSecurityPrivilege          2828   7zFM.exe
  SeSecurityPrivilege          2828   7zFM.exe
The numeric tokens are raw privilege LUIDs (33 = SeIncreaseWorkingSetPrivilege, 35 = SeCreateSymbolicLinkPrivilege). An archiver enabling SeRestorePrivilege and SeSecurityPrivilege while extracting is expected. The entries that matter are the two XWorm V5.0.exe instances (2628, 2824) enabling SeDebugPrivilege, which lets a process open handles to processes it does not own.

Suspicious use of FindShellTrayWindow (40 IoCs)
  pid    process      hits
  248    msedge.exe   33
  2828   7zFM.exe     7

Suspicious use of SendNotifyMessage (12 IoCs)
  pid    process      hits
  248    msedge.exe   12

Suspicious use of WriteProcessMemory (64 IoCs)
  description                  pid   process      target pid   target process   hits
  PID 248 wrote to memory of   248   msedge.exe   1600         msedge.exe       2
  PID 248 wrote to memory of   248   msedge.exe   2972         msedge.exe       see note
  PID 248 wrote to memory of   248   msedge.exe   3132         msedge.exe       2
  PID 248 wrote to memory of   248   msedge.exe   2396         msedge.exe       see note
All 64 writes are the Edge browser process (248) writing into its own child processes; the 60 writes not listed against 1600 and 3132 are split between 2972 and 2396. This is normal Chromium child-process bootstrapping, not the sample.
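The NTFS ADS entries above show the mark-of-the-web chain: the Edge quarantine utility process writes a Zone.Identifier stream on the downloaded zip, and 7zFM.exe recreates the stream on each executable it extracts into a 7zO* temp folder. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses Zone.Identifier stream content, names the zone, and hashes a constructed minimal 26-byte stream so the digest can be compared with the 26B ".zip:Zone.Identifier" entry listed under Downloads. The sample stream contents and the example.invalid URLs are constructed; read_zone_identifier only works on an NTFS volume under Windows.

```python
"""Parse and hash NTFS Zone.Identifier (mark-of-the-web) streams."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the minimal stream a browser writes for an Internet-zone
# download. It is 26 bytes long, the size of the .zip:Zone.Identifier entry in the report.
SAMPLE_MINIMAL_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"

# Constructed sample with referrer/host URLs; the URLs are placeholders, not the
# ones the 87-byte streams in this report contain.
SAMPLE_STREAM_WITH_URLS = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=https://example.invalid/\r\n"
    b"HostUrl=https://example.invalid/payload.zip\r\n"
)

# URLZONE values used by Windows security zones.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def has_mark_of_the_web(self) -> bool:
        # Only Internet (3) and Restricted sites (4) make SmartScreen and Office
        # Protected View treat the file as untrusted.
        return self.zone_id in (3, 4)


def parse_zone_identifier(data: bytes) -> ZoneIdentifier:
    """Parse the INI-style [ZoneTransfer] section; missing or malformed fields become None."""
    fields: Dict[str, str] = {}
    in_section = False
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    zone_id: Optional[int] = None
    if fields.get("zoneid", "").isdigit():
        zone_id = int(fields["zoneid"])
    return ZoneIdentifier(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def digests(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of a stream, for comparison with a sandbox's file listing."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """Read <path>:Zone.Identifier on an NTFS volume (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    zi = parse_zone_identifier(SAMPLE_MINIMAL_STREAM)
    print(len(SAMPLE_MINIMAL_STREAM), "bytes;", zi.zone_name, digests(SAMPLE_MINIMAL_STREAM)["md5"])
```

On a live host, read_zone_identifier(r"C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip") returns the parsed stream for the download, and the same call on the extracted executables shows whether the archiver kept the mark; a file that has lost it has bypassed SmartScreen's first check.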
Processes

The tree below is indented by depth. PIDs in parentheses are correlated from the signature tables above (the WerFault -p argument names the crashed loader; the Agile.Net YARA hit ties pid 2628 to the 7zOC0B1F4D7 copy of the builder, leaving 2824 for the 7zOC0B98A28 copy).

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (browser process, pid 248)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tinyurl.com/Xworm-v5
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd33e53cb8,0x7ffd33e53cc8,0x7ffd33e53cd8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2360 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5060 /prefetch:8

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (quarantine service; this is the Edge process that writes Zone.Identifier on the download)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2540 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,4872407382489219034,1996901854794853753,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\AUDIODG.EXE (pid 1956)
    cmd: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Program Files\7-Zip\7zFM.exe (pid 2828)
    cmd: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm v5.0 (Crack).zip\XWorm v5.0 (Crack)\XWorm v5.0.rar"
    The zip contains a nested XWorm v5.0.rar; the Temp1_ path is where the built-in Windows zip handler stages a file opened from inside a zip, and 7-Zip then extracts each executable to its own 7zO* temp folder before running it.
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

    [2] C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe (pid 2628)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe (pid 984)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe"
        - Executes dropped EXE

        [3] C:\Windows\SysWOW64\WerFault.exe (pid 5060)
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 908
            - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe (pid 2032)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zOC0BFA818\XWormLoader.exe"
        - Executes dropped EXE

        [3] C:\Windows\SysWOW64\WerFault.exe (pid 3096)
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 896
            - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe (pid 2824)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zOC0B98A28\XWorm V5.0.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 984 -ip 984

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2032 -ip 2032
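The process tree above is the kind of lineage a detection engineer would turn into rules: executables launched by 7zFM.exe straight out of a Temp\7zO* extraction folder, WerFault reporting that one of them crashed, and a dropped executable enabling SeDebugPrivilege. The Python below is an added example, not part of this report or of the sandbox, and runs those three rules over constructed process events modelled on the tree. PIDs, image paths and command lines follow the report's tables; the parent PIDs, the pid of the -pss WerFault instance (7001) and the WinRAR/Explorer folder patterns in the regex are assumptions.

```python
"""Process-lineage detection run over events modelled on this report's process tree."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    pid: int
    parent_pid: int
    image: str
    command_line: str
    privileges_enabled: List[str] = field(default_factory=list)


# Temp folders that archive viewers extract into before a double-clicked file runs.
# 7-Zip's GUI uses Temp\7zO<hex>\ (seen in the report); the Rar$ and Temp<n>_*.zip
# alternatives are assumed WinRAR / Explorer conventions, not taken from the report.
ARCHIVE_TEMP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(?:7zO[0-9A-F]+|Rar\$[A-Za-z0-9]+\.\d+|Temp\d+_[^\\]+\.zip)\\",
    re.IGNORECASE,
)
ARCHIVE_VIEWERS = {"7zfm.exe", "7zg.exe", "winrar.exe", "explorer.exe"}
# WerFault names the crashed process with "-p <pid>" (present in both the -u and -pss forms).
WERFAULT_TARGET_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcessEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that trips one of three rules."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    crashes_reported = set()
    for e in events:
        parent = by_pid.get(e.parent_pid)
        from_archive = ARCHIVE_TEMP_RE.search(e.image) is not None
        # Rule 1: executable launched straight out of an archive viewer's temp folder.
        if from_archive and parent is not None and basename(parent.image) in ARCHIVE_VIEWERS:
            findings.append(("exe_run_from_archive_temp", e.pid, f"{basename(parent.image)} -> {e.image}"))
        # Rule 2: WerFault reporting a crash of such an executable (reported once per pid).
        if basename(e.image) == "werfault.exe":
            m = WERFAULT_TARGET_RE.search(e.command_line)
            crashed = by_pid.get(int(m.group(1))) if m else None
            if crashed is not None and crashed.pid not in crashes_reported and ARCHIVE_TEMP_RE.search(crashed.image):
                crashes_reported.add(crashed.pid)
                findings.append(("dropped_exe_crashed", crashed.pid, crashed.image))
        # Rule 3: the dropped executable enables SeDebugPrivilege in its own token.
        if from_archive and "SeDebugPrivilege" in e.privileges_enabled:
            findings.append(("dropped_exe_sedebug", e.pid, e.image))
    return findings


# Constructed sample events. PIDs, images and command lines follow the report's
# signature tables; parent PIDs and the -pss WerFault pid (7001) are assumed.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcessEvent(248, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tinyurl.com/Xworm-v5'),
    ProcessEvent(2828, 0, r"C:\Program Files\7-Zip\7zFM.exe",
                 r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_XWorm v5.0 (Crack).zip\XWorm v5.0 (Crack)\XWorm v5.0.rar"',
                 ["SeRestorePrivilege", "SeSecurityPrivilege"]),
    ProcessEvent(2628, 2828, T + r"\7zOC0B1F4D7\XWorm V5.0.exe", '"' + T + r'\7zOC0B1F4D7\XWorm V5.0.exe"', ["SeDebugPrivilege"]),
    ProcessEvent(984, 2828, T + r"\7zOC0BFB208\XWormLoader.exe", '"' + T + r'\7zOC0BFB208\XWormLoader.exe"'),
    ProcessEvent(5060, 984, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 908"),
    ProcessEvent(2032, 2828, T + r"\7zOC0BFA818\XWormLoader.exe", '"' + T + r'\7zOC0BFA818\XWormLoader.exe"'),
    ProcessEvent(3096, 2032, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 896"),
    ProcessEvent(2824, 2828, T + r"\7zOC0B98A28\XWorm V5.0.exe", '"' + T + r'\7zOC0B98A28\XWorm V5.0.exe"', ["SeDebugPrivilege"]),
    ProcessEvent(7001, 0, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 984 -ip 984"),
]


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Rule 1 fires for all four dropped executables, rule 2 once for each crashed loader (the -pss WerFault for 984 is deduplicated), and rule 3 for the two builder instances; the Edge process tree trips nothing, which is the false-positive check worth keeping in the sample.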
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    c65e704fc47bc3d9d2c45a244bb74d76
  SHA1:   3e7917feebea866e0909e089e0b976b4a0947a6e
  SHA256: 2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110
  SHA512: 36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    5c3ea95e17becd26086dd59ba83b8e84
  SHA1:   7943b2a84dcf26240afc77459ffaaf269bfef29f
  SHA256: a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc
  SHA512: 64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5:    f46224a4cc769252e7701e63935f29fe
  SHA1:   966772eaece8421be6e8e53fac174bfe03a9c336
  SHA256: 8c30d3be5b68aadbd2cdad39e0d7e21197fa88cba3f367e151b074830dcb3bb8
  SHA512: 66c865983a22204ada2de571498d98b1e48c3619e811fe27a64aaccfcdf65042384e3395c69f01d03ca68ba9bd128a9de16fca12b9aa5027ef815f4894217dca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
  Filesize: 16B
  MD5:    46295cac801e5d4857d09837238a6394
  SHA1:   44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 257B
  MD5:    3842b39dfd9c594179bff5cc01c282a8
  SHA1:   a6b1391fe067b1926cf81eb43c93a2a44f8cf3df
  SHA256: 2ae59fc3ecf8aca282a53a1212e95aeef3828eb7a471e543df73ce17bbf6c8a1
  SHA512: c714360ebe31a9def378688d4bda22f4ee253571e8dc80da94ad8c197ff9de7537eb960d23480c214075ae7fa717662e56b8cc065b67a06f2ab44ca1d2f7649b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 327B
  MD5:    7f8bf2b4515007acd5ee7326f05632e8
  SHA1:   1e7e807764262ba9102de71371c0e66a6d30cffb
  SHA256: 78a571e2c1ebcb286b1c27607c3235dd4ba0d5152b984344e78a312f5c6b0d8c
  SHA512: d38fd1a52abdf5681a1a8b5f379c1445171b099a2468f273da02a0abf4a3f2ad8159235341689907bdad2dbb4fe8f8da9a32e71e80b33b1a0afb0e57d644d08d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5:    d8bf4349eab0e8bb9dbce397648267c1
  SHA1:   d6b4d0b6d43aa595768842da8dff60d74b6bc6ab
  SHA256: 6abf187124f3802690767a48fdb80daaf021cb6244ca6a066c5f5bba7165843b
  SHA512: 0718dab17ff053d4cec63bce57714ca9ff115c1a5559080e321ba66235fdea8f76a15a6b39adff58207e41026fc523918d6bf2f37b74ca5c0a7cd7e143081d98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    3bc227eea90db2b636471f3d8fbd7e45
  SHA1:   1cca4e709a09dad198940113082bca9607950ce2
  SHA256: bae3a5c33a0f62b1af6314f9a8ed7cf4e0ad6077dc6be2edb06086e80f413231
  SHA512: 22a789ceb20f7dde8890216a45ad8cfdae6bbe33992506c12274447a367c9d6ca3becbf486fb41f827bd19069edcd0d95d5304d12743cff573aa03f879f4d312

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    f9a849d885621f992514427a972ab402
  SHA1:   e04f8fe9dda49fe8a97d2b0dc925521a05317790
  SHA256: 3ed7fac3e9ee6856a220e1d26d9e0704d93fb6f4fab91d477b5bc2fd2b023631
  SHA512: c3c361b3c8069b2ccc4f0424814878886b3ebe2680662f835807cdaac3146e6ad3c2ba536bb30e9dd8c6b320ad1df32a3b19341144c588c2935a6b8f21927321

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    f69336154bca0b0f3a53668cdf5b1862
  SHA1:   ed51fc98eae443bdc73162f77401f26c5a939177
  SHA256: 27fae90f7dd965e66dc0d45305bc05d6e98544b222d4cc6a45da96bb5382725d
  SHA512: bfa475bd9321f67477319bde3cd69ef2c0756f2dc212921578f4f31d3655e31e557d0fa691f1f0ce77856c551fb6298568b3f8e1d7ea3b06080eb738138e04b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    c8d7189bc3d7876ef5b13f32ad28c052
  SHA1:   dca1af24f0106cc795236ac22075f82bcec82964
  SHA256: f4cf8b5bc036e127947da01f3f53814ac30d09ee32244dd16ff664337d183952
  SHA512: e97b6265271edf0f691651c8947e534af12c5dd3937979bb4a0906c92b37831ed7c8f9db8b408deb3b4a1c0042e5c28ec36515980fdea23e018d9d0f9a4afe93

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    e5308b597f4b87d689e8e016361e350b
  SHA1:   8391a76ad0fbbfa0f45c4f3d9a0830c1cc7a084e
  SHA256: f0d0e7d518e92ea18528fed56cc6236b1bf99ec74423646dc3435535b51d75c2
  SHA512: 026b58b5ecaff7621a21260435730288b51b9d72274e61e39ed5b95d302c9543870cc94a9184b14f479eb91750b57bf4956773a1d660a21b49c487fa0242574c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
  Filesize: 41B
  MD5:    5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1:   d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5:    161f8463de818e3c5cb5fea78909a710
  SHA1:   66108d405dbe3950e3e90d85e6ce3764bba2b303
  SHA256: 843136dd2a650c738bb217711503efeda971a048b82ff522e336dfbfc07dccaa
  SHA512: ce980dbce0ba57c6996f97ffb724bd9a16ae33204c709c97d1b1d01465c9f6311ee6b06edd81deb3e95cc116a2b624346cab7fbedc03eaf91ca089695ba38207

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b1fa.TMP
  Filesize: 48B
  MD5:    0d551d03efee5c2177a3442b9673b523
  SHA1:   d5a0a92140fc5b39375ef9b6b942ed7ea34c81da
  SHA256: 4940dd7d9564c52b6b6eb83687a777718bbad277e9b72772bd04cc7966722901
  SHA512: 418dfe88a32bfd71e2daf6310610cc192caec839553ce0ddefd665b51178d5d1e9a9156d27ca4e7f59520193b01cca1e44ac48cc9d2ddd673ec70f526faefa43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    206702161f94c5cd39fadd03f4014d98
  SHA1:   bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    077c6c4589f3179b5e797c4d8335fa4c
  SHA1:   675717a29d00488886279506395fd069dedc366f
  SHA256: 5bc4c7d0eccb3fe7c2de8832173a6a20086baf99d41b62c32ab0d2dd23cdfa52
  SHA512: b77dcf682606a5dc2b78651944c1a5e5d8577d67e9a1b0b5cae878bb3c6b760deb1de7da25d234f4666c92e2411f3f1a203f756a902024c3ab4b74562aa32d47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    ec15e703847e54878f55fb2557c09e56
  SHA1:   9840c7c49d272776960398772514aff4cea7c7f9
  SHA256: 2c83d64bf360a06caaa8fbf38296ac0a4bc1a1a6873a421d314121e5be81a4cf
  SHA512: 74997d9ea31df5f41d30f591f3131331179765e85a5e939b0e4c74a11a47ff5f6045ba538fc0de7966c3625215aa46e1fa56e665ff612e3a749cea17d07a6a79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    934a5f3af2d4c7a5aedbbf0a5191de72
  SHA1:   fcc33191dea6f64b5cd4a373f061669ea0a52412
  SHA256: 75df7b9552969bfce5dcb7253aede00ba365bd109522652c23cb5baaa1c27548
  SHA512: be4421727aa71837adcf417251ddd31858ed50397d3e3ab6a5b6664f5971938ba578cb2cb347347f4e831ce983ff4f11a25373b878f23c7c50bad2382c2239b3
C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe
  Filesize: 10.4MB
  MD5:    227494b22a4ee99f48a269c362fd5f19
  SHA1:   d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9
  SHA256: 7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2
  SHA512: 71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

C:\Users\Admin\AppData\Local\Temp\7zOC0B1F4D7\XWorm V5.0.exe:Zone.Identifier
  Filesize: 87B
  MD5:    113e1915ae1f5f91752f332fe2ec4b02
  SHA1:   5dc3a14d394dc8e5e9373e71d1498daa2f03d34f
  SHA256: 420b85e5a28d7d0478dc11e40edfa46f5aabf3974820208238c66d0a07e0483b
  SHA512: d417dd8129d7cfc15ce02ec0e38ef297f6c46e1b06921633a1b7f091f2f5d604bfb61104badfc69ddfada7f3c816be333d26de38a2361fa10cb74a624a48b40c

C:\Users\Admin\AppData\Local\Temp\7zOC0BFB208\XWormLoader.exe
  Filesize: 101KB
  MD5:    39d81ca537ceb52632fbb2e975c3ee2f
  SHA1:   0a3814bd3ccea28b144983daab277d72313524e4
  SHA256: 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7
  SHA512: 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a

C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
  Filesize: 112KB
  MD5:    a239b7cac8be034a23e7e231d3bcc6df
  SHA1:   ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d
  SHA256: 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8
  SHA512: c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip
  Filesize: 31.5MB
  MD5:    531f0c6040e1a59de66b9c78102ecf83
  SHA1:   2a189d4102d1eda3fdf1b4eef28f8b92ab3693aa
  SHA256: 121f7cf59b49b51bfdb57a5bf95c542e5b4237da6f5a784aa77c8931b0d172a4
  SHA512: a48883b52e4b49901d9d0cd0cd1e5b3e3ad760173e638b854514bf79f631647684dbe56a8020f7670bd3e98a6ff74786a5031d537019ec8392d61f113517606e

C:\Users\Admin\Downloads\XWorm v5.0 (Crack).zip:Zone.Identifier
  Filesize: 26B
  MD5:    fbccf14d504b7b2dbcb5a5bda75bd93b
  SHA1:   d59fc84cdd5217c6cf74785703655f78da6b582b
  SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
  SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
\??\pipe\LOCAL\crashpad_248_ADYDTCVCDUYUPERG
  Filesize: not reported (the digests below are those of zero-length content)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Memory dumps (pid-ordinal-range)                                         Filesize
memory/984-294-0x0000000074BD0000-0x0000000075381000-memory.dmp          7.7MB
memory/984-293-0x00000000000F0000-0x000000000010E000-memory.dmp          120KB
memory/984-295-0x0000000074BD0000-0x0000000075381000-memory.dmp          7.7MB
memory/2032-318-0x0000000074BD0000-0x0000000075381000-memory.dmp         7.7MB
memory/2032-317-0x0000000000670000-0x000000000068E000-memory.dmp         120KB
memory/2032-319-0x0000000074BD0000-0x0000000075381000-memory.dmp         7.7MB
memory/2628-260-0x00000187C66F0000-0x00000187C6700000-memory.dmp         64KB
memory/2628-262-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp         10.8MB
memory/2628-261-0x00000187C6700000-0x00000187C72B6000-memory.dmp         11.7MB
memory/2628-252-0x00000187AAEC0000-0x00000187AB932000-memory.dmp         10.4MB
memory/2628-251-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp         10.8MB
memory/2824-345-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp         10.8MB
memory/2824-344-0x0000015D616A0000-0x0000015D616B0000-memory.dmp         64KB
memory/2824-341-0x00007FFD1F280000-0x00007FFD1FD42000-memory.dmp         10.8MB