Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://telegra.ph/XW...

windows11-21h2-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    307s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-04-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://telegra.ph/XWorm-50-09-06

Score
10/10
xwormagilenetrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

Rg1w8TcZ1AXGhMnB

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsDefender.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 6 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 19 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://telegra.ph/XWorm-50-09-06
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff83f2f3cb8,0x7ff83f2f3cc8,0x7ff83f2f3cd8
      2⤵
        PID:4348
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        2⤵
          PID:4836
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:832
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
          2⤵
            PID:3832
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
            2⤵
              PID:4720
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
              2⤵
                PID:4848
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
                2⤵
                  PID:4036
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2712
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                  2⤵
                    PID:804
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
                    2⤵
                      PID:3108
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
                      2⤵
                        PID:3380
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
                        2⤵
                          PID:2640
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
                          2⤵
                            PID:4060
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
                            2⤵
                              PID:3112
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
                              2⤵
                                PID:3544
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
                                2⤵
                                  PID:4040
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
                                  2⤵
                                    PID:4504
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:2772
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
                                    2⤵
                                      PID:3416
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
                                      2⤵
                                        PID:4224
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                                        2⤵
                                          PID:2008
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
                                          2⤵
                                            PID:4240
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
                                            2⤵
                                              PID:656
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
                                              2⤵
                                                PID:2912
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
                                                2⤵
                                                  PID:4776
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                                                  2⤵
                                                    PID:2452
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
                                                    2⤵
                                                      PID:1588
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6872 /prefetch:8
                                                      2⤵
                                                      • NTFS ADS
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:3112
                                                    • C:\Program Files\7-Zip\7zFM.exe
                                                      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
                                                      2⤵
                                                      • Modifies registry class
                                                      • NTFS ADS
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      PID:4848
                                                      • C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        PID:4376
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 872
                                                          4⤵
                                                          • Program crash
                                                          PID:1432
                                                      • C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1028
                                                      • C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7zO0F23FB88\XWorm V5.0.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3564
                                                      • C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\7zO0F26BCB8\Fix64.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        PID:4152
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 872
                                                          4⤵
                                                          • Program crash
                                                          PID:3808
                                                      • C:\Windows\system32\NOTEPAD.EXE
                                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt
                                                        3⤵
                                                        • Opens file in notepad (likely ransom note)
                                                        PID:5044
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat" "
                                                        3⤵
                                                          PID:4088
                                                          • C:\Windows\system32\lodctr.exe
                                                            lodctr /r
                                                            4⤵
                                                            • Drops file in System32 directory
                                                            PID:2724
                                                        • C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\7zO0F2CCCF9\XWorm V5.0.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1952
                                                        • C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: AddClipboardFormatListener
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3800
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe'
                                                            4⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3288
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWormLoader.exe'
                                                            4⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3960
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender.exe'
                                                            4⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3720
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
                                                            4⤵
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:3456
                                                          • C:\Windows\System32\schtasks.exe
                                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender.exe"
                                                            4⤵
                                                            • Creates scheduled task(s)
                                                            PID:3828
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9041400168977101031,4010029029594844033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6928 /prefetch:2
                                                        2⤵
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:2272
                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                      1⤵
                                                        PID:2520
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:2700
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376
                                                          1⤵
                                                            PID:428
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4152 -ip 4152
                                                            1⤵
                                                              PID:1620
                                                            • C:\Windows\System32\rundll32.exe
                                                              C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                              1⤵
                                                                PID:776
                                                              • C:\Program Files\7-Zip\7zFM.exe
                                                                "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
                                                                1⤵
                                                                • Modifies registry class
                                                                • NTFS ADS
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                • Suspicious use of FindShellTrayWindow
                                                                PID:3848
                                                                • C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\7zO80F95F1A\XWormLoader.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3740
                                                                • C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\7zO80F55A2A\XWorm V5.0.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2116
                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE64EA\FixNoStart.txt
                                                                  2⤵
                                                                  • Opens file in notepad (likely ransom note)
                                                                  PID:640
                                                                • C:\Windows\system32\NOTEPAD.EXE
                                                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO80FE298A\FixNoStart.txt
                                                                  2⤵
                                                                  • Opens file in notepad (likely ransom note)
                                                                  PID:2472
                                                                • C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\7zO80FDD38A\Fix64.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:1940
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 844
                                                                    3⤵
                                                                    • Program crash
                                                                    PID:5116
                                                                • C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\7zO80F9A69A\Fix64.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:5016
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 844
                                                                    3⤵
                                                                    • Program crash
                                                                    PID:4672
                                                              • C:\ProgramData\WindowsDefender.exe
                                                                C:\ProgramData\WindowsDefender.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:664
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940
                                                                1⤵
                                                                  PID:2380
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5016 -ip 5016
                                                                  1⤵
                                                                    PID:3244
                                                                  • C:\Program Files\7-Zip\7zFM.exe
                                                                    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\XWorm-V5.0.rar"
                                                                    1⤵
                                                                    • NTFS ADS
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:32
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\7zO02029A2B\XWormLoader.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2728
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\7zO0208BE3B\XWorm V5.0.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1120
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO020EC24B\Fixer.bat" "
                                                                      2⤵
                                                                        PID:3900
                                                                        • C:\Windows\system32\lodctr.exe
                                                                          lodctr /r
                                                                          3⤵
                                                                          • Drops file in System32 directory
                                                                          PID:1412
                                                                      • C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\7zO0202A29B\XWorm V5.0.exe"
                                                                        2⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3836
                                                                    • C:\ProgramData\WindowsDefender.exe
                                                                      C:\ProgramData\WindowsDefender.exe
                                                                      1⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4572

                                                                    Network

                                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                                    Initial Access

                                                                    Execution

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Persistence

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Privilege Escalation

                                                                    Scheduled Task/Job

                                                                    1
                                                                    T1053

                                                                    Defense Evasion

                                                                    Credential Access

                                                                    Discovery

                                                                    System Information Discovery

                                                                    2
                                                                    T1082

                                                                    Query Registry

                                                                    2
                                                                    T1012

                                                                    Lateral Movement

                                                                    Collection

                                                                    Exfiltration

                                                                    Command and Control

                                                                    Impact

                                                                    Resource Development

                                                                    Reconnaissance

                                                                    Replay Monitor

                                                                    Loading Replay Monitor...

                                                                    Downloads

                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      627073ee3ca9676911bee35548eff2b8

                                                                      SHA1

                                                                      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                      SHA256

                                                                      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                      SHA512

                                                                      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                      Filesize

                                                                      152B

                                                                      MD5

                                                                      d4604cbec2768d84c36d8ab35dfed413

                                                                      SHA1

                                                                      a5b3db6d2a1fa5a8de9999966172239a9b1340c2

                                                                      SHA256

                                                                      4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2

                                                                      SHA512

                                                                      c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                      Filesize

                                                                      152B

                                                                      MD5

                                                                      577e1c0c1d7ab0053d280fcc67377478

                                                                      SHA1

                                                                      60032085bb950466bba9185ba965e228ec8915e5

                                                                      SHA256

                                                                      1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158

                                                                      SHA512

                                                                      39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                      Filesize

                                                                      1KB

                                                                      MD5

                                                                      21dc328b80ea14c96337e7e379a93187

                                                                      SHA1

                                                                      ca988018e5c0dca9893e6063e26b49d3f1d8b3b9

                                                                      SHA256

                                                                      d5f211975a4353450919ce05ee6dd3d38843dbff4edd53f52ccaeeae6860d847

                                                                      SHA512

                                                                      12026740ba91a666a5f6bc790722d391a4ccfc3dfb73c3176709d2a083e4f2a7cc07ca7d8aa7980eff61253cb7b0d69eb32aee4bedcadbe9638a0e8876ecb518

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                      Filesize

                                                                      3KB

                                                                      MD5

                                                                      db01c8bd8a523977913ca58f7b04fa95

                                                                      SHA1

                                                                      7cbb95b4bfebc9dae13994a913e772cd5bbdd115

                                                                      SHA256

                                                                      604958c8738454d21c9caf240b60ea5342c071e7529e1156ac3fb504e3b770e7

                                                                      SHA512

                                                                      23673a825f8cc6d03d00ffcf4eea1ca52f0bd5f71dbe944b1b98157bb5684f6e18abf8c305ba7c243e2908e5ae46d007caa7aca30b528fca6254dae5534878cc

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      5KB

                                                                      MD5

                                                                      080697ee611e232b344032f618ce9950

                                                                      SHA1

                                                                      c84ba2f4ee8fd4e1d7d2bdadb0112f8e4e2ab3cc

                                                                      SHA256

                                                                      d98f97e71ab479ae6818a3cb26c410277957ac211225f89ef92f020c8510628c

                                                                      SHA512

                                                                      b24077e9181ca455ba8e70d7955d9dfaec19027da465283a52cc309a02e6a0d88964a8e7cfb99a27106ced7f11145e7827f6a65789f20ec5b226dbc1fdd46753

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      8KB

                                                                      MD5

                                                                      8e662b8ecd410760c9a6a9f73570cdd5

                                                                      SHA1

                                                                      6b59c6cc0e124d55a24b72d1868b163b77a9b979

                                                                      SHA256

                                                                      d444708a6aedb81cdf3d250ccbc5f06d25b4b4b2a15708707848805de8040c92

                                                                      SHA512

                                                                      6ed49297722fcf08a991dad36b0d25b9afe08f4106cdb992d27ea57680b4fb3421e59cc13d75a2d096759d5394356cd80beb5b0b878e6ac3ffa01ab66bcae675

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      7KB

                                                                      MD5

                                                                      7ba9266e06b6424c9566276b0585d225

                                                                      SHA1

                                                                      fcda45affa3fb9dd40f3df247dfbc7eb0d0179c6

                                                                      SHA256

                                                                      e5c33c8d740202177909a7fe1ccf23039b918485ca8265ec704d9240bf18bdb2

                                                                      SHA512

                                                                      054d87766d7dab6f7be790607f77a4259500b1b5b657bc05c1c425a42e282000997d4effef863abf610a5a51b9a7eee77941c357f7adb94cc4a76947b481a8e3

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                      Filesize

                                                                      8KB

                                                                      MD5

                                                                      351478e9a0ab1edc0064f5339e7e8c4d

                                                                      SHA1

                                                                      8d91d67af4e07f5cc31e0e00eb8f8a14a1965f27

                                                                      SHA256

                                                                      52b88e3c62534564ab60f293789227a4ba5516174fa7111d1fda98672bbf20b0

                                                                      SHA512

                                                                      1fe5e6cdc763e9f5f6f393a84377a11918d2461cba5acd745e49a50ea0628af42bfa0ed26e489c1c14252548b85423da215fb48bf5d2186b12b561a16569a23a

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                                                                      Filesize

                                                                      240B

                                                                      MD5

                                                                      91d271306fa0b9b581bb2f5eeceb59e2

                                                                      SHA1

                                                                      8415067a76887f1d93ccd72413e6d2ce70814747

                                                                      SHA256

                                                                      69cb11be05655da9b7ac1b3aed46766d6c118fe00448e8dd57936c487fccae80

                                                                      SHA512

                                                                      707c499eef7738e5a26def1860b6471b86d74fe7bc34c7a9c67f72a08869edd2368665606d8d63ba038e70cd182f94e6ecc120ed40fc60f948fff83a26606557

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582e3f.TMP
                                                                      Filesize

                                                                      48B

                                                                      MD5

                                                                      368fd9b0cf868c7873a285c00d31af92

                                                                      SHA1

                                                                      cc613f4545f152b99d5336e0714ff7cae23909dc

                                                                      SHA256

                                                                      1624a8da19084a3e5defe985e761befe7cd4f9d73d4ef506eb5fd05de6feef9a

                                                                      SHA512

                                                                      414296c18cd9b5513277195683a16fd2d8a1312874261d9de3b82a9f14b1b9044a7e4abcb910edd370fbf00165fdb1eae8c7757a5bc551f918641c56c527c49c

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      72faa99835d113982c4e3409e1f2a72e

                                                                      SHA1

                                                                      b8aa0aa74e18ac12bb87b35a599ef2d59d6f335a

                                                                      SHA256

                                                                      cd6b8d86f97f3f83cb84de9611c46715350d9884e5caeb0d1f13b00192022bda

                                                                      SHA512

                                                                      7eb14642038410aa6a02ff1a336982f60d2ac288beb4fa0729856775928803380bbe2e6a848b2092c13c1a902c88758db29d4414650531ec0275175c83a7672a

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff40.TMP
                                                                      Filesize

                                                                      2KB

                                                                      MD5

                                                                      7ae6f06b4f7d33468de605d3ddf3b77f

                                                                      SHA1

                                                                      902558f795b44b3ca5034636111a24fb5f50b468

                                                                      SHA256

                                                                      93ae5041eafd946f922601e32069d8457d024450371a2e8b869ca340e557e0b6

                                                                      SHA512

                                                                      7b3a738af401ded64a297ab823227e644361f8a1c641dc64235678131e504f0aaaafd1f6c76b791b247d0b776655e2ffc6acdfe5e2dd70d2606e920cda661041

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      46295cac801e5d4857d09837238a6394

                                                                      SHA1

                                                                      44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                      SHA256

                                                                      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                      SHA512

                                                                      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                      Filesize

                                                                      16B

                                                                      MD5

                                                                      206702161f94c5cd39fadd03f4014d98

                                                                      SHA1

                                                                      bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                      SHA256

                                                                      1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                      SHA512

                                                                      0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      72cecbcc82c8163fb76d17990e999b2c

                                                                      SHA1

                                                                      a67a85c4098a31c0ba43422df8d09cbb364db82c

                                                                      SHA256

                                                                      460e27513c2f5f272e636f5d82bfb357eeba9f6c9ee789a33ea3721a04620ab7

                                                                      SHA512

                                                                      56f75a8f9002735fdb5def7cb98ea99f94e0873f4fff62490747dbbf874ef471fbd502d37e50b28667abf6770b3a579708fda72f6f6182add0726aca356d7b02

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      10dd1382343e8556643dec6bd3222bf5

                                                                      SHA1

                                                                      ae0512dbe0639109a31fe7872ca46bd80e26dff0

                                                                      SHA256

                                                                      16a38dce4a55f58695de0895da297bcc7c55a3be1544f89bd973431d3ed4ba60

                                                                      SHA512

                                                                      9e1f2bd9362e4f0531b617cba00ea185f815fae092030350f4a108d217a4df34513f17acccac542fc30d59188ab392fcc411f0fd296bfb190cec9b92e364827e

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                      Filesize

                                                                      11KB

                                                                      MD5

                                                                      9df49f7ea06a964408561ae55094ab32

                                                                      SHA1

                                                                      4deefb4776aa71926885d1ccadd6c2fa522fc205

                                                                      SHA256

                                                                      5dc41c86b3f391e5312939271567a23210aef29c914feae7cf44346e48e158b1

                                                                      SHA512

                                                                      81e67ac308620206453a67c5258f8c92294b1bbe7bf136f14ba024360fada3d8a28ced1c23dde8bcd217e8fd1c9ca2143ac9d0a70d661e246428fcc959167659

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
                                                                      Filesize

                                                                      14KB

                                                                      MD5

                                                                      8f13c1e871ec6f02652b38b31cfcba9a

                                                                      SHA1

                                                                      992d553ea0cac9f8e95434418dcf8c3bf618d5f6

                                                                      SHA256

                                                                      3764b0ce3b692039ae60e9da386a7070dc6c98cede0df101504186746659568d

                                                                      SHA512

                                                                      2d15217c773c1c1c33c4af93fff26edbe891fadea2b789d493735f5284c99a643d86489bdca678a55ebb1793c8ce37a80b37d2b393722d4c134865ad100bf456

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      6903d57eed54e89b68ebb957928d1b99

                                                                      SHA1

                                                                      fade011fbf2e4bc044d41e380cf70bd6a9f73212

                                                                      SHA256

                                                                      36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

                                                                      SHA512

                                                                      c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      051a74485331f9d9f5014e58ec71566c

                                                                      SHA1

                                                                      4ed0256a84f2e95609a0b4d5c249bca624db8fe4

                                                                      SHA256

                                                                      3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

                                                                      SHA512

                                                                      1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                      Filesize

                                                                      944B

                                                                      MD5

                                                                      119f072cb44ba7b650fdcf73c670cef0

                                                                      SHA1

                                                                      c2c60b6f946a7b06f86ee1f50c2487e6d4c44f3a

                                                                      SHA256

                                                                      bd76b46dd2400be6c57f805ca3ed77e87a55440d1e2bdbc822b984e07cea8bdb

                                                                      SHA512

                                                                      f56c37835af1c800362f248344bb00cbab528a2be60d9a8c7e14ffa214b55c9a802769d60151c954051fc52df5a67895d899c18819ee89c1116a5bb66064cf73

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe
                                                                      Filesize

                                                                      101KB

                                                                      MD5

                                                                      3bd72a361ce4e5514c2e6eee83f08545

                                                                      SHA1

                                                                      a5089aa08760b87c7940e6e1e0eac39509a1a9da

                                                                      SHA256

                                                                      62a14b870bde8d57e50360039d3474210d1fdaf490afdd1bf36ce92fbaff893b

                                                                      SHA512

                                                                      4cc7da68e5b766be6ace9d9ae0458fd09b827fc565dc545ad9d43b4f87638e622f3d280189c23e521dbac3311c583f66d96a9ce751b9aa985036a46b0f2cbc7d

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F21A268\Fix64.exe:Zone.Identifier
                                                                      Filesize

                                                                      196B

                                                                      MD5

                                                                      2e9fc08e958c9c759f5453ce430cc8ce

                                                                      SHA1

                                                                      4a9e35901267cec3d9a66b057d2e829a3645c61e

                                                                      SHA256

                                                                      ce12b7f8deeb2c8c86ff0c4bfe89918605cd1050c2f9bb5d516ff040b801b7a5

                                                                      SHA512

                                                                      a895710af8ee9cea3453c2c1d0aeb4825d2078e2eb19b4952abdf9362f5fea2b161bf3ab6699fa9c694c16e9360029103209bab1800ebbb2d65ae962543a4d41

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F234F38\XWorm V5.0.exe
                                                                      Filesize

                                                                      10.4MB

                                                                      MD5

                                                                      227494b22a4ee99f48a269c362fd5f19

                                                                      SHA1

                                                                      d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9

                                                                      SHA256

                                                                      7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2

                                                                      SHA512

                                                                      71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F298639\Fixer.bat
                                                                      Filesize

                                                                      122B

                                                                      MD5

                                                                      2dabc46ce85aaff29f22cd74ec074f86

                                                                      SHA1

                                                                      208ae3e48d67b94cc8be7bbfd9341d373fa8a730

                                                                      SHA256

                                                                      a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

                                                                      SHA512

                                                                      6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F2D6099\XWormLoader.exe
                                                                      Filesize

                                                                      111KB

                                                                      MD5

                                                                      9158e38c3bacd6cc50e4355783fead8b

                                                                      SHA1

                                                                      c30c982c2d061e4bd8b5e0e3f89693b3939a0833

                                                                      SHA256

                                                                      1f10356e86d377e76ab31ca4401f0f49f4caa9587227c61c56f8fc38dc4d7bda

                                                                      SHA512

                                                                      98683f6d5954238428b83df22acef64b7b3ca12b84c6b7cdd90063e4800006d3243b678eb5702045c32e8a7fd76c44cd453d6b6aca732b5a4d50d555d1b753bd

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\7zO0F2FF049\FixNoStart.txt
                                                                      Filesize

                                                                      108B

                                                                      MD5

                                                                      d29fc8fa55dbe2092a0557dc967be12e

                                                                      SHA1

                                                                      96e829d1c325514c1ac86432a6bb101512a8b58e

                                                                      SHA256

                                                                      454871b7ec4e5870757ad7ca884f70aee89116c154d6126078d2a7d43c2106fd

                                                                      SHA512

                                                                      c0e2bfca18fb719c1f84145438c8afdeb53012fdf82d14b9bd128da2495352ed2140e6ae9a5e52e2f0b01e371db71d5126ae9f7ba6225349ebd9c79ba370ad2f

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
                                                                      Filesize

                                                                      112KB

                                                                      MD5

                                                                      a239b7cac8be034a23e7e231d3bcc6df

                                                                      SHA1

                                                                      ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d

                                                                      SHA256

                                                                      063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8

                                                                      SHA512

                                                                      c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524

                                                                      Download Submit
                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3zmvd2k.xop.ps1
                                                                      Filesize

                                                                      60B

                                                                      MD5

                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                      SHA1

                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                      SHA256

                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                      SHA512

                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                      Download Submit
                                                                    • C:\Users\Admin\Downloads\XWorm-V5.0.rar
                                                                      Filesize

                                                                      28.8MB

                                                                      MD5

                                                                      f778fc725ed79c15d3ad889e7a33bea8

                                                                      SHA1

                                                                      6dfce5a46e080fb2436b09a5ed68b98b4c28c17d

                                                                      SHA256

                                                                      c2a1b97d657542e949496bc96e5a6c4e0beb101a629e7591519d0cb7e906dbfa

                                                                      SHA512

                                                                      ecb5365ae67963d1d246851a852fda53d7ed100e99377d340124b432a3d502044d4ae3abf2e67f7b1224dd08e42e45906d173fcf0e667ec1f052102a4196745a

                                                                      Download Submit
                                                                    • C:\Users\Admin\Downloads\XWorm-V5.0.rar:Zone.Identifier
                                                                      Filesize

                                                                      26B

                                                                      MD5

                                                                      fbccf14d504b7b2dbcb5a5bda75bd93b

                                                                      SHA1

                                                                      d59fc84cdd5217c6cf74785703655f78da6b582b

                                                                      SHA256

                                                                      eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                      SHA512

                                                                      aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                      Download Submit
                                                                    • C:\Windows\System32\perfc009.dat
                                                                      Filesize

                                                                      35KB

                                                                      MD5

                                                                      7f41bddfccdfe4a298b0bfcf14a20836

                                                                      SHA1

                                                                      8acacdd3503c65fb2ddc4fbb9f41811ae8550276

                                                                      SHA256

                                                                      446d064235ee69494d5797e01e4039eca0a026c9b801cacf0670334104eedbbb

                                                                      SHA512

                                                                      bb984e7660899c293eb3e8c14156cee5237e0cd2b0ada7b03c850f027a08d728fe8774f7a377e911ed54bd788ac5c88fd6e24b41fda6d5020dc6fae0e4980c85

                                                                      Download Submit
                                                                    • C:\Windows\System32\perfh009.dat
                                                                      Filesize

                                                                      297KB

                                                                      MD5

                                                                      50362589add3f92e63c918a06d664416

                                                                      SHA1

                                                                      e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

                                                                      SHA256

                                                                      9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

                                                                      SHA512

                                                                      e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

                                                                      Download Submit
                                                                    • \??\pipe\LOCAL\crashpad_4364_TVCSBLGXKAFJTZRA
                                                                      MD5

                                                                      d41d8cd98f00b204e9800998ecf8427e

                                                                      SHA1

                                                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                      SHA256

                                                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                      SHA512

                                                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                      Download Submit
                                                                    • memory/664-1008-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/664-1011-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1028-444-0x000001C97DB60000-0x000001C97E716000-memory.dmp
                                                                      Filesize

                                                                      11.7MB

                                                                      Download
                                                                    • memory/1028-445-0x00007FF8376C0000-0x00007FF838182000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1028-428-0x00007FF8376C0000-0x00007FF838182000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1028-429-0x000001C962450000-0x000001C962EC2000-memory.dmp
                                                                      Filesize

                                                                      10.4MB

                                                                      Download
                                                                    • memory/1028-443-0x000001C964B60000-0x000001C964B70000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/1120-1113-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1120-1114-0x000002854C310000-0x000002854C320000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/1120-1128-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1940-1047-0x00000000001D0000-0x00000000001EE000-memory.dmp
                                                                      Filesize

                                                                      120KB

                                                                      Download
                                                                    • memory/1940-1048-0x0000000074DA0000-0x0000000075551000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/1940-1049-0x0000000074DA0000-0x0000000075551000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/1952-862-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/1952-861-0x0000019381D60000-0x0000019381D70000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/1952-859-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/2116-1005-0x00000223D21D0000-0x00000223D21E0000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/2116-1003-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/2116-1009-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/2728-1105-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/2728-1092-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3288-897-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3288-911-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3288-896-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3288-898-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3288-899-0x000001D6BFA30000-0x000001D6BFA52000-memory.dmp
                                                                      Filesize

                                                                      136KB

                                                                      Download
                                                                    • memory/3288-908-0x000001D6BFA20000-0x000001D6BFA30000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3456-951-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3456-952-0x00000231F2FB0000-0x00000231F2FC0000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3456-956-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3456-954-0x00000231F2FB0000-0x00000231F2FC0000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3456-953-0x00000231F2FB0000-0x00000231F2FC0000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3564-495-0x00007FF8376C0000-0x00007FF838182000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3564-492-0x00007FF8376C0000-0x00007FF838182000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3720-927-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3720-929-0x000002A29B160000-0x000002A29B170000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3720-941-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3720-939-0x000002A29B160000-0x000002A29B170000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3740-979-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3740-993-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3800-895-0x0000000000AF0000-0x0000000000B00000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3800-893-0x0000000000290000-0x00000000002B2000-memory.dmp
                                                                      Filesize

                                                                      136KB

                                                                      Download
                                                                    • memory/3800-923-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3800-928-0x0000000000AF0000-0x0000000000B00000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3800-894-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3836-1447-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3836-1446-0x000001EB60680000-0x000001EB60690000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/3836-1445-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3960-926-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3960-921-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/3960-922-0x0000022F78770000-0x0000022F78780000-memory.dmp
                                                                      Filesize

                                                                      64KB

                                                                      Download
                                                                    • memory/4152-519-0x0000000074D00000-0x00000000754B1000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/4152-518-0x0000000074D00000-0x00000000754B1000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/4152-517-0x0000000000BC0000-0x0000000000BDE000-memory.dmp
                                                                      Filesize

                                                                      120KB

                                                                      Download
                                                                    • memory/4376-388-0x0000000074D00000-0x00000000754B1000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/4376-382-0x0000000074D00000-0x00000000754B1000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/4376-381-0x0000000000CF0000-0x0000000000D0E000-memory.dmp
                                                                      Filesize

                                                                      120KB

                                                                      Download
                                                                    • memory/4572-1422-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/4572-1423-0x00007FF837890000-0x00007FF838352000-memory.dmp
                                                                      Filesize

                                                                      10.8MB

                                                                      Download
                                                                    • memory/5016-1072-0x0000000074DA0000-0x0000000075551000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/5016-1071-0x0000000074DA0000-0x0000000075551000-memory.dmp
                                                                      Filesize

                                                                      7.7MB

                                                                      Download
                                                                    • memory/5016-1070-0x0000000000850000-0x000000000086E000-memory.dmp
                                                                      Filesize

                                                                      120KB

                                                                      Download