Malware Analysis Report

2024-09-23 02:50

Sample ID 240712-rcar9swglk
Target XWorm V5.2.txt
SHA256 1b418092ab7db0616964e4e6fa1b7d87c0e50bdec33f9825a19daaba8a5f4c2e
Tags agilenet agenttesla stormkitty xworm keylogger rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1b418092ab7db0616964e4e6fa1b7d87c0e50bdec33f9825a19daaba8a5f4c2e

Threat Level: Known bad

The file XWorm V5.2.txt was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla stormkitty xworm keylogger rat spyware stealer trojan

StormKitty payload

Xworm

Agenttesla family

AgentTesla payload

AgentTesla

Contains code to disable Windows Defender

Detect Xworm Payload

Stormkitty family

AgentTesla payload

Loads dropped DLL

Uses the VBS compiler for execution

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-12 14:02

Signatures

AgentTesla payload

Agenttesla family

agenttesla

Contains code to disable Windows Defender

StormKitty payload

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 14:02

Reported

2024-07-12 14:08

Platform

win10v2004-20240709-en

Max time kernel

318s

Max time network

299s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Xworm

trojan rat xworm

AgentTesla payload

Obfuscated with Agile.Net obfuscator

agilenet

Uses the VBS compiler for execution

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000800000007000000060000000500000004000000030000000200000000000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0 = 6000310000000000ec589970100058574f524d567e312e320000460009000400efbeec589970ec5899702e000000153502000000070000000000000000000000000000002a6cc900580057006f0072006d002000560035002e00320000001a000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Pictures" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0\0\NodeSlot = "15" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1 = 7e00310000000000ec58987011004465736b746f7000680009000400efbee9586970ec5898702e0000006ee101000000010000000000000000003e0000000000f2e662004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0\0 = 5000310000000000ec589970100049636f6e73003c0009000400efbeec589970ec5899702e00000033350200000007000000000000000000000000000000e519f900490063006f006e007300000014000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0 = 6000310000000000ec589970100058574f524d567e312e320000460009000400efbeec589870ec5899702e0000006934020000000a0000000000000000000000000000004af12f01580057006f0072006d002000560035002e00320000001a000000 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\1\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0" C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3176 wrote to memory of 4028 N/A C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 4428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3356 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 2136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe

"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbafd46f8,0x7ffdbafd4708,0x7ffdbafd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbafd46f8,0x7ffdbafd4708,0x7ffdbafd4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe

"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4a0 0x464

C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe

"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FEA6D54C7BE48598096D22C6A92781.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 telegram.org udp
US 8.8.8.8:53 cdn4.cdn-telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
NL 149.154.167.99:443 telegram.org tcp
US 34.111.35.152:443 cdn4.cdn-telegram.org tcp
US 34.111.35.152:443 cdn4.cdn-telegram.org tcp
US 8.8.8.8:53 152.35.111.34.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp

Files

memory/3176-0-0x0000023070570000-0x00000230711A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

memory/3176-8-0x0000023074880000-0x000002307546C000-memory.dmp

memory/3176-9-0x0000023075670000-0x0000023075864000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4028_STWCIVSYDXGBLAKZ

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll

C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.cmdline

C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.0.vb

C:\Users\Admin\AppData\Local\Temp\vbc8FEA6D54C7BE48598096D22C6A92781.TMP

C:\Users\Admin\AppData\Local\Temp\RES3A61.tmp

C:\Users\Admin\Downloads\XClient.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 14:02

Reported

2024-07-12 14:08

Platform

win11-20240709-en

Max time kernel

145s

Max time network

278s

Command Line

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A