xworm | 4584e840367c8990cb040f840d4e6af35424e3ab7618985bfc76190757eae2a2

Analysis

max time kernel
299s
max time network
299s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.2.exe
Size

9.1MB
MD5

1c264a483f2f667410157dac2f067d66
SHA1

4831f141b41802d06d6735b237c53f4d34e9d428
SHA256

1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474
SHA512

1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2
SSDEEP

196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

uk1.localto.net:3725

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000500000001ad33-8.dat	family_xworm
behavioral1/memory/2952-9-0x0000000000A60000-0x0000000000A76000-memory.dmp	family_xworm
behavioral1/memory/1652-61-0x0000000001050000-0x0000000001066000-memory.dmp	family_xworm
behavioral1/memory/2756-92-0x0000000000380000-0x0000000000396000-memory.dmp	family_xworm
behavioral1/memory/1988-101-0x00000000000E0000-0x00000000000F6000-memory.dmp	family_xworm
behavioral1/memory/2276-102-0x0000000000AE0000-0x0000000000AF6000-memory.dmp	family_xworm
behavioral1/memory/2960-103-0x0000000000040000-0x0000000000056000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
1996	powershell.exe
2268	powershell.exe
2364	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm.exe

Executes dropped EXE 64 IoCs

pid	Process
2952	XWorm.exe
2828	XWorm.exe
2692	XWorm.exe
2960	XWorm.exe
2864	XWorm.exe
1344	XWorm.exe
1656	XWorm.exe
1636	XWorm.exe
2100	XWorm.exe
2008	XWorm.exe
3036	XWorm.exe
2228	XWorm.exe
1116	XWorm.exe
2804	XWorm.exe
1028	XWorm.exe
2504	XWorm.exe
2180	XWorm.exe
1056	XWorm.exe
2196	XWorm.exe
1652	svchost.exe
760	XWorm.exe
2140	XWorm.exe
1084	XWorm.exe
2452	XWorm.exe
2748	XWorm.exe
2836	XWorm.exe
2728	XWorm.exe
1668	XWorm.exe
536	XWorm.exe
872	XWorm.exe
1872	XWorm.exe
2272	XWorm.exe
2004	XWorm.exe
1784	XWorm.exe
288	XWorm.exe
1316	XWorm.exe
2440	XWorm.exe
1732	XWorm.exe
596	XWorm.exe
908	XWorm.exe
1748	XWorm.exe
2552	XWorm.exe
1156	XWorm.exe
2332	XWorm.exe
544	XWorm.exe
2096	XWorm.exe
2864	XWorm.exe
2564	XWorm.exe
2756	svchost.exe
1600	XWorm.exe
2644	XWorm.exe
1720	XWorm.exe
1936	XWorm.exe
2608	XWorm.exe
2860	XWorm.exe
1208	XWorm.exe
1928	XWorm.exe
1752	XWorm.exe
2248	XWorm.exe
1056	XWorm.exe
2040	XWorm.exe
2420	XWorm.exe
2484	XWorm.exe
1508	XWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	XWorm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2892	powershell.exe
1996	powershell.exe
2268	powershell.exe
2364	powershell.exe
2952	XWorm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	XWorm.exe
Token: SeDebugPrivilege	2828	XWorm.exe
Token: SeDebugPrivilege	2692	XWorm.exe
Token: SeDebugPrivilege	2960	XWorm.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2864	XWorm.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1344	XWorm.exe
Token: SeDebugPrivilege	2952	XWorm.exe
Token: SeDebugPrivilege	1656	XWorm.exe
Token: SeDebugPrivilege	1636	XWorm.exe
Token: SeDebugPrivilege	2100	XWorm.exe
Token: SeDebugPrivilege	2008	XWorm.exe
Token: SeDebugPrivilege	3036	XWorm.exe
Token: SeDebugPrivilege	2228	XWorm.exe
Token: SeDebugPrivilege	1116	XWorm.exe
Token: SeDebugPrivilege	2804	XWorm.exe
Token: SeDebugPrivilege	1028	XWorm.exe
Token: SeDebugPrivilege	2504	XWorm.exe
Token: SeDebugPrivilege	2180	XWorm.exe
Token: SeDebugPrivilege	1056	XWorm.exe
Token: SeDebugPrivilege	2196	XWorm.exe
Token: SeDebugPrivilege	1652	svchost.exe
Token: SeDebugPrivilege	760	XWorm.exe
Token: SeDebugPrivilege	2140	XWorm.exe
Token: SeDebugPrivilege	1084	XWorm.exe
Token: SeDebugPrivilege	2452	XWorm.exe
Token: SeDebugPrivilege	2748	XWorm.exe
Token: SeDebugPrivilege	2836	XWorm.exe
Token: SeDebugPrivilege	2728	XWorm.exe
Token: SeDebugPrivilege	1668	XWorm.exe
Token: SeDebugPrivilege	536	XWorm.exe
Token: SeDebugPrivilege	872	XWorm.exe
Token: SeDebugPrivilege	1872	XWorm.exe
Token: SeDebugPrivilege	2272	XWorm.exe
Token: SeDebugPrivilege	2004	XWorm.exe
Token: SeDebugPrivilege	1784	XWorm.exe
Token: SeDebugPrivilege	288	XWorm.exe
Token: SeDebugPrivilege	1316	XWorm.exe
Token: SeDebugPrivilege	2440	XWorm.exe
Token: SeDebugPrivilege	1732	XWorm.exe
Token: SeDebugPrivilege	596	XWorm.exe
Token: SeDebugPrivilege	908	XWorm.exe
Token: SeDebugPrivilege	1748	XWorm.exe
Token: SeDebugPrivilege	2552	XWorm.exe
Token: SeDebugPrivilege	1156	XWorm.exe
Token: SeDebugPrivilege	2332	XWorm.exe
Token: SeDebugPrivilege	544	XWorm.exe
Token: SeDebugPrivilege	2096	XWorm.exe
Token: SeDebugPrivilege	2864	XWorm.exe
Token: SeDebugPrivilege	2564	XWorm.exe
Token: SeDebugPrivilege	2756	svchost.exe
Token: SeDebugPrivilege	1600	XWorm.exe
Token: SeDebugPrivilege	2644	XWorm.exe
Token: SeDebugPrivilege	1720	XWorm.exe
Token: SeDebugPrivilege	1936	XWorm.exe
Token: SeDebugPrivilege	2608	XWorm.exe
Token: SeDebugPrivilege	2860	XWorm.exe
Token: SeDebugPrivilege	1208	XWorm.exe
Token: SeDebugPrivilege	1928	XWorm.exe
Token: SeDebugPrivilege	1752	XWorm.exe
Token: SeDebugPrivilege	2248	XWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	XWorm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2440	1972	XWorm V5.2.exe	30
PID 1972 wrote to memory of 2440	1972	XWorm V5.2.exe	30
PID 1972 wrote to memory of 2440	1972	XWorm V5.2.exe	30
PID 1972 wrote to memory of 2952	1972	XWorm V5.2.exe	31
PID 1972 wrote to memory of 2952	1972	XWorm V5.2.exe	31
PID 1972 wrote to memory of 2952	1972	XWorm V5.2.exe	31
PID 2440 wrote to memory of 2840	2440	XWorm V5.2.exe	32
PID 2440 wrote to memory of 2840	2440	XWorm V5.2.exe	32
PID 2440 wrote to memory of 2840	2440	XWorm V5.2.exe	32
PID 2440 wrote to memory of 2828	2440	XWorm V5.2.exe	33
PID 2440 wrote to memory of 2828	2440	XWorm V5.2.exe	33
PID 2440 wrote to memory of 2828	2440	XWorm V5.2.exe	33
PID 2840 wrote to memory of 2656	2840	XWorm V5.2.exe	36
PID 2840 wrote to memory of 2656	2840	XWorm V5.2.exe	36
PID 2840 wrote to memory of 2656	2840	XWorm V5.2.exe	36
PID 2840 wrote to memory of 2692	2840	XWorm V5.2.exe	37
PID 2840 wrote to memory of 2692	2840	XWorm V5.2.exe	37
PID 2840 wrote to memory of 2692	2840	XWorm V5.2.exe	37
PID 2656 wrote to memory of 2924	2656	XWorm V5.2.exe	38
PID 2656 wrote to memory of 2924	2656	XWorm V5.2.exe	38
PID 2656 wrote to memory of 2924	2656	XWorm V5.2.exe	38
PID 2656 wrote to memory of 2960	2656	XWorm V5.2.exe	39
PID 2656 wrote to memory of 2960	2656	XWorm V5.2.exe	39
PID 2656 wrote to memory of 2960	2656	XWorm V5.2.exe	39
PID 2952 wrote to memory of 2892	2952	XWorm.exe	40
PID 2952 wrote to memory of 2892	2952	XWorm.exe	40
PID 2952 wrote to memory of 2892	2952	XWorm.exe	40
PID 2924 wrote to memory of 1056	2924	XWorm V5.2.exe	42
PID 2924 wrote to memory of 1056	2924	XWorm V5.2.exe	42
PID 2924 wrote to memory of 1056	2924	XWorm V5.2.exe	42
PID 2924 wrote to memory of 2864	2924	XWorm V5.2.exe	43
PID 2924 wrote to memory of 2864	2924	XWorm V5.2.exe	43
PID 2924 wrote to memory of 2864	2924	XWorm V5.2.exe	43
PID 2952 wrote to memory of 1996	2952	XWorm.exe	44
PID 2952 wrote to memory of 1996	2952	XWorm.exe	44
PID 2952 wrote to memory of 1996	2952	XWorm.exe	44
PID 2952 wrote to memory of 2268	2952	XWorm.exe	46
PID 2952 wrote to memory of 2268	2952	XWorm.exe	46
PID 2952 wrote to memory of 2268	2952	XWorm.exe	46
PID 2952 wrote to memory of 2364	2952	XWorm.exe	48
PID 2952 wrote to memory of 2364	2952	XWorm.exe	48
PID 2952 wrote to memory of 2364	2952	XWorm.exe	48
PID 1056 wrote to memory of 1328	1056	XWorm V5.2.exe	50
PID 1056 wrote to memory of 1328	1056	XWorm V5.2.exe	50
PID 1056 wrote to memory of 1328	1056	XWorm V5.2.exe	50
PID 1056 wrote to memory of 1344	1056	XWorm V5.2.exe	51
PID 1056 wrote to memory of 1344	1056	XWorm V5.2.exe	51
PID 1056 wrote to memory of 1344	1056	XWorm V5.2.exe	51
PID 2952 wrote to memory of 700	2952	XWorm.exe	52
PID 2952 wrote to memory of 700	2952	XWorm.exe	52
PID 2952 wrote to memory of 700	2952	XWorm.exe	52
PID 1328 wrote to memory of 1800	1328	XWorm V5.2.exe	54
PID 1328 wrote to memory of 1800	1328	XWorm V5.2.exe	54
PID 1328 wrote to memory of 1800	1328	XWorm V5.2.exe	54
PID 1328 wrote to memory of 1656	1328	XWorm V5.2.exe	55
PID 1328 wrote to memory of 1656	1328	XWorm V5.2.exe	55
PID 1328 wrote to memory of 1656	1328	XWorm V5.2.exe	55
PID 1800 wrote to memory of 1004	1800	XWorm V5.2.exe	56
PID 1800 wrote to memory of 1004	1800	XWorm V5.2.exe	56
PID 1800 wrote to memory of 1004	1800	XWorm V5.2.exe	56
PID 1800 wrote to memory of 1636	1800	XWorm V5.2.exe	57
PID 1800 wrote to memory of 1636	1800	XWorm V5.2.exe	57
PID 1800 wrote to memory of 1636	1800	XWorm V5.2.exe	57
PID 1004 wrote to memory of 1060	1004	XWorm V5.2.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        10⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        11⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        12⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        13⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        14⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        15⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        16⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        17⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        18⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        19⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        20⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        21⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        22⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        23⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        24⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        25⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        26⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        27⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        28⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        29⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        30⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        31⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        32⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        33⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        34⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        35⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        36⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        37⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        38⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        39⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        40⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        41⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        42⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        43⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        44⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        45⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        46⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        47⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        48⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        49⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        50⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        51⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        52⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        53⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        54⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        55⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        56⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        57⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        58⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        59⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        60⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        61⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        62⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        63⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        64⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        65⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        66⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        67⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        68⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        69⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        70⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        71⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        72⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        73⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        74⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        75⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        76⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        77⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        78⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        79⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        80⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        81⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        82⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        83⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        84⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        85⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        86⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        87⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        88⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        89⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        90⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        91⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        92⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        93⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        94⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        95⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        96⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        97⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        98⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        99⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        100⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        101⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        102⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        103⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        104⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        105⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        106⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        107⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        108⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        109⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        110⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        111⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        112⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        113⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        114⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        115⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        116⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        117⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        118⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        119⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        120⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        121⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        122⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        123⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        124⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        125⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        126⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        127⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        128⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        129⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        130⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        131⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        132⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        133⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        134⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        135⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        136⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        136⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        135⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        134⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        133⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        132⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        131⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        130⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        129⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        128⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        127⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        126⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        125⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        124⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        123⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        122⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        121⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        120⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        119⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        118⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        117⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        116⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        115⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        114⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        113⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        112⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        111⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        110⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        109⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        108⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        107⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        106⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        105⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        104⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        103⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        102⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        101⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        100⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        99⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        98⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        97⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        96⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        95⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        94⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        93⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        92⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        91⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        90⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        89⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        88⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        87⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        86⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        85⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        84⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        83⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        82⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        81⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        80⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        79⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        78⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        77⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        76⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        75⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        74⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        73⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        72⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        71⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        70⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        69⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        68⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        67⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        66⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        65⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        64⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        63⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        62⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        61⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        60⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        59⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
      - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:700

C:\Windows\system32\taskeng.exe
taskeng.exe {33A7221D-1C5B-4F58-BDCB-6FC3F4965EF9} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:916
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:1988
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:2276
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWorm.exe

Filesize
61KB

MD5
433b1bb16223dc6eac212edff6177362

SHA1
f8e020d7066b0570c0b6030878f33bd83211046e

SHA256
238db9b1b269432ad832a8a0d86471af730ee4afadc6b98e680c05d6395a6c3d

SHA512
d285d522deda22eed55df4f8ad707ab4f760e072a4e8001bb7e42666f9845f0fe19827eedb15e6bf1573fdb15aa46101ca0da625ac6e74f8fc88b31b94c599b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
99777b6417d65a000467dc5deead0e9b

SHA1
956e5fec8dd2b3da3d140def5a17a8ff4152f56e

SHA256
0674d76935206b20dab1e5ba7c0c5f427a27ab72835c849d41d44b95a7ff64a8

SHA512
c15b0de18192e266a3a00fdb79fd23e9e5eeea4fbe765ad78a9e50a4d126cd1496b7f11c4dc65d0a7713af7445de6a00e85946f167350ba953905c7ebed3bed9

Download Submit
memory/1652-61-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/1972-1-0x0000000000BD0000-0x00000000014F0000-memory.dmp

Filesize
9.1MB

Download
memory/1972-2-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-10-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-0-0x000007FEF5143000-0x000007FEF5144000-memory.dmp

Filesize
4KB

Download
memory/1988-101-0x00000000000E0000-0x00000000000F6000-memory.dmp

Filesize
88KB

Download
memory/1996-28-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1996-27-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2276-102-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/2440-12-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2440-5-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-92-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2892-20-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2892-19-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2952-9-0x0000000000A60000-0x0000000000A76000-memory.dmp

Filesize
88KB

Download
memory/2960-103-0x0000000000040000-0x0000000000056000-memory.dmp

Filesize
88KB

Download