xworm | 4584e840367c8990cb040f840d4e6af35424e3ab7618985bfc76190757eae2a2

General

Target

XWorm V5.2.exe
Size

9.1MB
MD5

1c264a483f2f667410157dac2f067d66
SHA1

4831f141b41802d06d6735b237c53f4d34e9d428
SHA256

1c906ee702dadbc5ce1668754a488cbbc9838c63aaa6fb77fe5e848491b6f474
SHA512

1b48506e8cd01b66e930b8bb70998a3e4f02a300ef1a97252e105013b7e455c021d014a4cf3b1ba77deadc94e1908c8314c2875900145760cc5c402f37d637a2
SSDEEP

196608:6OdkWMB1TCCAaa/f+cUhBLHK1gzaFsKnULGZ3d/VRyDhwymXeexoAxG:6K2B1CkcDUDLHK18as0mcvow+Ax

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:3725

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\XWorm.exe	family_xworm
behavioral1/memory/2388-9-0x0000000000220000-0x0000000000236000-memory.dmp	family_xworm
behavioral1/memory/2644-54-0x0000000000EC0000-0x0000000000ED6000-memory.dmp	family_xworm
behavioral1/memory/832-84-0x00000000012B0000-0x00000000012C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1936 powershell.exe
2380 powershell.exe
1144 powershell.exe
2636 powershell.exe

pid	process
1936	powershell.exe
2380	powershell.exe
1144	powershell.exe
2636	powershell.exe

Drops startup file 2 IoCs

Processes:

XWorm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XWorm.exe

Executes dropped EXE 64 IoCs

Processes:

XWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exesvchost.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exesvchost.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exe

pid	process
2388	XWorm.exe
2736	XWorm.exe
2708	XWorm.exe
1216	XWorm.exe
1688	XWorm.exe
624	XWorm.exe
1756	XWorm.exe
1648	XWorm.exe
876	XWorm.exe
2408	XWorm.exe
1280	XWorm.exe
2332	XWorm.exe
2644	svchost.exe
1772	XWorm.exe
2516	XWorm.exe
2436	XWorm.exe
2044	XWorm.exe
2380	XWorm.exe
1680	XWorm.exe
2244	XWorm.exe
2176	XWorm.exe
2928	XWorm.exe
2988	XWorm.exe
2800	XWorm.exe
2676	XWorm.exe
2868	XWorm.exe
1996	XWorm.exe
1684	XWorm.exe
1748	XWorm.exe
2232	XWorm.exe
1464	XWorm.exe
2636	XWorm.exe
2064	XWorm.exe
1076	XWorm.exe
3056	XWorm.exe
2148	XWorm.exe
2364	XWorm.exe
3036	XWorm.exe
1488	XWorm.exe
1236	XWorm.exe
832	svchost.exe
1188	XWorm.exe
2584	XWorm.exe
1788	XWorm.exe
948	XWorm.exe
752	XWorm.exe
2788	XWorm.exe
2292	XWorm.exe
3000	XWorm.exe
324	XWorm.exe
2824	XWorm.exe
2616	XWorm.exe
2532	XWorm.exe
2592	XWorm.exe
816	XWorm.exe
1388	XWorm.exe
1244	XWorm.exe
1468	XWorm.exe
908	XWorm.exe
444	XWorm.exe
1764	XWorm.exe
2980	XWorm.exe
1688	XWorm.exe
2792	XWorm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XWorm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	XWorm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

668 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeXWorm.exe

pid process

1936 powershell.exe
2380 powershell.exe
1144 powershell.exe
2636 powershell.exe
2388 XWorm.exe

flow	ioc
4	ip-api.com

pid	process
668	schtasks.exe

pid	process
1936	powershell.exe
2380	powershell.exe
1144	powershell.exe
2636	powershell.exe
2388	XWorm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XWorm.exeXWorm.exeXWorm.exeXWorm.exepowershell.exepowershell.exepowershell.exepowershell.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exesvchost.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exesvchost.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exeXWorm.exe

description	pid	process
Token: SeDebugPrivilege	2388	XWorm.exe
Token: SeDebugPrivilege	2736	XWorm.exe
Token: SeDebugPrivilege	2708	XWorm.exe
Token: SeDebugPrivilege	1216	XWorm.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1688	XWorm.exe
Token: SeDebugPrivilege	2388	XWorm.exe
Token: SeDebugPrivilege	624	XWorm.exe
Token: SeDebugPrivilege	1756	XWorm.exe
Token: SeDebugPrivilege	1648	XWorm.exe
Token: SeDebugPrivilege	876	XWorm.exe
Token: SeDebugPrivilege	2408	XWorm.exe
Token: SeDebugPrivilege	1280	XWorm.exe
Token: SeDebugPrivilege	2332	XWorm.exe
Token: SeDebugPrivilege	2644	svchost.exe
Token: SeDebugPrivilege	1772	XWorm.exe
Token: SeDebugPrivilege	2516	XWorm.exe
Token: SeDebugPrivilege	2436	XWorm.exe
Token: SeDebugPrivilege	2044	XWorm.exe
Token: SeDebugPrivilege	2380	XWorm.exe
Token: SeDebugPrivilege	1680	XWorm.exe
Token: SeDebugPrivilege	2244	XWorm.exe
Token: SeDebugPrivilege	2176	XWorm.exe
Token: SeDebugPrivilege	2928	XWorm.exe
Token: SeDebugPrivilege	2988	XWorm.exe
Token: SeDebugPrivilege	2800	XWorm.exe
Token: SeDebugPrivilege	2676	XWorm.exe
Token: SeDebugPrivilege	2868	XWorm.exe
Token: SeDebugPrivilege	1996	XWorm.exe
Token: SeDebugPrivilege	1684	XWorm.exe
Token: SeDebugPrivilege	1748	XWorm.exe
Token: SeDebugPrivilege	2232	XWorm.exe
Token: SeDebugPrivilege	1464	XWorm.exe
Token: SeDebugPrivilege	2636	XWorm.exe
Token: SeDebugPrivilege	2064	XWorm.exe
Token: SeDebugPrivilege	1076	XWorm.exe
Token: SeDebugPrivilege	3056	XWorm.exe
Token: SeDebugPrivilege	2148	XWorm.exe
Token: SeDebugPrivilege	2364	XWorm.exe
Token: SeDebugPrivilege	3036	XWorm.exe
Token: SeDebugPrivilege	1488	XWorm.exe
Token: SeDebugPrivilege	1236	XWorm.exe
Token: SeDebugPrivilege	832	svchost.exe
Token: SeDebugPrivilege	1188	XWorm.exe
Token: SeDebugPrivilege	2584	XWorm.exe
Token: SeDebugPrivilege	1788	XWorm.exe
Token: SeDebugPrivilege	948	XWorm.exe
Token: SeDebugPrivilege	752	XWorm.exe
Token: SeDebugPrivilege	2788	XWorm.exe
Token: SeDebugPrivilege	2292	XWorm.exe
Token: SeDebugPrivilege	3000	XWorm.exe
Token: SeDebugPrivilege	324	XWorm.exe
Token: SeDebugPrivilege	2824	XWorm.exe
Token: SeDebugPrivilege	2616	XWorm.exe
Token: SeDebugPrivilege	2532	XWorm.exe
Token: SeDebugPrivilege	2592	XWorm.exe
Token: SeDebugPrivilege	816	XWorm.exe
Token: SeDebugPrivilege	1388	XWorm.exe
Token: SeDebugPrivilege	1244	XWorm.exe
Token: SeDebugPrivilege	1468	XWorm.exe
Token: SeDebugPrivilege	908	XWorm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

XWorm.exe

pid process

2388 XWorm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XWorm V5.2.exeXWorm V5.2.exeXWorm V5.2.exeXWorm V5.2.exeXWorm.exeXWorm V5.2.exeXWorm V5.2.exeXWorm V5.2.exeXWorm V5.2.exeXWorm V5.2.exe

description	pid	process	target process
PID 2096 wrote to memory of 3044	2096	XWorm V5.2.exe	XWorm V5.2.exe
PID 2096 wrote to memory of 3044	2096	XWorm V5.2.exe	XWorm V5.2.exe
PID 2096 wrote to memory of 3044	2096	XWorm V5.2.exe	XWorm V5.2.exe
PID 2096 wrote to memory of 2388	2096	XWorm V5.2.exe	XWorm.exe
PID 2096 wrote to memory of 2388	2096	XWorm V5.2.exe	XWorm.exe
PID 2096 wrote to memory of 2388	2096	XWorm V5.2.exe	XWorm.exe
PID 3044 wrote to memory of 2704	3044	XWorm V5.2.exe	XWorm V5.2.exe
PID 3044 wrote to memory of 2704	3044	XWorm V5.2.exe	XWorm V5.2.exe
PID 3044 wrote to memory of 2704	3044	XWorm V5.2.exe	XWorm V5.2.exe
PID 3044 wrote to memory of 2736	3044	XWorm V5.2.exe	XWorm.exe
PID 3044 wrote to memory of 2736	3044	XWorm V5.2.exe	XWorm.exe
PID 3044 wrote to memory of 2736	3044	XWorm V5.2.exe	XWorm.exe
PID 2704 wrote to memory of 2644	2704	XWorm V5.2.exe	XWorm V5.2.exe
PID 2704 wrote to memory of 2644	2704	XWorm V5.2.exe	XWorm V5.2.exe
PID 2704 wrote to memory of 2644	2704	XWorm V5.2.exe	XWorm V5.2.exe
PID 2704 wrote to memory of 2708	2704	XWorm V5.2.exe	XWorm.exe
PID 2704 wrote to memory of 2708	2704	XWorm V5.2.exe	XWorm.exe
PID 2704 wrote to memory of 2708	2704	XWorm V5.2.exe	XWorm.exe
PID 2644 wrote to memory of 688	2644	XWorm V5.2.exe	XWorm V5.2.exe
PID 2644 wrote to memory of 688	2644	XWorm V5.2.exe	XWorm V5.2.exe
PID 2644 wrote to memory of 688	2644	XWorm V5.2.exe	XWorm V5.2.exe
PID 2644 wrote to memory of 1216	2644	XWorm V5.2.exe	XWorm.exe
PID 2644 wrote to memory of 1216	2644	XWorm V5.2.exe	XWorm.exe
PID 2644 wrote to memory of 1216	2644	XWorm V5.2.exe	XWorm.exe
PID 2388 wrote to memory of 1936	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 1936	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 1936	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2380	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2380	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2380	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 1144	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 1144	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 1144	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2636	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2636	2388	XWorm.exe	powershell.exe
PID 2388 wrote to memory of 2636	2388	XWorm.exe	powershell.exe
PID 688 wrote to memory of 1080	688	XWorm V5.2.exe	XWorm V5.2.exe
PID 688 wrote to memory of 1080	688	XWorm V5.2.exe	XWorm V5.2.exe
PID 688 wrote to memory of 1080	688	XWorm V5.2.exe	XWorm V5.2.exe
PID 688 wrote to memory of 1688	688	XWorm V5.2.exe	XWorm.exe
PID 688 wrote to memory of 1688	688	XWorm V5.2.exe	XWorm.exe
PID 688 wrote to memory of 1688	688	XWorm V5.2.exe	XWorm.exe
PID 2388 wrote to memory of 668	2388	XWorm.exe	schtasks.exe
PID 2388 wrote to memory of 668	2388	XWorm.exe	schtasks.exe
PID 2388 wrote to memory of 668	2388	XWorm.exe	schtasks.exe
PID 1080 wrote to memory of 1932	1080	XWorm V5.2.exe	XWorm V5.2.exe
PID 1080 wrote to memory of 1932	1080	XWorm V5.2.exe	XWorm V5.2.exe
PID 1080 wrote to memory of 1932	1080	XWorm V5.2.exe	XWorm V5.2.exe
PID 1080 wrote to memory of 624	1080	XWorm V5.2.exe	XWorm.exe
PID 1080 wrote to memory of 624	1080	XWorm V5.2.exe	XWorm.exe
PID 1080 wrote to memory of 624	1080	XWorm V5.2.exe	XWorm.exe
PID 1932 wrote to memory of 844	1932	XWorm V5.2.exe	XWorm V5.2.exe
PID 1932 wrote to memory of 844	1932	XWorm V5.2.exe	XWorm V5.2.exe
PID 1932 wrote to memory of 844	1932	XWorm V5.2.exe	XWorm V5.2.exe
PID 1932 wrote to memory of 1756	1932	XWorm V5.2.exe	XWorm.exe
PID 1932 wrote to memory of 1756	1932	XWorm V5.2.exe	XWorm.exe
PID 1932 wrote to memory of 1756	1932	XWorm V5.2.exe	XWorm.exe
PID 844 wrote to memory of 2136	844	XWorm V5.2.exe	XWorm V5.2.exe
PID 844 wrote to memory of 2136	844	XWorm V5.2.exe	XWorm V5.2.exe
PID 844 wrote to memory of 2136	844	XWorm V5.2.exe	XWorm V5.2.exe
PID 844 wrote to memory of 1648	844	XWorm V5.2.exe	XWorm.exe
PID 844 wrote to memory of 1648	844	XWorm V5.2.exe	XWorm.exe
PID 844 wrote to memory of 1648	844	XWorm V5.2.exe	XWorm.exe
PID 2136 wrote to memory of 836	2136	XWorm V5.2.exe	XWorm V5.2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        10⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        11⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        12⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        13⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        14⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        15⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        16⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        17⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        18⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        19⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        20⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        21⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        22⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        23⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        24⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        25⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        26⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        27⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        28⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        29⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        30⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        31⤵
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        32⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        33⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        34⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        35⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        36⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        37⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        38⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        39⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        40⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        41⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        42⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        43⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        44⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        45⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        46⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        47⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        48⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        49⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        50⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        51⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        52⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        53⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        54⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        55⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        56⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        57⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        58⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        59⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        60⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        61⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        62⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        63⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        64⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        65⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        66⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        67⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.exe"
        68⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        68⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        67⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        66⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        65⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        64⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        63⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        62⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        61⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        60⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        59⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
      - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2708
- - C:\Users\Admin\AppData\Local\Temp\XWorm.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2636
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:668

C:\Windows\system32\taskeng.exe
taskeng.exe {FE8050AE-35B6-4CB3-A910-2E190BE8D234} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:1904
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\ProgramData\svchost.exe
  C:\ProgramData\svchost.exe
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XWorm.exe

Filesize
61KB

MD5
433b1bb16223dc6eac212edff6177362

SHA1
f8e020d7066b0570c0b6030878f33bd83211046e

SHA256
238db9b1b269432ad832a8a0d86471af730ee4afadc6b98e680c05d6395a6c3d

SHA512
d285d522deda22eed55df4f8ad707ab4f760e072a4e8001bb7e42666f9845f0fe19827eedb15e6bf1573fdb15aa46101ca0da625ac6e74f8fc88b31b94c599b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
09c7e48dc36bb124d21d442e275e1b69

SHA1
accfa844eb4fbfdc45635a561b60b1faaeedbe42

SHA256
4f417342c3dae6567e855fee460e9b5061252ba9d86a439e0b864eaf2cde6fd8

SHA512
6bb9926ebed2e0d19c33692d0a3ccd85bd83c35fd6c1320193ac85aa4c8545a3de4cd5af78b586aec6bc33f7e1db20a3bf8545a2fdf040073d04fad4187be59d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/832-84-0x00000000012B0000-0x00000000012C6000-memory.dmp

Filesize
88KB

Download
memory/1936-20-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1936-19-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2096-10-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

Filesize
4KB

Download
memory/2096-2-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-1-0x00000000002D0000-0x0000000000BF0000-memory.dmp

Filesize
9.1MB

Download
memory/2380-26-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2380-27-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2388-9-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2644-54-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download
memory/3044-12-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download
memory/3044-5-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads