7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-10-2024 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm-5.6-main/Plugins/HVNC.dll
Size

58KB
MD5

30eb33588670191b4e74a0a05eecf191
SHA1

08760620ef080bb75c253ba80e97322c187a6b9f
SHA256

3a287acb1c89692f2c18596dd4405089ac998bb9cf44dd225e5211923d421e96
SHA512

820cca77096ff2eea8e459a848f7127dc46af2e5f42f43b2b7375be6f4778c1b0e34e4aa5a97f7fbabe0b53dcd351d09c231bb9afedf7bcec60d949918a06b97
SSDEEP

768:XsKVHERYe3lgPPTxOEUyP82P6mUrYrthCO7h2ORS9SQdHfiLpmbG8p:8K1ERYe0TEE3P82P1EMS36Kp

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
2	camo.githubusercontent.com
37	camo.githubusercontent.com
38	camo.githubusercontent.com
39	camo.githubusercontent.com
40	camo.githubusercontent.com
41	camo.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm-5.6-main.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
788	Xworm V5.6.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe
4636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
788	Xworm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe
Token: SeShutdownPrivilege	4564	chrome.exe
Token: SeCreatePagefilePrivilege	4564	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
788	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
4564	chrome.exe
788	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2600	4564	chrome.exe	80
PID 4564 wrote to memory of 2600	4564	chrome.exe	80
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 3032	4564	chrome.exe	81
PID 4564 wrote to memory of 2472	4564	chrome.exe	82
PID 4564 wrote to memory of 2472	4564	chrome.exe	82
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83
PID 4564 wrote to memory of 2656	4564	chrome.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XWorm-5.6-main\Plugins\HVNC.dll,#1
1⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff9587cc40,0x7fff9587cc4c,0x7fff9587cc58
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4608,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2188
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff62feb4698,0x7ff62feb46a4,0x7ff62feb46b0
    3⤵
    - Drops file in Windows directory
    PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4304,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4364 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4704,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3528,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3480,i,6018993746858170135,11420318408415727768,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2004

C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe
"C:\Users\Admin\Downloads\XWorm-5.6-main\XWorm-5.6-main\Xworm V5.6.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2156

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000470 0x00000000000004C8
1⤵
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6955d57b3a49edf6644dde2120e13da8

SHA1
337ed0674c9f82a98ae584f6bbbe34199329dddb

SHA256
675af5e0e10f095970a39e1fc54f0c1bac28ef69936decf379542f96d66537fe

SHA512
1fb4f1088169a518337c06ae2438dfb6a9ca71820e7c569a2adc507bafc81ccacc1535b240743168f7726be8781733ab3fcafc350517ccf615423a4de07c3bf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
816cb84446e1e04938d9fd0ed4bc1f4a

SHA1
dcd3bb97199c91980ec7633e000acbf1bfc98783

SHA256
f207d32064bf9fd193fd89646dc1af464d7e6e64c5da40db104298129509d801

SHA512
3a95a4599b4ad780d71773bf450a4c6a2012eae9ebcfef8c8117746a56d64bb074a20a317495c2068cdc25c79be5cf805b204cb3722a810c66eca328d2ef14af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
560f5bf3139edfcd724c500a01ee26a7

SHA1
e66e676882f9e854e10c2ce1d5ebbf31fc59f6cb

SHA256
9dcaa1f178e8854ee31445898d4ba389831cdd39854bb2c5b7a0911c196499c6

SHA512
4fc92ffa44c2f8684bc58dab9abc7e1472f25dcbc73acb332b67d4b64c2414b206077d48a96a5db7d0d99d7f8dbf8099a19284373100ffafeb00b4cfaca375a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
706d36a81cb021b18862ce84e48cf521

SHA1
79aec38077e88deff2bb251ab66840c322eba721

SHA256
8169e1376fc528954ab038fd9b6ae73e6f1cd6cb7e0e563b2a626a0ed46ceb25

SHA512
dec6079ab7df211d26aab6ac9f196fd3ce0db32e26e24b653d1bc021cf7b07fd512992791df27d5f2c7842af34435621305ee9b0b029d24a8f4b722a9f521292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
079ee19248eb1e4ffd25e34ef805188c

SHA1
f6fb1bbf8e8318c57210a433625fc95276fcc924

SHA256
a64d58aaa9d6807fb05bf8dbc8c7d7906f2421c1447a75979f2b851f4c5e3250

SHA512
d9f66e908829763b13d970ca7d7b6b89834f0d17a2f8b1efbe98df2b2c1687274668e281d008426fa1093a7ecb963131072c783d93950b8104fbf8939ff8a1f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f6cc66d5a245a6e62a24cd57a095744

SHA1
855acc1add214d38cdc3eccd69f7b557bc42210d

SHA256
023b90f554d77f655fd65b49adf636f8df3d7d5c50c3a3e269819931e0abb842

SHA512
64897d8ad7010d0da839391360653e8bf8fc2ed2bbbe276267b847990ea2181dfcb7ed6fdfcf268ae5c3d87996813c201cf040437c8b8cd41bc544b31c58c764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0898a558258e3c942f01a0760a46743b

SHA1
fe75d664e6ccc855a7d889a23f5bd30d0adf6447

SHA256
e0f6ac1c6f3ff44538cf06b83f84ce073faa0905a0317ead24cc6049d71d5812

SHA512
3fef1e2a58b7fa4d21a26a6769b3fb8c3d0ecf2ce6618d8994240a581b36fd639451d65536d5428925c0ba8f32ad5cb9be898baf2648a38897548e256b707788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d8ba6b92163d12ef1eb1c89c0084afeb

SHA1
cbd9eaa6a34636cdc2bd637487bd5ccaf8468996

SHA256
cc697768914b78863f358ab3d8d82f0380c2ab324a2dd3cfd96de8995846a689

SHA512
cfbca6b8d9c592ede4496cf63c8de832a2f46246036478e738cef417381dfe7e20bd63513e8b8611500d98c7d7650c7171a3c07b1e4b2aa146fbb9d989f7fc31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a42d10aa8060c0040f7ee8805a45fc8b

SHA1
d3df0c82c5913bb93a1c8a5500ed4bcc6e4fb407

SHA256
34388eb0b3b221f5c1e35ccc9156617aae370502e30eacd7ededea2d8fbdea9a

SHA512
fd1242268ebff1f92fad495a87d42731b81739cae64666ce846e195ad34832c0a3c6ac27c987b4cc3f2872fe44961745611aa44388fbe92e9ad4c8754a0110ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f70cc916a466fba9a4a68ef5e5bd1fd0

SHA1
fd62ab14352341517e1d15a8fdb7a7903d09995b

SHA256
8456c8c1878fb2d39914af63f643eecc240dfc1cef96810445d066e46a1f4ff2

SHA512
9950f1b4388a33e4ab68c72f2f8f24a3fbbb2cddd8f22201dc3293f129a8388404ab400b8c94838a918aa5792a11c9515030671ce380cb12c4867b21ce9375bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
140b442347c900f4b8c342f99c402f10

SHA1
a453590054fc7f22d4029da456b65a0462d3b724

SHA256
c98a16251637b122ce644de75a15dccd4b3e552c8833ac6c0e10f050b220c470

SHA512
ae4c9f1327a2c602ac74ba2af2292797823e0ff3dc52301bf89d5be6cd9d997a87f645eb45de6d0d3c7ba4a3e85c69beca7d3d4a01d737bd184052ed776d50df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2defc1e4b7a6c405cda060f76e9a9868

SHA1
f6da9e32f3e4995a9bcf5a5caf497605a1fbb899

SHA256
570c4842b4cfea5975cf18e19e0cd2c50526628ddcaf69f7bb7c6b670ef0db02

SHA512
56e1725a000c39860ba3f184f9b03019e10a6e609e9862ac6fecd71819d5132d88ab4e46dd94b12ff303954f43aa5a4e9c5acaead926fc02cffd490dcad2d6f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
3d3d38b8bd1e49df8b196bad064857cb

SHA1
d67531ac1afac0e2cafdd3c4f8fbce814a71dbf7

SHA256
b46e7472afeb19ecb72ca3e1659d9ab0b8422b6cb40c3f404cd3febc5a3ac4e0

SHA512
e964f549dbc565235a64ae6b567ea1f1fdf74cbf606872429f2527e0d51446149f3b79dfa3e66408b1ebba56aadd02c89cf4d47a473c1044202212a4b244a7dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
2245fc5ccab25f92addf83caa1d11f9b

SHA1
f9da2f0f7ce54f71a0a9d0cdeafa813f5f6fe344

SHA256
1d7335b0ce5ca74e5a142c62cbf4c1ddbfc6a2a8fb32a38130d4e1c887e5f5df

SHA512
d9030dda63f5ee09dcd9e082d46489b48b746e9ec0150c0281198d84db32f39519163e61c932e743d19c530d9b90a530b8d47550de5f405c1c3f28dcce94d6c2

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main.zip.crdownload

Filesize
25.1MB

MD5
95c1c4a3673071e05814af8b2a138be4

SHA1
4c08b79195e0ff13b63cfb0e815a09dc426ac340

SHA256
7c270da2506ba3354531e0934096315422ee719ad9ea16cb1ee86a7004a9ce27

SHA512
339a47ecfc6d403beb55d51128164a520c4bea63733be3cfd47aec47953fbf2792aa4e150f4122994a7620122b0e0fc20c1eeb2f9697cf5578df08426820fecd

Download Submit
C:\Users\Admin\Downloads\XWorm-5.6-main.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/788-276-0x000001B457300000-0x000001B4581E8000-memory.dmp

Filesize
14.9MB

Download
memory/788-278-0x000001B4745F0000-0x000001B4747E4000-memory.dmp

Filesize
2.0MB

Download