xworm | 61e8f2c36942c9910c894ae09f9554462d98e38fce868574e8cf00283978ea83

Analysis

max time kernel
122s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.6 Edition Cracked By WantHacks.rar
Size

22.1MB
MD5

f2bc2af2db699fcc4a6a86dcdcb63688
SHA1

c640018e4f0a0b314012a25c0eb87cba17f14d28
SHA256

61e8f2c36942c9910c894ae09f9554462d98e38fce868574e8cf00283978ea83
SHA512

00830190d2417f2a0f9fd168631ad8b8f6050cd8d48ba0f40ea8561cd6bf2b1d123c156f62e60260ff5328367c76bbbb750afb09b9bc2dbd57e3f7c10c398745
SSDEEP

393216:+yaCIiJA/fWwI1VJkEhDQDNIoRcYN4SMV+fphpKotgPJXbK9/KW9KP6Qr+:+yoiJA/upytROSMVypjdtg5O9/KW6Tr+

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

Mutex

HSKN9MpfBLZsOPaW

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x001900000002aafe-301.dat	disable_win_def

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab74-275.dat	family_xworm
behavioral1/files/0x001900000002ab7d-285.dat	family_xworm
behavioral1/files/0x001900000002ab7d-289.dat	family_xworm
behavioral1/memory/112-291-0x0000000000AD0000-0x0000000000AE8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
3620	Xworm V5.6.exe
112	XClient.exe
1956	XClient.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 9c003100000000006b59eaa5100058574f524d567e312e3645440000800009000400efbe6b594ba66b594ca62e000000bbaa020000001a000000000000000000000000000000cb4f2f01580057006f0072006d002000760035002e0036002000450064006900740069006f006e00200043007200610063006b00650064002000420079002000570061006e0074004800610063006b00730000001c000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xworm V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Xworm V5.6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xworm V5.6.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xworm V5.6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xworm V5.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Xworm V5.6.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe
3620	Xworm V5.6.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2708	7zFM.exe
3620	Xworm V5.6.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2708	7zFM.exe
Token: 35	2708	7zFM.exe
Token: SeSecurityPrivilege	2708	7zFM.exe
Token: 33	1528	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1528	AUDIODG.EXE
Token: SeDebugPrivilege	112	XClient.exe
Token: SeDebugPrivilege	1956	XClient.exe
Token: SeDebugPrivilege	112	XClient.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2708	7zFM.exe
2708	7zFM.exe
3620	Xworm V5.6.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3620	Xworm V5.6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3620	Xworm V5.6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 2456	3620	Xworm V5.6.exe	91
PID 3620 wrote to memory of 2456	3620	Xworm V5.6.exe	91
PID 2456 wrote to memory of 4004	2456	vbc.exe	93
PID 2456 wrote to memory of 4004	2456	vbc.exe	93

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm v5.6 Edition Cracked By WantHacks.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4944

C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Xworm V5.6.exe
"C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Xworm V5.6.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dcr1xb5g\dcr1xb5g.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56D5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF1D72DED7A647F1B582D0D38B82596D.TMP"
    3⤵
    PID:4004

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Users\Admin\Desktop\XClient.exe
"C:\Users\Admin\Desktop\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE49A7EAA7\XWorm v5.6 Edition Cracked By WantHacks\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE49A7EAA7\XWorm v5.6 Edition Cracked By WantHacks\Plugins\ReadME.txt

Filesize
30KB

MD5
8e95717f17455f118e91bc5f00796a87

SHA1
5165f7b6897d7824fc312eb1f89da3633ead4273

SHA256
fd48451771d1b0570457d12e2912b48672d484a42caf02fc9b2c0a8e32b5b6c3

SHA512
f91ca87ee748d49ae64d4e409b9dc9fe314f1da7604bd54401914b0c0b3b7469a6d2034e043ac857a3d0e73c2ca9a171bed276bcbbd1c06f109dfb6dac2b3288

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES56D5.tmp

Filesize
1KB

MD5
a293e5e3698f338a958f41b80de5f6bc

SHA1
fdf56fa2b0f889a1a95fb95673f977e06c9932b1

SHA256
126033f39f7b3720a640ce44922dae50d0006c9a7a8f7137a4e0f685e40281e5

SHA512
e7fadd76eb6423d60d4f14ec8da35556386d50e1dde0bf87702801e4f710370dbae8060ddc87a2c956be16f71c4c9ca5333e3d3045325bf0e1d4f03a543bcd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcr1xb5g\dcr1xb5g.0.vb

Filesize
78KB

MD5
0e86f3bf6082fadb1ac022e4c84097b2

SHA1
ac2aff20e769c547bb0f78d10b9ef69038f7e434

SHA256
f5290b1e88aa2ae852b7a9eb4cf04cdc43a85de7d238ac02536b962031d51bd6

SHA512
5c9c0e4b3913cebde907ab71fc489c557ac0e55c70d125b3c2a779ac4873be4e0626e64c38a1f8fb411386f0ac2b5c463e57060be7fa7b930496fb02342dc222

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcr1xb5g\dcr1xb5g.cmdline

Filesize
290B

MD5
84056d32f2e32eee1ed899f3b5440496

SHA1
f7568b05ba53d73c5ef0987dca402547dcab438e

SHA256
378b49a6e9af3fc875698ca3c9d9ebabebba3da1bf83b797e936a92576ac5884

SHA512
644a2c7911bd71ea953eb013505e79067df8b463a76d33dd3573f4be2d910008b17878581c678e9f53958d3402d3305f3b49cd351769672cc7b7cd7c019ac353

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF1D72DED7A647F1B582D0D38B82596D.TMP

Filesize
1KB

MD5
d40c58bd46211e4ffcbfbdfac7c2bb69

SHA1
c5cf88224acc284a4e81bd612369f0e39f3ac604

SHA256
01902f1903d080c6632ae2209136e8e713e9fd408db4621ae21246b65bfea2ca

SHA512
48b14748e86b7d92a3ea18f29caf1d7b4b2e1de75377012378d146575048a2531d2e5aaeae1abf2d322d06146177cdbf0c2940ac023efae007b9f235f18e2c68

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
34KB

MD5
c3dde25fdd0564ea5da282a5018e05a9

SHA1
3ec0c9674d5c7ae1f35d9781765fa1237ccb8b1c

SHA256
90a63d386e7a816f3f8ac147222ca601d245b878e6b940390097c6dc43e1e1d3

SHA512
0913553726af5aa302f6c5963354789c0b697f92ffab6ee4c905805ea96d6454c905a76019bbbadec5bd362a4115e0e55de3cd07404130bc6ddc22e5c6c3c1b4

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
72KB

MD5
76630e59b0ec281c75429f783dc434ae

SHA1
f8d82477fb53e7bbe70c85e735b1c5d5004d9dc4

SHA256
531edd4300aa1ee52110c20be612ef66a3848f7baac173b9c081a061c29d0ba7

SHA512
4a5daaa041c7aeef34c6f4bd0b26553ad0e6637930554a92bf57833e9c97e52efd9f08024421ee362e07b681e61c19e195fb767e7434fbf40ac866b6d31af25e

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\GMap.NET.Core.dll

Filesize
2.9MB

MD5
819352ea9e832d24fc4cebb2757a462b

SHA1
aba7e1b29bdcd0c5a307087b55c2ec0c7ca81f11

SHA256
58c755fcfc65cddea561023d736e8991f0ad69da5e1378dea59e98c5db901b86

SHA512
6a5b0e1553616ea29ec72c12072ae05bdd709468a173e8adbdfe391b072c001ecacb3dd879845f8d599c6152eca2530cdaa2c069b1f94294f778158eaaebe45a

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\GMap.NET.WindowsForms.dll

Filesize
147KB

MD5
32a8742009ffdfd68b46fe8fd4794386

SHA1
de18190d77ae094b03d357abfa4a465058cd54e3

SHA256
741e1a8f05863856a25d101bd35bf97cba0b637f0c04ecb432c1d85a78ef1365

SHA512
22418d5e887a6022abe8a7cbb0b6917a7478d468d211eecd03a95b8fb6452fc59db5178573e25d5d449968ead26bb0b2bfbfada7043c9a7a1796baca5235a82b

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\NAudio.dll

Filesize
502KB

MD5
3b87d1363a45ce9368e9baec32c69466

SHA1
70a9f4df01d17060ec17df9528fca7026cc42935

SHA256
81b3f1dc3f1eac9762b8a292751a44b64b87d0d4c3982debfdd2621012186451

SHA512
1f07d3b041763b4bc31f6bd7b181deb8d34ff66ec666193932ffc460371adbcd4451483a99009b9b0b71f3864ed5c15c6c3b3777fabeb76f9918c726c35eb7d7

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Plugins\FileManager.dll

Filesize
679KB

MD5
641a8b61cb468359b1346a0891d65b59

SHA1
2cdc49bcd7428fe778a94cdcd19cabf5ece8c9c0

SHA256
b58ed3ebbcd27c7f4b173819528ff4db562b90475a5e304521ed5c564d39fffd

SHA512
042702d34664ea6288e891c9f7aa10a5b4b07317f25f82d6c9fa9ba9b98645c14073d0f66637060b416a30c58dec907d9383530320a318523c51f19ebd0a4fee

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Plugins\Informations.dll

Filesize
22KB

MD5
67a884eeb9bd025a1ef69c8964b6d86f

SHA1
97e00d3687703b1d7cc0939e45f8232016d009d9

SHA256
cba453460be46cfa705817abbe181f9bf65dca6b6cea1ad31629aa08dbeaf72b

SHA512
52e852021a1639868e61d2bd1e8f14b9c410c16bfca584bf70ae9e71da78829c1cada87d481e55386eec25646f84bb9f3baee3b5009d56bcbb3be4e06ffa0ae7

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Plugins\Maps.dll

Filesize
15KB

MD5
806c3802bfd7a97db07c99a5c2918198

SHA1
088393a9d96f0491e3e1cf6589f612aa5e1df5f8

SHA256
34b532a4d0560e26b0d5b81407befdc2424aacc9ef56e8b13de8ad0f4b3f1ab6

SHA512
ed164822297accd3717b4d8e3927f0c736c060bb7ec5d99d842498b63f74d0400c396575e9fa664ad36ae8d4285cfd91e225423a0c77a612912d66ea9f63356c

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Plugins\Options.dll

Filesize
30KB

MD5
97193fc4c016c228ae0535772a01051d

SHA1
f2f6d56d468329b1e9a91a3503376e4a6a4d5541

SHA256
5c34aee5196e0f8615b8d1d9017dd710ea28d2b7ac99295d46046d12eea58d78

SHA512
9f6d7da779e8c9d7307f716d4a4453982bb7f090c35947850f13ec3c9472f058fc11e1120a9641326970b9846d3c691e0c2afd430c12e5e8f30abadb5dcf5ed2

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Plugins\TCPConnections.dll

Filesize
16KB

MD5
9cae90969d14ab4d686c56bae19e041e

SHA1
0359e8eeed993bbbc6f141b115bd533eeb52533d

SHA256
27e17a43478448f64107df786a170753dbd116eafca7c027f6d357f11e6a4def

SHA512
04a9dc16299d866af7f56ff2ef355310d9437c909ec0dd3549d2f142e71149b09822106e254970f00801fe2f0df6b6d2670cf6a8256d85cd35b963c028f6202d

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Xworm V5.6.exe

Filesize
24.7MB

MD5
d626f885874892781aa6efcc7e0c2a69

SHA1
09f2aeab8f4618f26471261a746bad43bfc917ff

SHA256
df512cabbda87f7630eaa05abce3b84698a00a36d41222a95649f851d3317a1f

SHA512
26695528d81a1cf737d9337f11ca29fcbb7defb0418002e955501d7048c597cf23330be7bc49d33eceead020eb3a3e752d6a6c048ee54aa23c9e1981a520aa63

Download Submit
C:\Users\Admin\Desktop\XWorm v5.6 Edition Cracked By WantHacks\Xworm V5.6.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/112-291-0x0000000000AD0000-0x0000000000AE8000-memory.dmp

Filesize
96KB

Download
memory/3620-287-0x000002683E3D0000-0x000002683E538000-memory.dmp

Filesize
1.4MB

Download
memory/3620-261-0x0000026840930000-0x00000268409B2000-memory.dmp

Filesize
520KB

Download
memory/3620-259-0x00007FFF84BF3000-0x00007FFF84BF5000-memory.dmp

Filesize
8KB

Download
memory/3620-258-0x000002683E8D0000-0x000002683F4F8000-memory.dmp

Filesize
12.2MB

Download
memory/3620-269-0x00007FFF84BF0000-0x00007FFF856B2000-memory.dmp

Filesize
10.8MB

Download
memory/3620-257-0x00007FFF84BF0000-0x00007FFF856B2000-memory.dmp

Filesize
10.8MB

Download
memory/3620-267-0x0000026840E30000-0x0000026841112000-memory.dmp

Filesize
2.9MB

Download
memory/3620-256-0x000002683D960000-0x000002683DB54000-memory.dmp

Filesize
2.0MB

Download
memory/3620-254-0x0000026821480000-0x0000026822D38000-memory.dmp

Filesize
24.7MB

Download
memory/3620-253-0x00007FFF84BF3000-0x00007FFF84BF5000-memory.dmp

Filesize
8KB

Download
memory/3620-265-0x0000026840A20000-0x0000026840A4C000-memory.dmp

Filesize
176KB

Download
memory/3620-263-0x0000026840A80000-0x0000026840B32000-memory.dmp

Filesize
712KB

Download