Analysis Overview
SHA256
6b66904ae1929991852392fe2d578712738799cdd82539507d714f536eb8e0ed
Threat Level: Known bad
The file Xworm.V6.0.zip was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Stormkitty family
Contains code to disable Windows Defender
Xworm
Xworm family
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Checks computer location settings
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Opens file in notepad (likely ransom note)
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-29 03:59
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-29 03:59
Reported
2024-11-29 04:02
Platform
win7-20240708-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm.V6.0.zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-29 03:59
Reported
2024-11-29 04:16
Platform
win10v2004-20241007-en
Max time kernel
984s
Max time network
990s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO4D0CDC69\Xworm V6.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Xworm V6.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OneDrive.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO4D02E038\Xworm V6.0.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | C:\Users\Admin\AppData\Local\Temp\OneDrive.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk | C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | C:\Users\Admin\AppData\Local\Temp\OneDrive.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk | C:\Users\Admin\AppData\Local\Temp\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk | C:\Users\Admin\AppData\Local\Temp\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk | C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe" | C:\Users\Admin\AppData\Local\Temp\OneDrive.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe" | C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OneDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm.V6.0.zip"
C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe"
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\7zO4D02E038\Xworm V6.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4D02E038\Xworm V6.0.exe"
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4D0B1329\ErrorLogs.txt
C:\Users\Admin\AppData\Local\Temp\7zO4D0CDC69\Xworm V6.0.exe
"C:\Users\Admin\AppData\Local\Temp\7zO4D0CDC69\Xworm V6.0.exe"
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
C:\Users\Admin\Desktop\Xworm V6.0.exe
"C:\Users\Admin\Desktop\Xworm V6.0.exe"
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp | |
| BE | 109.236.137.30:7000 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO4D0CA6D7\Xworm V6.0.exe
| MD5 | fae9f588f8bf2ea148c92de1083eb8a2 |
| SHA1 | 8103ee4ad2ba5c5ab6fafa80fbc536646fdabaa9 |
| SHA256 | 54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394 |
| SHA512 | f05ddbcc784d3903e3d151155060a6fccbda672c183c2b71d7601e7c16579ff225a00156d3203ee3990b6a19cce7022644352f3db8b5b862928d6b3b0034ec0e |
memory/4960-12-0x00007FF94AB93000-0x00007FF94AB95000-memory.dmp
memory/4960-13-0x0000000000220000-0x00000000011A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
| MD5 | a1cd6f4a3a37ed83515aa4752f98eb1d |
| SHA1 | 7f787c8d72787d8d130b4788b006b799167d1802 |
| SHA256 | 5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65 |
| SHA512 | 9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355 |
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
| MD5 | 16cdd301591c6af35a03cd18caee2e59 |
| SHA1 | 92c6575b57eac309c8664d4ac76d87f2906e8ef3 |
| SHA256 | 11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8 |
| SHA512 | a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476 |
memory/4824-47-0x0000000000650000-0x0000000000678000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msedge.exe
| MD5 | aee20d80f94ae0885bb2cabadb78efc9 |
| SHA1 | 1e82eba032fcb0b89e1fdf937a79133a5057d0a1 |
| SHA256 | 498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d |
| SHA512 | 3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42 |
memory/2760-49-0x0000000000590000-0x00000000005BE000-memory.dmp
memory/4036-48-0x0000000000A70000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
| MD5 | 56ccb739926a725e78a7acf9af52c4bb |
| SHA1 | 5b01b90137871c3c8f0d04f510c4d56b23932cbc |
| SHA256 | 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405 |
| SHA512 | 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1 |
memory/1452-62-0x000001C76ED80000-0x000001C76FC68000-memory.dmp
memory/2492-63-0x000001B5EE730000-0x000001B5EE752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka0c3vry.kqc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a53fcd7ca5f768ef5b87edc8ff9274aa |
| SHA1 | cf5838b36607558f3f25ca29921c523ad9cda3f9 |
| SHA256 | 2366de0b561dd9d45362c9fca44eb0aae96766fb55848b63f29f599d6cef7d99 |
| SHA512 | c642f4c3d12e8abf4c29141a068c9c93a7e8cca4442ffbaca037362b517abf55d9fc69b1653c63c8a07d3f17f159839f60912d7d0fef760a0a2770fb0d093fdb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 47605a4dda32c9dff09a9ca441417339 |
| SHA1 | 4f68c895c35b0dc36257fc8251e70b968c560b62 |
| SHA256 | e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a |
| SHA512 | b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0342b267f79ac6d33bf583a0b3b04dd1 |
| SHA1 | 78ef2010a90ff2fa10d68628b39647d9773983ab |
| SHA256 | dc0ea9007b6ac003b0f10a0f34361ee5defb05495c29a35d2951c4e4a604f1c5 |
| SHA512 | c484d055c44f353d1eeb1b626751d8863b0ed5af13376f46b62726568e8c7e4589986a7badf1a3de40f69c40ae6a4fa8fd4b2e47180a7cad17daa3943faf00d4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbb22d95851b93abf2afe8fb96a8e544 |
| SHA1 | 920ec5fdb323537bcf78f7e29a4fc274e657f7a4 |
| SHA256 | e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465 |
| SHA512 | 16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da5c82b0e070047f7377042d08093ff4 |
| SHA1 | 89d05987cd60828cca516c5c40c18935c35e8bd3 |
| SHA256 | 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5 |
| SHA512 | 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 336e5ecd286a50d241ded3783713c713 |
| SHA1 | 15b57d7e4d6e2235894875620c99715b506d6f13 |
| SHA256 | 85203e7ac1b91c21c5e7ead187c3ed702b2524cd7ffde1451066e624a8ab0ce1 |
| SHA512 | b59e9b6c247aaf0124354d79c3366a0ded6e95b9afd8ce3b4d3e29e876b5b0722f6193c8fed9e473cfd7312e1232874af7a83bd3627001a0bf689923fc4b1440 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8cb3e9459807e35f02130fad3f9860d |
| SHA1 | 5af7f32cb8a30e850892b15e9164030a041f4bd6 |
| SHA256 | 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68 |
| SHA512 | 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xworm V6.0.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fff3a196c8c8c909b28ee06cf72fd9c6 |
| SHA1 | 3311fe0cd4fd217dab2fa893ca605442f76cfc68 |
| SHA256 | 86ada28e147781a7f491082ef0c468efdeddb82639e5854546ed9bdef49e03ea |
| SHA512 | ae18952e894a0f9e129b39beec17c9f57b2fe3791c8199f06ae29cbcda5d28cf7eaabb7386f9675b6a454cb8ee448b5d5b231901470e4b480d7d85cb69e99639 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 4fe00b888c18166f4130753bf61c41a7 |
| SHA1 | b108aade4b1d1240c6f1638ee39f5b969fc7a6e2 |
| SHA256 | d597246461ea45fbf9dd9587d2baa48c812a256d55faacc1f69085e0b24d82cd |
| SHA512 | 0568ef130ffa2ca2e05a7c3912dc0cc4841195a986a75dc16e9ff3d6a08dcd15986b21ff6578b1f71a333bfe5d6088a795ffd47580d294c64869b4a3a4054f86 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 7415007e2776bc2baf6fda17f008ea3b |
| SHA1 | 2ba20b4df2130fc2133c790eb52c4f15168d7180 |
| SHA256 | ca8a0b34518c1091526d65c0962f94f72bfb755e060cb84c36c349f297fdf5a2 |
| SHA512 | 67f802d89690bbbb18974b5dc04ec806cc23a9118fd5b91d446972efa356f1eab1cb4bd101c30798bf0facbef1db8efee6d484b7a19931ba4dd08b4ab2454b49 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 2944f38672af71357715356845e1e869 |
| SHA1 | c6e37c6ad97e86f520dd1e20a35566dba81e8610 |
| SHA256 | 95f1cebac94467740a188fda6bc2a25f4ed4ebe3cb76766cccb5538458d4bdc8 |
| SHA512 | 810ae92e177e791066908935ebaf6f2ad5bdfa93412de35a753fdba088f3d8b9a9fc8861ac0408d1f494283483f14c5cc284b81fdf3d699164fbb1bb9e605c6c |
C:\Users\Admin\AppData\Local\Temp\7zO4D0B1329\ErrorLogs.txt
| MD5 | f77f4fb386c891a5640cf26473cebea4 |
| SHA1 | db2fc673ed4b895561caf8670d1e40204a3d6fa6 |
| SHA256 | 633eef2d5302c0c224cd71aeb7d29901564f30e5a9b3d31cc0a55c1c6eeb3d5c |
| SHA512 | 47fe461ccb295c95d951c0499d943febdc7b9b41923bd03b9b0876e52abc220cde47dd4a3ff13e98f991636fc21b6ef5297b679dde8dcd38b51cd0648eea38f9 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | fcb5e613298b02799d2c3d5f9c59a094 |
| SHA1 | 8b89857e41b9dd77c8b99be8931b1911fd866ebb |
| SHA256 | 36cca3a66b8402e78d5fe4e9aae9923de10f55fe6da6e92b1983e53e0bd529b2 |
| SHA512 | 4fac0daf574e96c07853bd0973e0f04a58bf80da9a4f85155508fb28957ce394ec6b6cbd60db33e63db7d0ac0df90fc493102c5b783e1b6abd51288f874a33d6 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 49cd36b9a8cb91d957822b50a475184c |
| SHA1 | a18d7fca65440441eb4eea839cb13bf486a3cece |
| SHA256 | 7b784f178ed65d8e88faaff0603745bc535534bbc27c547cc36e5ef3831f0ade |
| SHA512 | 338311e91074ebcf400b069a10e5ddbd0827cb76f93c272dcfa10956d1203aa8dbed5242a256ad1bd42c49e8ffe71f9ecfb0bdec46d2fe697c37c8613d240d86 |
C:\Users\Admin\AppData\Local\Temp\Log.tmp
| MD5 | 005b80b48b9cf19e6003a8e643a5d998 |
| SHA1 | 9627a2569a50205816f8e14f30037e29d5ca7d94 |
| SHA256 | 0b181d445fab43b717b17ed38c6e8fde081d6fe539bd090271d1eab1a2c65496 |
| SHA512 | 9294b1fc016e4a501efc5756adf5033dfc48e1aa3b774843b1da1b0e75953ac934138e1199f80293de59466605477c86bb275d053447d7579fe50f859934412a |