xred | fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da

Analysis

max time kernel
80s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2025, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe
Size

56.3MB
MD5

f21bab83ac325830cf3aab824cc1fadf
SHA1

0cab604f8e23814a0d9e43dc63e3bebce5336168
SHA256

fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da
SHA512

6cfa5d269e041870ad38c6c162cc2090df296b056eb89bc7afb790342797cf983a6906733bb27acfcbca7674dd18366c24003818cd4b8dc34b141ddb9a802537
SSDEEP

1572864:5WWXtHc1Y6Iv97dZJl+T/pq5Z4vA9jtycxrSuICF98bh:5Lc1Y6IJfI/U5ZWotFnxSbh

Score

10^/10

xred xworm backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

209.50.250.24:4562

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 58 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e452-33.dat	family_xworm
behavioral2/files/0x000400000001e57a-44.dat	family_xworm
behavioral2/memory/4976-171-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4012-168-0x0000000000880000-0x00000000008B8000-memory.dmp	family_xworm
behavioral2/memory/3552-249-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4532-261-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1044-272-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1172-308-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3236-316-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4092-330-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1288-363-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3476-376-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4208-389-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3236-399-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1012-400-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/2184-401-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4324-402-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4280-412-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/2708-413-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4780-414-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4952-415-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3384-416-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4604-417-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/5060-418-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4708-419-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3236-420-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4776-421-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4512-422-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4024-423-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4412-424-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1012-425-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/2184-435-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/548-436-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/2972-437-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/5060-438-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1896-439-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/2268-440-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/728-441-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4752-452-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/992-462-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1540-472-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4948-473-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3416-474-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4512-475-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/5040-485-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/244-486-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4260-487-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4092-488-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3936-498-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1896-499-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4496-501-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4476-511-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/4980-512-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3068-513-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/1932-523-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3220-524-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3656-534-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm
behavioral2/memory/3284-535-0x0000000000400000-0x00000000004F1000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Discord.Bot.Client.1.0.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	XWorm -V5.6.exe

Executes dropped EXE 64 IoCs

pid	Process
2964	Discord.Bot.Client.1.0.0.exe
3180	WizWorm.exe
4976	XWorm -V5.6.exe
1540	Discord.Bot.Client.1.0.0.exe
4012	._cache_XWorm -V5.6.exe
3236	Synaptics.exe
3552	XWorm -V5.6.exe
4248	Discord.Bot.Client.1.0.0.exe
3452	._cache_Synaptics.exe
2816	._cache_XWorm -V5.6.exe
4532	XWorm -V5.6.exe
3628	Discord.Bot.Client.1.0.0.exe
696	._cache_XWorm -V5.6.exe
1044	XWorm -V5.6.exe
516	._cache_XWorm -V5.6.exe
2524	Discord.Bot.Client.1.0.0.exe
1172	XWorm -V5.6.exe
3796	Discord.Bot.Client.1.0.0.exe
1724	._cache_XWorm -V5.6.exe
4092	XWorm -V5.6.exe
1128	Discord.Bot.Client.1.0.0.exe
1212	._cache_XWorm -V5.6.exe
1288	XWorm -V5.6.exe
2200	Discord.Bot.Client.1.0.0.exe
2268	._cache_XWorm -V5.6.exe
3476	XWorm -V5.6.exe
1172	Discord.Bot.Client.1.0.0.exe
1972	._cache_XWorm -V5.6.exe
4208	XWorm -V5.6.exe
4248	Discord.Bot.Client.1.0.0.exe
1724	._cache_XWorm -V5.6.exe
1012	XWorm -V5.6.exe
1044	Discord.Bot.Client.1.0.0.exe
4408	._cache_XWorm -V5.6.exe
2184	XWorm -V5.6.exe
4848	Discord.Bot.Client.1.0.0.exe
224	._cache_XWorm -V5.6.exe
4324	XWorm -V5.6.exe
4908	Discord.Bot.Client.1.0.0.exe
552	._cache_XWorm -V5.6.exe
4280	XWorm -V5.6.exe
5036	Discord.Bot.Client.1.0.0.exe
1456	._cache_XWorm -V5.6.exe
2708	XWorm -V5.6.exe
2032	Discord.Bot.Client.1.0.0.exe
4780	XWorm -V5.6.exe
3416	._cache_XWorm -V5.6.exe
2360	Discord.Bot.Client.1.0.0.exe
4004	._cache_XWorm -V5.6.exe
4952	XWorm -V5.6.exe
3672	Discord.Bot.Client.1.0.0.exe
2848	._cache_XWorm -V5.6.exe
3384	XWorm -V5.6.exe
1832	Discord.Bot.Client.1.0.0.exe
4604	XWorm -V5.6.exe
1932	._cache_XWorm -V5.6.exe
4412	Discord.Bot.Client.1.0.0.exe
1288	._cache_XWorm -V5.6.exe
5060	XWorm -V5.6.exe
4360	Discord.Bot.Client.1.0.0.exe
3916	._cache_XWorm -V5.6.exe
4708	XWorm -V5.6.exe
4780	Discord.Bot.Client.1.0.0.exe
1652	._cache_XWorm -V5.6.exe

Loads dropped DLL 64 IoCs

pid	Process
3552	XWorm -V5.6.exe
3552	XWorm -V5.6.exe
4532	XWorm -V5.6.exe
4532	XWorm -V5.6.exe
1044	XWorm -V5.6.exe
1044	XWorm -V5.6.exe
1172	XWorm -V5.6.exe
1172	XWorm -V5.6.exe
4092	XWorm -V5.6.exe
4092	XWorm -V5.6.exe
1288	XWorm -V5.6.exe
1288	XWorm -V5.6.exe
3476	XWorm -V5.6.exe
3476	XWorm -V5.6.exe
4208	XWorm -V5.6.exe
4208	XWorm -V5.6.exe
1012	XWorm -V5.6.exe
1012	XWorm -V5.6.exe
2184	XWorm -V5.6.exe
2184	XWorm -V5.6.exe
4324	XWorm -V5.6.exe
4324	XWorm -V5.6.exe
4280	XWorm -V5.6.exe
4280	XWorm -V5.6.exe
2708	XWorm -V5.6.exe
2708	XWorm -V5.6.exe
4780	XWorm -V5.6.exe
4780	XWorm -V5.6.exe
4952	XWorm -V5.6.exe
4952	XWorm -V5.6.exe
3384	XWorm -V5.6.exe
3384	XWorm -V5.6.exe
4604	XWorm -V5.6.exe
4604	XWorm -V5.6.exe
5060	XWorm -V5.6.exe
5060	XWorm -V5.6.exe
4708	XWorm -V5.6.exe
4708	XWorm -V5.6.exe
4776	XWorm -V5.6.exe
4776	XWorm -V5.6.exe
4512	XWorm -V5.6.exe
4512	XWorm -V5.6.exe
4024	XWorm -V5.6.exe
4024	XWorm -V5.6.exe
4412	XWorm -V5.6.exe
4412	XWorm -V5.6.exe
1012	XWorm -V5.6.exe
1012	XWorm -V5.6.exe
2184	XWorm -V5.6.exe
2184	XWorm -V5.6.exe
548	XWorm -V5.6.exe
548	XWorm -V5.6.exe
2972	XWorm -V5.6.exe
2972	XWorm -V5.6.exe
5060	XWorm -V5.6.exe
5060	XWorm -V5.6.exe
1896	XWorm -V5.6.exe
1896	XWorm -V5.6.exe
2268	XWorm -V5.6.exe
2268	XWorm -V5.6.exe
728	XWorm -V5.6.exe
728	XWorm -V5.6.exe
4752	XWorm -V5.6.exe
4752	XWorm -V5.6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	XWorm -V5.6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWorm -V5.6.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	XWorm -V5.6.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5056	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3452	._cache_Synaptics.exe
Token: SeDebugPrivilege	2816	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	696	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	516	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1724	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1212	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2268	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1972	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1724	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4408	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	224	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	552	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1456	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3416	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4004	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2848	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1932	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1288	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3916	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1652	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2624	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1308	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2052	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3180	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4380	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4552	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1616	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4888	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3892	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4876	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4408	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1460	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2008	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4860	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3220	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2872	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3892	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1724	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4408	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2360	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4848	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	412	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1036	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3368	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2052	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2316	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2684	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3572	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	852	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1764	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2848	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1220	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4776	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	4248	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	3208	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1808	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	224	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	2724	._cache_XWorm -V5.6.exe
Token: SeDebugPrivilege	1628	._cache_XWorm -V5.6.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE
5056	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2964	1972	fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe	87
PID 1972 wrote to memory of 2964	1972	fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe	87
PID 1972 wrote to memory of 3180	1972	fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe	88
PID 1972 wrote to memory of 3180	1972	fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe	88
PID 2964 wrote to memory of 4976	2964	Discord.Bot.Client.1.0.0.exe	89
PID 2964 wrote to memory of 4976	2964	Discord.Bot.Client.1.0.0.exe	89
PID 2964 wrote to memory of 4976	2964	Discord.Bot.Client.1.0.0.exe	89
PID 2964 wrote to memory of 1540	2964	Discord.Bot.Client.1.0.0.exe	90
PID 2964 wrote to memory of 1540	2964	Discord.Bot.Client.1.0.0.exe	90
PID 4976 wrote to memory of 4012	4976	XWorm -V5.6.exe	96
PID 4976 wrote to memory of 4012	4976	XWorm -V5.6.exe	96
PID 4976 wrote to memory of 3236	4976	XWorm -V5.6.exe	97
PID 4976 wrote to memory of 3236	4976	XWorm -V5.6.exe	97
PID 4976 wrote to memory of 3236	4976	XWorm -V5.6.exe	97
PID 1540 wrote to memory of 3552	1540	Discord.Bot.Client.1.0.0.exe	99
PID 1540 wrote to memory of 3552	1540	Discord.Bot.Client.1.0.0.exe	99
PID 1540 wrote to memory of 3552	1540	Discord.Bot.Client.1.0.0.exe	99
PID 1540 wrote to memory of 4248	1540	Discord.Bot.Client.1.0.0.exe	130
PID 1540 wrote to memory of 4248	1540	Discord.Bot.Client.1.0.0.exe	130
PID 3236 wrote to memory of 3452	3236	Synaptics.exe	102
PID 3236 wrote to memory of 3452	3236	Synaptics.exe	102
PID 3552 wrote to memory of 2816	3552	XWorm -V5.6.exe	103
PID 3552 wrote to memory of 2816	3552	XWorm -V5.6.exe	103
PID 4248 wrote to memory of 4532	4248	Discord.Bot.Client.1.0.0.exe	104
PID 4248 wrote to memory of 4532	4248	Discord.Bot.Client.1.0.0.exe	104
PID 4248 wrote to memory of 4532	4248	Discord.Bot.Client.1.0.0.exe	104
PID 4248 wrote to memory of 3628	4248	Discord.Bot.Client.1.0.0.exe	105
PID 4248 wrote to memory of 3628	4248	Discord.Bot.Client.1.0.0.exe	105
PID 4532 wrote to memory of 696	4532	XWorm -V5.6.exe	107
PID 4532 wrote to memory of 696	4532	XWorm -V5.6.exe	107
PID 3628 wrote to memory of 1044	3628	Discord.Bot.Client.1.0.0.exe	133
PID 3628 wrote to memory of 1044	3628	Discord.Bot.Client.1.0.0.exe	133
PID 3628 wrote to memory of 1044	3628	Discord.Bot.Client.1.0.0.exe	133
PID 1044 wrote to memory of 516	1044	XWorm -V5.6.exe	110
PID 1044 wrote to memory of 516	1044	XWorm -V5.6.exe	110
PID 3628 wrote to memory of 2524	3628	Discord.Bot.Client.1.0.0.exe	111
PID 3628 wrote to memory of 2524	3628	Discord.Bot.Client.1.0.0.exe	111
PID 2524 wrote to memory of 1172	2524	Discord.Bot.Client.1.0.0.exe	126
PID 2524 wrote to memory of 1172	2524	Discord.Bot.Client.1.0.0.exe	126
PID 2524 wrote to memory of 1172	2524	Discord.Bot.Client.1.0.0.exe	126
PID 2524 wrote to memory of 3796	2524	Discord.Bot.Client.1.0.0.exe	115
PID 2524 wrote to memory of 3796	2524	Discord.Bot.Client.1.0.0.exe	115
PID 1172 wrote to memory of 1724	1172	XWorm -V5.6.exe	131
PID 1172 wrote to memory of 1724	1172	XWorm -V5.6.exe	131
PID 3796 wrote to memory of 4092	3796	Discord.Bot.Client.1.0.0.exe	117
PID 3796 wrote to memory of 4092	3796	Discord.Bot.Client.1.0.0.exe	117
PID 3796 wrote to memory of 4092	3796	Discord.Bot.Client.1.0.0.exe	117
PID 3796 wrote to memory of 1128	3796	Discord.Bot.Client.1.0.0.exe	119
PID 3796 wrote to memory of 1128	3796	Discord.Bot.Client.1.0.0.exe	119
PID 4092 wrote to memory of 1212	4092	XWorm -V5.6.exe	120
PID 4092 wrote to memory of 1212	4092	XWorm -V5.6.exe	120
PID 1128 wrote to memory of 1288	1128	Discord.Bot.Client.1.0.0.exe	160
PID 1128 wrote to memory of 1288	1128	Discord.Bot.Client.1.0.0.exe	160
PID 1128 wrote to memory of 1288	1128	Discord.Bot.Client.1.0.0.exe	160
PID 1128 wrote to memory of 2200	1128	Discord.Bot.Client.1.0.0.exe	122
PID 1128 wrote to memory of 2200	1128	Discord.Bot.Client.1.0.0.exe	122
PID 1288 wrote to memory of 2268	1288	XWorm -V5.6.exe	123
PID 1288 wrote to memory of 2268	1288	XWorm -V5.6.exe	123
PID 2200 wrote to memory of 3476	2200	Discord.Bot.Client.1.0.0.exe	125
PID 2200 wrote to memory of 3476	2200	Discord.Bot.Client.1.0.0.exe	125
PID 2200 wrote to memory of 3476	2200	Discord.Bot.Client.1.0.0.exe	125
PID 2200 wrote to memory of 1172	2200	Discord.Bot.Client.1.0.0.exe	126
PID 2200 wrote to memory of 1172	2200	Discord.Bot.Client.1.0.0.exe	126
PID 3476 wrote to memory of 1972	3476	XWorm -V5.6.exe	127

C:\Users\Admin\AppData\Local\Temp\fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe
"C:\Users\Admin\AppData\Local\Temp\fd2af290651593318f6181ffbbf227f8ae72c1ab1deb2a2ffae91d7a8988c8da.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
  "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
    "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4012
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
- - C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
    "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
      "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
  - - C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
      "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3628
      - C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
      - C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        10⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        13⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        14⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        17⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        18⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        19⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4360
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        22⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        23⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        23⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        24⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        24⤵
        Checks computer location settings
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        25⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        26⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        27⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        28⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        27⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        28⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        29⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        28⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        30⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        29⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        30⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        31⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        30⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        31⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        32⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        31⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        32⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        33⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        32⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        33⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        34⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        33⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        34⤵
        Checks computer location settings
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        35⤵
        Checks computer location settings
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        35⤵
        Checks computer location settings
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        36⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        37⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        36⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        37⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        38⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        37⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        38⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        39⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        38⤵
        Checks computer location settings
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        39⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        40⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        39⤵
        Checks computer location settings
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        40⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        41⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        40⤵
        Checks computer location settings
        
        PID:216
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        41⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        42⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        41⤵
        Checks computer location settings
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        42⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        43⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        42⤵
        Checks computer location settings
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        43⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        44⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        43⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        44⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        45⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        44⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        45⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        46⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        45⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        46⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        47⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        46⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        47⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        48⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        47⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        48⤵
        Modifies registry class
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        49⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        48⤵
        Checks computer location settings
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        49⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        50⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        49⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        50⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        51⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        50⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        51⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        52⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        51⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        52⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        53⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        52⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        53⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        54⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        53⤵
        Checks computer location settings
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        54⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        55⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        54⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        55⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        56⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        55⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        56⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        57⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        56⤵
        Checks computer location settings
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        57⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        58⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        57⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        58⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        59⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        58⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        59⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        60⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        59⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        60⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        61⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        60⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        61⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        62⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        61⤵
        Checks computer location settings
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        62⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        63⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        62⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        63⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        64⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        63⤵
        Checks computer location settings
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        64⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        65⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        64⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        65⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        66⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        65⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        67⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        66⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        67⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        68⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        67⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        68⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        69⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        68⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        69⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        70⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        69⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        70⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        71⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        70⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        71⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        72⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        71⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        72⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        73⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        72⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        73⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        74⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        73⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        74⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        75⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        74⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        75⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        76⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        75⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        76⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        77⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        76⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        77⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        78⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        77⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        78⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        79⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        78⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        79⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        80⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        79⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        80⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        81⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        80⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        81⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        82⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        81⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        82⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        83⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        82⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        83⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        84⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        83⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        84⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        85⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        84⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        85⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        86⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        85⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        86⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        87⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        86⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        87⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        88⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        87⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        88⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        89⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        88⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        89⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        90⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        89⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        90⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        91⤵
        
        PID:264
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        90⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        91⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        92⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        91⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        92⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        93⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        92⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        93⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        94⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        93⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        94⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        95⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        94⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        95⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        96⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        95⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        96⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        97⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        96⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        97⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        98⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        97⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        98⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        99⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        98⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        99⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        100⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        99⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        100⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        101⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        100⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        101⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        102⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        101⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        102⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        103⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        102⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        103⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        104⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        103⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        104⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        105⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        104⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        105⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        106⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        105⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        106⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        107⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        106⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        107⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        108⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        107⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        108⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        109⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        108⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        109⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        110⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        109⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        110⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        111⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        110⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        111⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        112⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        111⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        112⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        113⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        112⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        113⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        114⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        113⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        114⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        115⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        114⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        115⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        116⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        115⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        116⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        117⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        116⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        117⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        118⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        117⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        118⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        119⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        118⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        119⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        120⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        119⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        120⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        121⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        120⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        121⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        122⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        121⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        122⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        123⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        122⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        123⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        124⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        123⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        124⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        125⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        124⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        125⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        126⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        125⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        126⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        127⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        126⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        127⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        128⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        127⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        128⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        129⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        128⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        129⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        130⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        129⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        130⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        131⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        130⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        131⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        132⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        131⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        132⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        133⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        132⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        133⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        134⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        133⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        134⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        135⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        134⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        135⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        136⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        135⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        136⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        137⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        136⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        137⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        138⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        137⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        138⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        139⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        138⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        139⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        140⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        139⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        140⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        141⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        140⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        141⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        142⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        141⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        142⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        143⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        142⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        143⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        144⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        143⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        144⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        145⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        144⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        145⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        146⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        145⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        146⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        147⤵
        
        PID:180
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        146⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        147⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        148⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        147⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        148⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        149⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        148⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe"
        149⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe"
        150⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe"
        149⤵
        
        PID:1996
- C:\Users\Admin\AppData\Roaming\WizWorm.exe
  "C:\Users\Admin\AppData\Roaming\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:3180

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.Bot.Client.1.0.0.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_XWorm -V5.6.exe

Filesize
194KB

MD5
d3e22b66b78acdd2d894bba7f51e54bc

SHA1
059aeaea70858f4202f71d82d5742b7e923411fa

SHA256
8533ddb25eef736be61b3e3ec0cea6ea7eefd121120ffb971b7ea1b1f1f863de

SHA512
b9ca1fd07f2fbc92a66ddac1f767bd05a94062cbad61de49f02b5688bb94fa0e7a0de0d4cd6539146a3e83c0558441fbd82a5c195a564b90d299228273fd79fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\22285E00

Filesize
22KB

MD5
8c101353f11c3d1976f20937e1651fde

SHA1
70f031f4bbd695f69f6ac4410501f061b4616691

SHA256
de9bc36d334f67bc7252ccbbc2c72d2fcdbb3fa1834442d698176b15abeea531

SHA512
2d10fedf789e7c36c8cad34d8ebcdc48c18e9cbc2e91ead022604a15e6b45c2a81a36ae4892aee2c9ad492b872d688a427e5f85d80a86e46aab2d99d6de83d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\u6ZyT34x.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Discord.Bot.Client.1.0.0.exe

Filesize
41.9MB

MD5
dcc8b129b2f0694416b32de7abb1c76c

SHA1
f9317b861b0d10e964cfe4b02851eac120b5601f

SHA256
39d1f5b350cb5d125d1f6a8ec502440b23e0a7c9836e172394e723cfed357e77

SHA512
8a11c324bdbbd79b6d1dd416022b0c06aa08c6a4b0ad4f93645b4c1577249c8a06b5943cf2db12d62b0256c31a214be885ea55dedb8c6bbe7722b5942029a465

Download Submit
C:\Users\Admin\AppData\Roaming\WizWorm.exe

Filesize
14.3MB

MD5
0d7b4b1882f63bdd50b95c566d71ae14

SHA1
fd44458018d9ba5beee8a67b7f22bb5c6e1f850d

SHA256
4a095cf379d66c7123416fec489a8ef6b767fec71959e13714127d6c3bb41c06

SHA512
97ad65c805be31d1d530077b4736ff4c844c51a2d4550e856933f08a328e4c74ecef7e22040a27e9a03509170c4bc780e26b0389cb57385d5217f56d68a7aeda

Download Submit
C:\Users\Admin\AppData\Roaming\XWorm -V5.6.exe

Filesize
939KB

MD5
758b53a6eef2a3a811f3271e92c72e2f

SHA1
a813953f2b23cb5fae59b2248bafa6e16c80e9ef

SHA256
183ac70aa719ee42293766685f5777a4e8bbf5e3c29dd584064779849e1c874b

SHA512
479c789815e185d9985d42d528e2bb8f677d3dfcbef5dd7b80fa74a3b981928cdf2e9f6ee049acdaa67832ccc82f7c9d9835bb370cac2163e56d4cd45d1d7eb0

Download Submit
memory/244-486-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/548-436-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/728-441-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/992-462-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1012-400-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1012-425-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1044-272-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1172-308-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1288-363-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1540-472-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1896-499-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1896-439-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1932-523-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1972-0-0x00007FFF841C3000-0x00007FFF841C5000-memory.dmp

Filesize
8KB

Download
memory/1972-1-0x0000000000110000-0x0000000003958000-memory.dmp

Filesize
56.3MB

Download
memory/2184-401-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2184-435-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2268-440-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2708-413-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2964-13-0x00007FFF841C0000-0x00007FFF84C81000-memory.dmp

Filesize
10.8MB

Download
memory/2964-22-0x0000000000460000-0x0000000002E4A000-memory.dmp

Filesize
41.9MB

Download
memory/2964-93-0x00007FFF841C0000-0x00007FFF84C81000-memory.dmp

Filesize
10.8MB

Download
memory/2972-437-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3068-513-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3180-90-0x000001EB23170000-0x000001EB24362000-memory.dmp

Filesize
17.9MB

Download
memory/3180-27-0x00007FFF841C0000-0x00007FFF84C81000-memory.dmp

Filesize
10.8MB

Download
memory/3180-235-0x00007FFF841C0000-0x00007FFF84C81000-memory.dmp

Filesize
10.8MB

Download
memory/3180-28-0x000001EB07CF0000-0x000001EB08B4E000-memory.dmp

Filesize
14.4MB

Download
memory/3220-524-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3236-316-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3236-399-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3236-420-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3284-535-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3384-416-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3416-474-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3476-376-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3552-249-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3656-534-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/3936-498-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4012-168-0x0000000000880000-0x00000000008B8000-memory.dmp

Filesize
224KB

Download
memory/4024-423-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4092-330-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4092-488-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4208-389-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4260-487-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4280-412-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4324-402-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4412-424-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4476-511-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4496-501-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4512-475-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4512-422-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4532-261-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4604-417-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4708-419-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4752-452-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4776-421-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4780-414-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4948-473-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4952-415-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4976-171-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4980-512-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5040-485-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5056-267-0x00007FFF60240000-0x00007FFF60250000-memory.dmp

Filesize
64KB

Download
memory/5056-255-0x00007FFF627D0000-0x00007FFF627E0000-memory.dmp

Filesize
64KB

Download
memory/5056-256-0x00007FFF627D0000-0x00007FFF627E0000-memory.dmp

Filesize
64KB

Download
memory/5056-259-0x00007FFF627D0000-0x00007FFF627E0000-memory.dmp

Filesize
64KB

Download
memory/5056-258-0x00007FFF627D0000-0x00007FFF627E0000-memory.dmp

Filesize
64KB

Download
memory/5056-257-0x00007FFF627D0000-0x00007FFF627E0000-memory.dmp

Filesize
64KB

Download
memory/5056-262-0x00007FFF60240000-0x00007FFF60250000-memory.dmp

Filesize
64KB

Download
memory/5060-438-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/5060-418-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads