xworm | hxxps://gofile[.]io/d/Q6x7e0

Resubmissions

01/03/2025, 19:34

250301-yadvgaztgx 10

01/03/2025, 19:30

250301-x72gcsztaw 8

Analysis

max time kernel
76s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Q6x7e0

Score

10^/10

xworm agilenet discovery rat trojan

Malware Config

Extracted

Family

xworm

79.110.49.194:700

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d81-292.dat	family_xworm
behavioral1/memory/5460-299-0x00000000008F0000-0x0000000000908000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	XWorm V5.2.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 3 IoCs

pid	Process
3184	XWorm V5.2.exe
5460	XClient.exe
2692	XWorm V5.2.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000b000000023d75-304.dat	agile_net

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5460	XClient.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
316	msedge.exe
316	msedge.exe
4028	msedge.exe
4028	msedge.exe
1692	identity_helper.exe
1692	identity_helper.exe
5456	msedge.exe
5456	msedge.exe
5460	XClient.exe
5460	XClient.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3536	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	5820	7zG.exe
Token: 35	5820	7zG.exe
Token: SeSecurityPrivilege	5820	7zG.exe
Token: SeSecurityPrivilege	5820	7zG.exe
Token: SeDebugPrivilege	5460	XClient.exe
Token: SeDebugPrivilege	3536	taskmgr.exe
Token: SeSystemProfilePrivilege	3536	taskmgr.exe
Token: SeCreateGlobalPrivilege	3536	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
5820	7zG.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe
3536	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5460	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4724	4028	msedge.exe	85
PID 4028 wrote to memory of 4724	4028	msedge.exe	85
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 5064	4028	msedge.exe	86
PID 4028 wrote to memory of 316	4028	msedge.exe	87
PID 4028 wrote to memory of 316	4028	msedge.exe	87
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88
PID 4028 wrote to memory of 2532	4028	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Q6x7e0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa000646f8,0x7ffa00064708,0x7ffa00064718
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,7111389834129266827,2579577535225465003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5652

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm v5.1-5.2\" -ad -an -ai#7zMap13683:88:7zEvent8930
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5820

C:\Users\Admin\Downloads\XWorm v5.1-5.2\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm v5.1-5.2\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3184
- C:\Users\Admin\AppData\Roaming\XClient.exe
  "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5460
- C:\Users\Admin\AppData\Roaming\XWorm V5.2.exe
  "C:\Users\Admin\AppData\Roaming\XWorm V5.2.exe"
  2⤵
  - Executes dropped EXE
  PID:2692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6738f4e2490ee5070d850bf03bf3efa5

SHA1
fbc49d2dd145369e8861532e6ebf0bd56a0fe67c

SHA256
ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab

SHA512
2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93be3a1bf9c257eaf83babf49b0b5e01

SHA1
d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a

SHA256
8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348

SHA512
885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
283cd3ba132dbc8c544f3a90069864f1

SHA1
c12388723f3f57d22c3000cce44a6a321cd0c64a

SHA256
74bbff9504150f375ca886af926e36a71d2b8a6e3c79f813eaecb38c49816aac

SHA512
616c43bd0cf1c9048d20cf9512eccc0c2f402a11c629e7e03bc6d1a8a1818794a8dd3e7082db768f655fecf1298028de2854ab3ac78cb02761a334e58d034c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
937B

MD5
c8ff679255bc5e5dc36b7cb744737312

SHA1
02a9514202a7607b66e8fccac446b6d4423db792

SHA256
b5a474f692934943d39339fc860815e02d24b85f2bdf0cc5bfd4372a4d6a1882

SHA512
e5dcf2ee935fc40a8fb2de5ffda54e2bc66d7a86f88c2f3de8517fcaf865552769d7e495f14c88a216cfd4a5a56a45c656357f88e0277999b9b5174e0926c905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
232332b0325fd57da481495704b6aa77

SHA1
911b7cb1dbf93473e83ad584f8fa57608cbc0e6a

SHA256
22f13d3da90a42906829d0ccdf37045aa0b3e2d8b492b4b5219232b48204356c

SHA512
36bd17f62029a2547635484159564334bf1ce3a9eb44fa5877e1c68a4c263e1c4b9dc4704e190f80b5b48cb322f67fe4260ef0f874d2682c5e670e8c7f19b3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7a6c3f38ffa3f6af3c4717f0d5dd3518

SHA1
9290a2ee97e6b986d93f9b002a6fc3fded68103b

SHA256
972dfc42f308ce3803494911a3b305931acf0a681204fbdf420962fc2c4f026c

SHA512
0693edbd382f992d51920db338e597ad179b876b219e29e05f7e281af57d1e40e01c64c06068c8132e3b4d934ce6d220a05c815273e95ffbb0128145ef33707b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c83a1e863b192b19b025b9f117f2a8a

SHA1
aae6f5a51bf94c76f722bd477c9c785dd9e7128e

SHA256
9e32e6ced224527a36d1972187fd985b9683e9d32f6e894157a0e5fe67caa574

SHA512
b2a714d9173b8d05a1a00cab04ae8a5ee8affad7625bccaefef4b56bf8263f6106ec142259d0a92b9964e47a6fb60712594d89ed89079645f3859e592a0f3688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10ba19bfd79d6764c5087e06ec335e84

SHA1
4b1e4549b18ceb581ce2084ddfad0fbb6fa44610

SHA256
acd3ee89812278dda156f2773f159db659fb2358c067147112d139a2149fa938

SHA512
8d958ea8be20ee6d2d5f773852a34a889b6e0663af2460f92f394b7fe88a7d8fe70c569463e2000b21554b1ce0691dfb8744fa1fcccab8c3188890b5734077cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
11e1042a70fa9993182de352aaff2aaf

SHA1
717f2fa18922af47169f62a43643043cb4e98ebc

SHA256
d1c5348dc811ce676f8225b0d12f54076fa1f1f120f6be4258cb7b5244a263ef

SHA512
0e013a95b22476f41b26bb2e036ef334c793f6efcea06f83842490c65a0ecb956233a999d241c5b41ad4e9cfd694b42a2dc5d36d43a2a9e724b43a07d1b1be10

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
68KB

MD5
0fb6321afb58973439326e8637024383

SHA1
e96398a9c7385a1c74906683bad19ea35eee4755

SHA256
83fff7f4a44605164b83b38754fe95c108922207bfdbc09e23ea8365acba3588

SHA512
1b5354f3234b314af34df07a647204d8316ba7aa06599ab7d6213561805df272863aeec4fe306963846dcf0407399f995d5447dc2a2fa05bc0137f7d75667821

Download Submit
C:\Users\Admin\AppData\Roaming\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Downloads\XWorm v5.1-5.2.7z

Filesize
29.8MB

MD5
f40d052a4397b798a263214ee91b8b5e

SHA1
1d1e82d6e749f14f9b2e7a13376d98904aabe177

SHA256
ad64baa90487a0f0e16135a18a6584f47398acbae00c55ec1916f19c75f79ce9

SHA512
341ded37a56ee3dc9ff5801fbc88a9b2b1bbafc66db921ebde1e58fbd949e770233ed6595bece39edb9b7c2530ccfff779570dc47c6b689a74f392f3e4916159

Download Submit
C:\Users\Admin\Downloads\XWorm v5.1-5.2\XWorm v5.1-5.2\XWorm\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm v5.1-5.2\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe

Filesize
12.3MB

MD5
10bc0c310ed11973daf22f82e72c8a1e

SHA1
98e86be95f847bb6d16f4d8b4fffe8fbf068504e

SHA256
3ae833cc0593d67a20d38c46e587feef7818dd0e8863fd337c6d4ad6d90f5ac3

SHA512
59bcde741c5fdd24301fb4120860c83229e055067c1452074075a839582806cec3f177ed460596b2419f2ee7c74cdd41db5d6bb80a6720b46f2835439ceea774

Download Submit
memory/3184-285-0x0000000000730000-0x000000000137C000-memory.dmp

Filesize
12.3MB

Download
memory/3536-331-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-321-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-333-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-332-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-322-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-330-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-329-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-328-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-327-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/3536-323-0x0000028DB26E0000-0x0000028DB26E1000-memory.dmp

Filesize
4KB

Download
memory/5460-299-0x00000000008F0000-0x0000000000908000-memory.dmp

Filesize
96KB

Download