Windows Analysis Report
Xworm V5.6.exe

Overview

General Information

Sample name: Xworm V5.6.exe
Analysis ID: 1473530
MD5: 56ccb739926a725e78a7acf9af52c4bb
SHA1: 5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256: 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected RUNPE
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains very large strings
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Yara signature match

Classification

AV Detection

Source: Xworm V5.6.exe Avira: detected
Source: Xworm V5.6.exe ReversingLabs: Detection: 72%
Source: Xworm V5.6.exe Joe Sandbox ML: detected
Source: Xworm V5.6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.pdbL$0H source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Runtime.Remoting.ni.pdbRSDS-L source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Xml.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Drawing.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Configuration.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Xml.pdbX source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Runtime.Remoting.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Configuration.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: PC:\Windows\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Runtime.Remoting.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B1C000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb4 source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbL0 source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbiewCtlR& source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbLQ]ZL source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbent source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdber source: Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Drawing.pdb) source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: symbols\dll\Microsoft.VisualBasic.pdb` source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER5E5E.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER5E5E.tmp.dmp.4.dr

Networking

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Xworm V5.6.exe String found in binary or memory: http://exmple.com
Source: Xworm V5.6.exe String found in binary or memory: http://ip-api.com/csv/?fields=status
Source: Xworm V5.6.exe String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Xworm V5.6.exe, 00000000.00000002.1955467069.0000020B28544000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Xworm V5.6.exe, 00000000.00000002.1961648464.0000020B42912000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Xworm V5.6.exe String found in binary or memory: https://api.telegram.org/bot
Source: Xworm V5.6.exe String found in binary or memory: https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-windows-386.zip
Source: Xworm V5.6.exe String found in binary or memory: https://evilcoder.mysellix.io
Source: Xworm V5.6.exe String found in binary or memory: https://pastebin.com/raw/H3wFXmEi
Source: Xworm V5.6.exe String found in binary or memory: https://t.me/XCoderGroup
Source: Xworm V5.6.exe String found in binary or memory: https://www.google.com/maps/place/)icons8-letter-16.png

System Summary

Source: Xworm V5.6.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Xworm V5.6.exe, SplashScreen.cs Long String: Length: 913540
Source: C:\Users\user\Desktop\Xworm V5.6.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7264 -s 1268
Source: Xworm V5.6.exe, 00000000.00000000.1710434997.0000020B26882000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe, 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe Binary or memory string: OriginalFilename7z.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe Binary or memory string: OriginalFilename vs Xworm V5.6.exe
Source: Xworm V5.6.exe Binary or memory string: teTEexe dll sysPEVFT2_FONT_TRUETYPEVFT2_FONT_VECTORVFT2_FONT_RASTERVERSIONED_PRINTERINPUTMETHODCOMMSOUNDINSTALLABLESYSTEMNETWORKMOUSEDISPLAYLANGUAGEKEYBOARDPRINTERVFT_STATIC_LIB0x6VFT_VXDVFT_FONTVFT_DRVVFT_DLLVFT_APPVFT_UNKNOWNVOS__WINDOWS32VOS__PM32VOS__PM16VOS__WINDOWS16VOS__BASEVOS_WINCEVOS_NTVOS_OS232VOS_OS216VOS_DOSVOS_UNKNOWNVOS_NT_WINDOWS32VOS_OS232_PM32VOS_OS216_PM16VOS_DOS_WINDOWS32VOS_DOS_WINDOWS16SPECIALBUILDINFOINFERREDPRIVATEBUILDPATCHEDPRERELEASEImage BaseHeap CommitHeap ReserveStack CommitStack ReserveDLL CharacteristicsSubsystemSubsystem VersionImage VersionOS VersionLinker VersionUninitialized Data SizeInitialized Data SizeCode SizeFile AlignmentSection AlignmentImage SizeMANIFESTHTMLANIICONANICURSORVXDPLUGPLAYDLGINCLUDEVERSIONGROUP_ICONGROUP_CURSORMESSAGETABLERCDATAACCELERATORFONTFONTDIRSTRINGDIALOGMENUICONBITMAPCURSORXBOXEFI ROMEFI RuntimeEFI BootWindows CEPosixWindows CUIWindows GUINativeCEEM32RCEFTriCoreMIPS-FPU16MIPS-FPUAlpha-64MIPS-16PPC-FPPPCAM33ARM-NTARM-ThumbSH5SH4SH3ESH3-DSPSH3MIPS-V2MIPS-R10000MIPS-R4000MIPS-R3000I860SharedNotPagedNotCachedDiscardableExtendedRelocationsGPCOMDATRemoveCommentsUninitializedDataInitializedDataCodeNoPadTerminalServerAwareWDMNoBindNoSEHNoIsolationNX-CompatibleIntegrityRelocatedBig-EndianLittle-EndianUniCPUSystemNetRunRemovableRunNoDebugInfoAggressiveWsTrimNoLocalSymsNoLineNumsNoRelocsLargeAddress32-bitDLLExecutableChecksum errorefi[].ico.bmpversion.txtstring.txt.debugVFT2_DRV_FILESUBTYPE FILETYPE FILEOS VS_FF_ | FILEFLAGS FILEFLAGSMASK ProductVersionFileVersionPRODUCTVERSION FILEVERSION .rsrc_1StringFileInfo, TranslationVALUEVarFileInfoBLOCKVS_VERSION_INFOFileVersionFileDescriptionOriginalFilename: _winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs Xworm V5.6.exe
Source: Xworm V5.6.exe Binary or memory string: OriginalFilename7z.dll, vs Xworm V5.6.exe
Source: Xworm V5.6.exe Binary or memory string: OriginalFilenameXWorm.exe, vs Xworm V5.6.exe
Source: Xworm V5.6.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Xworm V5.6.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, ToolsBox.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, Builder.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Xworm V5.6.exe, SplashScreen.cs Base64 encoded string: [value omitted]
Source: Xworm V5.6.exe, 00000000.00000002.1953599922.00000031A3760000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdb
Source: Xworm V5.6.exe, 00000000.00000002.1954538675.0000020B26B1C000.00000004.00000020.00020000.00000000.sdmp, Xworm V5.6.exe, 00000000.00000002.1962772586.0000020B432E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\Xworm V5.6.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7264
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e61b8e20-0be3-42be-b74b-ee1a1b7e5944
Source: Xworm V5.6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Xworm V5.6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Xworm V5.6.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Xworm V5.6.exe ReversingLabs: Detection: 72%
Source: Xworm V5.6.exe String found in binary or memory: -help
Source: Xworm V5.6.exe String found in binary or memory: Check charset encoding and -scs switch.Cannot find listfilebsobbbtbdba-helph?asut012sea0-pstlsdelsncsnrsnssnisnlsnhspfspespdsasscsswsltsccscsslpsosiscrcsemlsfxstmrvuanaxaiiwstxtaoadybspbseUnsupported switch postfix -stmUnsupported switch postfix -bbDuplicate archive path:Incorrect Number of benmchmark iterationsOnly one archive can be created with rename commandstdout mode and email mode cannot be combined-ai switch is not supported for this commandCannot use absolute pathnames for this commandArchive name cannot by emptyCannot find archive nameUnsupported -spf:2Unsupported command:The command must be spcifiedThere is no second file name for rename pair:Unsupported rename command:-rIncorrect wildcard type markerToo short switchUnsupported Map data sizeMap data errorUnsupported Map dataMapViewOfFile errorCan not open mappingIncorrect volume size:incorrect update switch commandUnsupported charset:Can not delete output folderCan not delete output fileCan not rename existing fileCan not create file with auto nameSeSecurityPrivilege
Source: Xworm V5.6.exe String found in binary or memory: [ Play ]9StopToolStripMenuItem1.Image-StopToolStripMenuItem1
Source: Xworm V5.6.exe String found in binary or memory: [ Extra 1 ]IReportWindowToolStripMenuItem1.Image=ReportWindowToolStripMenuItem1![ ReportWindow ]9StartToolStripMenuItem.Image-StartToolStripMenuItem7StopToolStripMenuItem.Image+StopToolStripMenuItemGPerformanceToolStripMenuItem1.Image;PerformanceToolStripMenuItem1
Source: Xworm V5.6.exe String found in binary or memory: -Plugins\Ransomware.dll1Plugins\ReverseProxy.dll7Plugins\Ngrok-Installer.dll
Source: Xworm V5.6.exe String found in binary or memory: cActiveWindows.dll,Chat.dll,Clipboard.dll,FileManager.dll,FilesSearcher.dll,HRDP.dll,HVNC.dll,Informations.dll,Keylogger.dll,Maps.dll,Microphone.dll,Ngrok-Installer.dll,Options.dll,Pastime.dll,Performance.dll,ProcessManager.dll,Programs.dll,Ransomware.dll,Chromium.dll,Recovery.dll,Stealer.dll,Regedit.dll,RemoteDesktop.dll,ReverseProxy.dll,RunPE.dll,Shell.dll,StartupManager.dll,TCPConnections.dll,UACBypass.dll,VB.NET Compiler.dll,WebCam.dll,WSound.dll,ServiceManager.dll,MessageBox.dll,HVNCMemory.dll,Cmstp-Bypass.dll,HiddenApps.dll,HBrowser.dll,VoiceChat.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe File read: C:\Users\user\Desktop\Xworm V5.6.exe
Source: unknown Process created: C:\Users\user\Desktop\Xworm V5.6.exe "C:\Users\user\Desktop\Xworm V5.6.exe"
Source: C:\Users\user\Desktop\Xworm V5.6.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7264 -s 1268
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Xworm V5.6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Xworm V5.6.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Xworm V5.6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Xworm V5.6.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Xworm V5.6.exe Static file information: File size 15602688 > 1048576
Source: Xworm V5.6.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0xebec00
Source: C:\Users\user\Desktop\Xworm V5.6.exe Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR
Source: Xworm V5.6.exe Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN
Source: C:\Users\user\Desktop\Xworm V5.6.exe Memory allocated: 20B26BD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Xworm V5.6.exe Memory allocated: 20B404D0000 memory reserve | memory write watch
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Xworm V5.6.exe Binary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Xworm V5.6.exe Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Memory allocated: page read and write | page guard
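Editor's note with an added example (the script is not part of the Joe Sandbox report and not code from the sample): the evidence lines in this section come from three different kinds of source and should not be weighed alike. Strings attributed to Xworm V5.6.exe itself (the GetModuleHandle("SbieDll.dll") test for Sandboxie, the manufacturer/model comparison against "vmware", "VirtualBox" and "VIRTUAL", the DebugPort query, the write-watch allocations) are the sample's own anti-analysis logic. The VMware and Hyper-V strings attributed to Amcache.hve.4.dr come from an Amcache hive collected as a dropped file; it is assumed here that this hive reflects the analysis VM's own hardware inventory, so those strings describe the sandbox rather than the malware. Lines attributed to WerFault.exe are the crash handler's own behaviour, and the volume-information queries on C:\Windows\Fonts\* listed under "Language, Device and Operating System Detection" are what a .NET WinForms application produces when it enumerates installed fonts (assumption: the sample is a GUI builder, consistent with the Microsoft.VisualBasic and System.Windows.Forms assemblies named in the PDB strings). The Python script below parses report lines of this shape, classifies each by origin, tags the technique the wording implies (reading "Process queried: DebugPort" as a ProcessDebugPort query and "memory write watch" as MEM_WRITE_WATCH is the editor's interpretation, not the report's own label) and counts only sample-origin evasion hits. The input lines are constructed from entries shown in this report.

```python
"""Triage helper for sandbox evidence lines (added example, not report code).

Classifies each "Source: ..." line by where the evidence came from and tags the
anti-analysis technique its wording implies, so that hypervisor strings that
merely describe the analysis VM are not counted as sample behaviour.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: a handful of lines copied from the report sections above.
SAMPLE_LINES = r"""
Source: Xworm V5.6.exe Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN
Source: Xworm V5.6.exe Binary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: C:\Users\user\Desktop\Xworm V5.6.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Memory allocated: 20B26BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
""".strip()

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Binary or memory string|Process queried|Memory allocated|"
    r"Process information set|Queries volume information): "
    r"(?P<detail>.*?)(?: Jump to behavior)?$"
)

# Ordered (regex, technique) pairs matched against the detail text; first hit wins.
# The technique names are the editor's reading of the report wording, e.g.
# "Process queried: DebugPort" is taken to be a ProcessDebugPort query.
TECHNIQUES = [
    (r"sbiedll", "anti-sandbox: Sandboxie module check (GetModuleHandle)"),
    (r"manufacturer", "anti-VM: manufacturer/model string check"),
    (r"vmware|virtualbox|hyper-v|vmci", "anti-VM: vendor/hypervisor string"),
    (r"^debugport$", "anti-debug: ProcessDebugPort query"),
    (r"memory write watch", "anti-sandbox: MEM_WRITE_WATCH allocation"),
    (r"page guard", "PAGE_GUARD allocation (low signal on its own)"),
    (r"noopenfileerrorbox|failcriticalerrors|nogpfaulterrorbox",
     "SetErrorMode flags (low signal)"),
    (r"\\fonts\\.*volumeinformation", "font enumeration by the GUI framework (low signal)"),
]
EVASION_PREFIXES = ("anti-sandbox", "anti-VM", "anti-debug")


@dataclass
class Finding:
    source: str
    origin: str         # sample | host_artifact | dropped_file | system_process | other
    kind: str
    detail: str
    technique: str
    attributable: bool  # True only for an evasion technique seen in the sample itself


def classify_origin(src: str, sample_name: str) -> str:
    """Decide whose behaviour a line describes from its Source field."""
    name = src.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.startswith("amcache.hve"):
        # Assumption: a dropped Amcache hive reflects the analysis VM's own hardware
        # inventory, so hypervisor strings in it say nothing about the sample.
        return "host_artifact"
    if name.endswith(".dr"):
        return "dropped_file"   # other dropped files: not attributed automatically
    if src.lower().startswith("c:\\windows\\"):
        return "system_process"
    if name == sample_name.lower():
        return "sample"
    return "other"


def classify_technique(detail: str) -> str:
    for pattern, technique in TECHNIQUES:
        if re.search(pattern, detail, re.IGNORECASE):
            return technique
    return "unclassified"


def triage(text: str, sample_name: str = "Xworm V5.6.exe") -> list:
    """Parse report lines and return one Finding per evidence line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, Yara lines and blank lines are not evidence lines
        origin = classify_origin(m["src"], sample_name)
        technique = classify_technique(m["detail"])
        attributable = origin == "sample" and technique.startswith(EVASION_PREFIXES)
        findings.append(Finding(m["src"], origin, m["kind"], m["detail"], technique, attributable))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by origin and list the evasion techniques the sample itself shows."""
    return {
        "by_origin": dict(Counter(f.origin for f in findings)),
        "attributable_evasion": sum(f.attributable for f in findings),
        "attributable_techniques": sorted({f.technique for f in findings if f.attributable}),
    }


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        flag = "EVASION" if f.attributable else "-"
        print(f"{flag:8} {f.origin:15} {f.technique:55} {f.detail[:50]}")
    print(summarize(results))
```

Run against the constructed lines, the two Amcache hits and the WerFault line fall out as host or system noise, the font query is tagged as low-signal GUI behaviour, and four sample-origin evasion findings remain (Sandboxie module check, manufacturer/model check, DebugPort query, write-watch allocation). Feeding the whole report text to triage() gives the same per-origin breakdown for every section.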

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Language, Device and Operating System Detection

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Users\user\Desktop\Xworm V5.6.exe VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (4 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Xworm V5.6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Xworm V5.6.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000000.1706082399.0000020B262C6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1706082399.0000020B26659000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xworm V5.6.exe PID: 7264, type: MEMORYSTR
No contacted IP infos