agenttesla | 123840c0d58f465fd97e1f7d10ec5d1568be311d831730f4dbcade25660f4e05

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm v5.1-5.2/XWorm/XWorm V5.2/XWorm V5.2.exe
Size

12.2MB
MD5

8b7b015c1ea809f5c6ade7269bdc5610
SHA1

c67d5d83ca18731d17f79529cfdb3d3dcad36b96
SHA256

7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
SHA512

e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
SSDEEP

196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1476-10-0x0000016AD3010000-0x0000016AD3204000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

XWorm V5.2.exe

pid process

1476 XWorm V5.2.exe

pid	process
1476	XWorm V5.2.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1476-0-0x0000016AB6030000-0x0000016AB6C68000-memory.dmp	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeXWorm V5.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3580	msedge.exe
3580	msedge.exe
2168	msedge.exe
2168	msedge.exe
2684	msedge.exe
2684	msedge.exe
3504	identity_helper.exe
3504	identity_helper.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XWorm V5.2.exe

description pid process

Token: SeDebugPrivilege 1476 XWorm V5.2.exe

description	pid	process
Token: SeDebugPrivilege	1476	XWorm V5.2.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe
2168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XWorm V5.2.exemsedge.exe

description	pid	process	target process
PID 1476 wrote to memory of 2168	1476	XWorm V5.2.exe	msedge.exe
PID 1476 wrote to memory of 2168	1476	XWorm V5.2.exe	msedge.exe
PID 2168 wrote to memory of 2952	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 2952	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 4128	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 3580	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 3580	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe
PID 2168 wrote to memory of 232	2168	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
3⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
3⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
3⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
3⤵
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
3⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
3⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
3⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
3⤵
PID:2060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
3⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
3⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
3⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
3⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
3⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
3⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
3⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
3⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
3⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
3⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4500 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
3⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
3⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
3⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
2⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
3⤵
PID:2432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bdf3e009c72d4fe1aa9a062e409d68f6

SHA1
7c7cc29a19adb5aa0a44782bb644575340914474

SHA256
8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc

SHA512
75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c16971be0e6f1e01725260be0e299cd

SHA1
e7dc1882a0fc68087a2d146b3a639ee7392ac5ed

SHA256
b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0

SHA512
dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
acb84ffa06be6931cbac2e3c12967852

SHA1
3c8a33cb8211afd0dbea6cefa6cb31e367250f36

SHA256
4511663a9123cea434640fbfc4ad4fcfc786cc91eb88ddd29e4472b19254749b

SHA512
d3d0259c66b5b7685b5c10cc8cb6597acae3b761aa448c08f557e5572d6460ed32f358aec5156c08d1cfcbb0921684eafc21bb655aa1a4044ed60641c292a0a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
3f696dac220bf6bd8ac591d3b7af72d3

SHA1
450cf03f8269990140ccfba9b3a96e49c2592623

SHA256
0b189c057b6294634fa107ce87a1d532d781533bbece6629ab90b540ad948e71

SHA512
2e1092c90427123dd81f879bde19be53c176ceee2f1a168836a23e03a264c7396ce7a1ff3d4ba6ca0b27df43091b136d5121589cf6cd6c3c90d2a350afbdc0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
1747558366f47a41b9865e613d9472d4

SHA1
302588578368863564debfc7cc78ff8c9ffc26eb

SHA256
85346fc260e40b27af0b024aa34c215cd752cacb040338ec80957c509cf6bf79

SHA512
63cd1b2bd4dbe253656ee921bd6efe26e4f08a64e9072c844f61e6ae1ceb6bdb76b74b19a9a3239c14302562d2fadf47ddb61d9387c75c3fa8c044afa8d965c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
35172d8552672a5862abe74938e4b806

SHA1
a2e7b6ac6e408fa01d3a0886a3b0f23b14a34bf3

SHA256
6a06b1a770615254a0f85d8884869e8a18221c5836e472c4d38834b3b26d2e95

SHA512
4bcb316bdaec0be255ce1ff6b596f4c40a2a51d1e7841198e336d1bb370644052c612321ad43527b372b5b0759546dd4279119f0da60ec38acce0cb09e89344d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
bb8c79c26fb23dfa0fba31ecdd811934

SHA1
5b5d6bf17f535b800b7c16a38011c2c8dc4e866f

SHA256
b423562eb6257f694f1975926202a62052626e13908ac2ca096e6d76fcf276d6

SHA512
e5d5a7ff14b357bad31da922ad4dd890c1404e269824bd6171cedfd704e59f010a21da2c8d317d14bb4eaac5d6dcdc622a3f52b877a6f5954ff282ddb313203b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
\??\pipe\LOCAL\crashpad_2168_FKAKNHBNXCSTCSVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1476-10-0x0000016AD3010000-0x0000016AD3204000-memory.dmp

Filesize
2.0MB

Download
memory/1476-11-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-35-0x00007FFDE0DB0000-0x00007FFDE1872000-memory.dmp

Filesize
10.8MB

Download
memory/1476-36-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-42-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-41-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-12-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-0-0x0000016AB6030000-0x0000016AB6C68000-memory.dmp

Filesize
12.2MB

Download
memory/1476-9-0x0000016AD20B0000-0x0000016AD2C9C000-memory.dmp

Filesize
11.9MB

Download
memory/1476-8-0x0000016AB70C0000-0x0000016AB70D0000-memory.dmp

Filesize
64KB

Download
memory/1476-1-0x00007FFDE0DB0000-0x00007FFDE1872000-memory.dmp

Filesize
10.8MB

Download