Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-05-2024 01:31
Behavioral task: behavioral1
- Sample: XWorm v5.1-5.2/XWorm/XWorm V5.2/XWorm V5.2.exe
- Resource: win11-20240419-en
Behavioral task: behavioral2
- Sample: XWorm v5.1-5.2/XWorm/XWorm V5.2/XWormLoader 5.2 x32.exe
- Resource: win11-20240426-en
General
- Target: XWorm v5.1-5.2/XWorm/XWorm V5.2/XWorm V5.2.exe
- Size: 12.2MB
- MD5: 8b7b015c1ea809f5c6ade7269bdc5610
- SHA1: c67d5d83ca18731d17f79529cfdb3d3dcad36b96
- SHA256: 7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e
- SHA512: e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180
- SSDEEP: 196608:pcWPW6SJ5POYAa23tuQUj7prczC9YNu+/ChWbPP91SDwDrZhd:pce0JtOSSLU3prczy0uqkaIkDtn
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  resource: behavioral1/memory/1476-10-0x0000016AD3010000-0x0000016AD3204000-memory.dmp
  yara_rule: family_agenttesla
- Loads dropped DLL (1 IoC)
  pid 1476, process XWorm V5.2.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/1476-0-0x0000016AB6030000-0x0000016AB6C68000-memory.dmp
  yara_rule: agile_net
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XWorm V5.2.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (XWorm V5.2.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (XWorm V5.2.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3580, process msedge.exe
  pid 3580, process msedge.exe
  pid 2168, process msedge.exe
  pid 2168, process msedge.exe
  pid 2684, process msedge.exe
  pid 2684, process msedge.exe
  pid 3504, process identity_helper.exe
  pid 3504, process identity_helper.exe
  pid 3288, process msedge.exe
  pid 3288, process msedge.exe
  pid 3288, process msedge.exe
  pid 3288, process msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs, all pid 2168 msedge.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 1476, process XWorm V5.2.exe
- Suspicious use of FindShellTrayWindow (25 IoCs, all pid 2168 msedge.exe)
- Suspicious use of SendNotifyMessage (12 IoCs, all pid 2168 msedge.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- PID 1476 (depth 1): "C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - PID 2168 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - PID 2952 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
    - PID 4128 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
    - PID 3580 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - PID 232 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    - PID 2524 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    - PID 2132 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    - PID 1856 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
    - PID 4668 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    - PID 2060 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    - PID 2664 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    - PID 4180 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
    - PID 2684 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - PID 3504 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - PID 880 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    - PID 4336 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
    - PID 3288 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
    - PID 2132 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    - PID 2972 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    - PID 4324 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
    - PID 3156 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
    - PID 1544 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    - PID 3288 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4500 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    - PID 2148 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1
  - PID 2088 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    - PID 1636 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
  - PID 4440 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    - PID 3376 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
  - PID 816 (depth 2): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    - PID 2432 (depth 3): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8
- PID 1220 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2760 (depth 1): C:\Windows\System32\CompPkgSrv.exe -Embedding
MITRE ATT&CK Enterprise v15
Downloads