Malware Analysis Report

2024-09-22 23:53

Sample ID 240501-bxcjlacg6w
Target XWorm v5.1-5.2.rar
SHA256 123840c0d58f465fd97e1f7d10ec5d1568be311d831730f4dbcade25660f4e05
Tags
agilenet agenttesla stormkitty keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

123840c0d58f465fd97e1f7d10ec5d1568be311d831730f4dbcade25660f4e05

Threat Level: Known bad

The file XWorm v5.1-5.2.rar was found to be: Known bad.

Malicious Activity Summary

agilenet agenttesla stormkitty keylogger spyware stealer trojan

Agenttesla family

AgentTesla

StormKitty payload

AgentTesla payload

Stormkitty family

Contains code to disable Windows Defender

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-01 01:31

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (110 rows, none with details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 01:31

Reported

2024-05-01 01:35

Platform

win11-20240419-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
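
The rows above deserve a second look because two different images read the same BIOS keys. Reading HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer and its siblings is a standard way for malware to recognise a virtual machine or sandbox (the manufacturer string gives away VMware, VirtualBox, QEMU and similar products), but Edge reads the same values for its own hardware reporting, and the table shows both. The script below, added here as an example and not produced by the sandbox or by the sample's authors, classifies the six logged events per process and applies an allow-list so the browser's reads drop out while the sample's remain. The key list, the category labels and the allow-list are the editor's assumptions, not a sandbox rule set.

```python
"""Classify sandbox registry events as hardware/VM fingerprinting, per process.

Added example, not part of the sandbox report. EVENTS is transcribed from the
"Enumerates system info in registry" table; FINGERPRINT_KEYS and the
allow-list logic are the editor's assumptions.
"""
import re
from collections import defaultdict

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"

# HKLM-relative key prefixes that malware reads to identify the host or to spot
# a VM/sandbox (assumed list; extend for your environment).
FINGERPRINT_KEYS = {
    r"HARDWARE\DESCRIPTION\System\BIOS": "BIOS vendor/product/version",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor": "CPU identification",
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum": "disk model strings",
    r"SOFTWARE\Microsoft\Cryptography": "MachineGuid",
}

# (action, key path as logged in native form, process image): constructed from the table
EVENTS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", EDGE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName", EDGE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", SAMPLE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", EDGE),
]

# Sandboxes log the kernel-side path; strip the \REGISTRY\MACHINE\ prefix to get HKLM-relative form.
_NATIVE_HKLM = re.compile(r"^\\REGISTRY\\MACHINE\\", re.IGNORECASE)


def classify(key_path):
    """Map a native-format registry path to a fingerprint category, or None if benign."""
    rel = _NATIVE_HKLM.sub("", key_path).lower()
    for prefix, label in FINGERPRINT_KEYS.items():
        if rel.startswith(prefix.lower()):
            return label
    return None


def fingerprint_summary(events):
    """{process image: {category: event count}}, counting fingerprinting reads only."""
    summary = defaultdict(lambda: defaultdict(int))
    for _action, key, image in events:
        label = classify(key)
        if label is not None:
            summary[image][label] += 1
    return {image: dict(counts) for image, counts in summary.items()}


def suspicious_readers(events, known_benign=()):
    """Images that fingerprint the host and are not on the benign allow-list.

    The process column, not the key alone, separates signal from noise here:
    the browser reads the same BIOS values as the sample does.
    """
    allow = {p.lower() for p in known_benign}
    return sorted(img for img in fingerprint_summary(events) if img.lower() not in allow)


if __name__ == "__main__":
    for image, counts in fingerprint_summary(EVENTS).items():
        print(image, counts)
    print("suspicious:", suspicious_readers(EVENTS, known_benign=[EDGE]))
```

With the Edge image on the allow-list only the sample remains, which is the result an analyst wants from this table; without the allow-list both images are reported, which is exactly the noise the raw signature produces.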

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 rows, all msedge.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1476 wrote to memory of 2168 (2 rows) N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2168 wrote to memory of 2952 (2 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2168 wrote to memory of 4128 (40 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2168 wrote to memory of 3580 (2 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2168 wrote to memory of 232 (18 rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
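
Read together with the process list below, the write table looks like a process tree rather than an injection chain. The only cross-image pair is the sample (PID 1476) starting Edge (PID 2168) on https://t.me/XCoderTools; the 40-row and 18-row bursts come from that Edge process writing into further msedge.exe processes, which is how a Chromium-based browser sets up its own sandboxed children. The classic injection indicator, the sample writing into an unrelated process that was already running, does not appear in this run. The script below, an added example rather than sandbox output, rebuilds the tree from the rows and separates same-image writes from cross-image ones; ROWS is transcribed from the table as one entry per distinct writer/target pair with its row count, and the write-count threshold used to flag heavy writers is an assumption.

```python
"""Rebuild the parent/child write graph from the WriteProcessMemory rows.

Added example, not sandbox output. ROWS reproduces the table as one entry per
distinct writer/target pair with its row count; PID-to-image mapping comes
straight from the Process/Target columns.
"""
import ntpath
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# (writer pid, target pid, writer image, target image, rows in the table): constructed from the table
ROWS = [
    (1476, 2168, SAMPLE, EDGE, 2),
    (2168, 2952, EDGE, EDGE, 2),
    (2168, 4128, EDGE, EDGE, 40),
    (2168, 3580, EDGE, EDGE, 2),
    (2168, 232, EDGE, EDGE, 18),
]


def write_graph(rows):
    """Counter of (writer pid, target pid) -> total write events."""
    graph = Counter()
    for src, dst, _src_img, _dst_img, n in rows:
        graph[(src, dst)] += n
    return graph


def image_map(rows):
    """pid -> image path, taken from both columns of the table."""
    images = {}
    for src, dst, src_img, dst_img, _n in rows:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return images


def cross_image_writes(rows):
    """Writes where the writer's image differs from the target's image.

    Same-image msedge -> msedge writes are the browser preparing its own child
    processes; a write into a process of a different image is what to inspect first.
    """
    graph = write_graph(rows)
    images = image_map(rows)
    return sorted(
        (src, dst, n)
        for (src, dst), n in graph.items()
        if ntpath.basename(images[src]).lower() != ntpath.basename(images[dst]).lower()
    )


def injection_candidates(rows, spawn_threshold=2):
    """Pairs whose write count exceeds the baseline a plain process launch left
    elsewhere in this table (assumed baseline: the 2-row pairs). Dump these regions
    regardless of image name; the count, not the name, is the trigger."""
    return sorted((src, dst, n) for (src, dst), n in write_graph(rows).items() if n > spawn_threshold)


def render_tree(rows, root):
    """Indented process tree rooted at `root`, following write edges as parent links."""
    graph = write_graph(rows)
    images = image_map(rows)
    children = defaultdict(list)
    for (src, dst), n in graph.items():
        children[src].append((dst, n))
    lines = []

    def walk(pid, depth, n_writes):
        tag = "" if n_writes is None else f" ({n_writes} writes from parent)"
        lines.append("  " * depth + f"{pid} {ntpath.basename(images[pid])}{tag}")
        for child, n in children[pid]:
            walk(child, depth + 1, n)

    walk(root, 0, None)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(ROWS, 1476)))
    print("cross-image:", cross_image_writes(ROWS))
    print("heavy writers:", injection_candidates(ROWS))
```

On this table the heavy writers are both msedge.exe writing to msedge.exe, so the count-based check and the image-based check disagree; that disagreement is the point, and the memory dumps listed under Files are where to settle it.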

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWorm V5.2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0xdc,0x108,0x100,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdf0b73cb8,0x7ffdf0b73cc8,0x7ffdf0b73cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4500 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6435644291691223510,7477113289738323641,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 t.me udp

Files

C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bdf3e009c72d4fe1aa9a062e409d68f6
SHA1 7c7cc29a19adb5aa0a44782bb644575340914474
SHA256 8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc
SHA512 75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

\??\pipe\LOCAL\crashpad_2168_FKAKNHBNXCSTCSVU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7c16971be0e6f1e01725260be0e299cd
SHA1 e7dc1882a0fc68087a2d146b3a639ee7392ac5ed
SHA256 b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0
SHA512 dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 acb84ffa06be6931cbac2e3c12967852
SHA1 3c8a33cb8211afd0dbea6cefa6cb31e367250f36
SHA256 4511663a9123cea434640fbfc4ad4fcfc786cc91eb88ddd29e4472b19254749b
SHA512 d3d0259c66b5b7685b5c10cc8cb6597acae3b761aa448c08f557e5572d6460ed32f358aec5156c08d1cfcbb0921684eafc21bb655aa1a4044ed60641c292a0a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3f696dac220bf6bd8ac591d3b7af72d3
SHA1 450cf03f8269990140ccfba9b3a96e49c2592623
SHA256 0b189c057b6294634fa107ce87a1d532d781533bbece6629ab90b540ad948e71
SHA512 2e1092c90427123dd81f879bde19be53c176ceee2f1a168836a23e03a264c7396ce7a1ff3d4ba6ca0b27df43091b136d5121589cf6cd6c3c90d2a350afbdc0ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bb8c79c26fb23dfa0fba31ecdd811934
SHA1 5b5d6bf17f535b800b7c16a38011c2c8dc4e866f
SHA256 b423562eb6257f694f1975926202a62052626e13908ac2ca096e6d76fcf276d6
SHA512 e5d5a7ff14b357bad31da922ad4dd890c1404e269824bd6171cedfd704e59f010a21da2c8d317d14bb4eaac5d6dcdc622a3f52b877a6f5954ff282ddb313203b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1747558366f47a41b9865e613d9472d4
SHA1 302588578368863564debfc7cc78ff8c9ffc26eb
SHA256 85346fc260e40b27af0b024aa34c215cd752cacb040338ec80957c509cf6bf79
SHA512 63cd1b2bd4dbe253656ee921bd6efe26e4f08a64e9072c844f61e6ae1ceb6bdb76b74b19a9a3239c14302562d2fadf47ddb61d9387c75c3fa8c044afa8d965c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 35172d8552672a5862abe74938e4b806
SHA1 a2e7b6ac6e408fa01d3a0886a3b0f23b14a34bf3
SHA256 6a06b1a770615254a0f85d8884869e8a18221c5836e472c4d38834b3b26d2e95
SHA512 4bcb316bdaec0be255ce1ff6b596f4c40a2a51d1e7841198e336d1bb370644052c612321ad43527b372b5b0759546dd4279119f0da60ec38acce0cb09e89344d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 01:31

Reported

2024-05-01 01:35

Platform

win11-20240426-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E0

Network

Files

C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll

MD5 0b0e63957367e620b8697c5341af35b9
SHA1 69361c2762b2d1cada80667cd55bc5082e60af86
SHA256 bd9cdcfaa0edecdb89a204965d20f4a896c6650d4840e28736d9bd832390e1c5
SHA512 07d0e52c863f52ecb3d12fab9e71c7a18d54cbedb47250bee7e4297ff72ed793c23a2735c48090c261fe4633d53d03e305c1338dfc881bb86874d1633ff6ecee

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-01 01:31

Reported

2024-05-01 01:35

Platform

win11-20240419-en

Max time kernel

90s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe

"C:\Users\Admin\AppData\Local\Temp\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x64.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

MD5 2f1a50031dcf5c87d92e8b2491fdcea6
SHA1 71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA256 47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA512 1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
