Analysis
-
max time kernel
237s -
max time network
238s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
01-05-2024 04:53
Static task
static1
URLScan task
urlscan1
Errors
Malware Config
Extracted
toxiceye
https://api.telegram.org/bot5536756167:AAFMcQrFbMZMBynbrtZUudaOT9ndCJXIqT4/sendMessage?chat_id=2024893777
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation Update.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation win-xwarm-builder.exe -
Executes dropped EXE 3 IoCs
pid Process 3060 win-xwarm-builder.exe 4664 xwarm-rat-builder.exe 4168 Update.exe -
Loads dropped DLL 1 IoCs
pid Process 3540 XHVNC.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/3540-490-0x0000000006EA0000-0x00000000070C4000-memory.dmp agile_net -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 23 raw.githubusercontent.com 21 camo.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 xwarm-rat-builder.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz xwarm-rat-builder.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1324 schtasks.exe 1136 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2540 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 4804 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process 828 msedge.exe 828 msedge.exe 1396 msedge.exe 1396 msedge.exe 1628 identity_helper.exe 1628 identity_helper.exe 3200 msedge.exe 3200 msedge.exe 1676 msedge.exe 1676 msedge.exe 1676 msedge.exe 1676 msedge.exe 4032 msedge.exe 4032 msedge.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4168 Update.exe 4168 Update.exe 4168 Update.exe 4168 Update.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4664 xwarm-rat-builder.exe 4168 Update.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeRestorePrivilege 2688 7zG.exe Token: 35 2688 7zG.exe Token: SeSecurityPrivilege 2688 7zG.exe Token: SeSecurityPrivilege 2688 7zG.exe Token: SeDebugPrivilege 3060 win-xwarm-builder.exe Token: SeDebugPrivilege 3624 Win-XwormRat-builder.exe Token: SeDebugPrivilege 4804 tasklist.exe Token: SeDebugPrivilege 4168 Update.exe Token: SeDebugPrivilege 4168 Update.exe -
Suspicious use of FindShellTrayWindow 57 IoCs
pid Process 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 2688 7zG.exe 5052 NOTEPAD.EXE 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 3540 XHVNC.exe 4664 xwarm-rat-builder.exe -
Suspicious use of SendNotifyMessage 25 IoCs
pid Process 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 1396 msedge.exe 4664 xwarm-rat-builder.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
pid Process 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 2092 OpenWith.exe 208 OpenWith.exe 3540 XHVNC.exe 3540 XHVNC.exe 4168 Update.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1396 wrote to memory of 4864 1396 msedge.exe 82 PID 1396 wrote to memory of 4864 1396 msedge.exe 82 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 2988 1396 msedge.exe 83 PID 1396 wrote to memory of 828 1396 msedge.exe 84 PID 1396 wrote to memory of 828 1396 msedge.exe 84 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 PID 1396 wrote to memory of 4432 1396 msedge.exe 85 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/0x77ff/Byte-Stealer1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb1f3c46f8,0x7ffb1f3c4708,0x7ffb1f3c47182⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵PID:2988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:82⤵PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:2984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:12⤵PID:3536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵PID:3388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:12⤵PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵PID:3096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:82⤵PID:4648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:5008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:12⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵PID:640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5884 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵PID:3772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,5397189685919277471,1590828954104139047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:640
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4248
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4496
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\" -spe -an -ai#7zMap19918:98:7zEvent48481⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2688
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\FormatUnpublish.js"1⤵PID:3612
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\buildExe.bat" "1⤵PID:3024
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Byte-Stealer-1.3.1\Logger.py2⤵
- Suspicious use of FindShellTrayWindow
PID:5052
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:208
-
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3540
-
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\Win-XwormRat-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"C:\Users\Admin\AppData\Local\Temp\win-xwarm-builder.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"3⤵
- Creates scheduled task(s)
PID:1324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBA58.tmp.bat3⤵PID:1776
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 3060"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:4836
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:2540
-
-
C:\Users\Static\Update.exe"Update.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4168 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Static\Update.exe"5⤵
- Creates scheduled task(s)
PID:1136
-
-
-
-
-
C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"C:\Users\Admin\Downloads\XWorm-RAT-main\XWorm-RAT-main\XWorm RAT V2.1\xwarm-rat-builder.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD52daa93382bba07cbc40af372d30ec576
SHA1c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA2561826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA51265635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
-
Filesize
152B
MD5ecdc2754d7d2ae862272153aa9b9ca6e
SHA1c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5537551b0b2407b8743637c13e2ebdfb2
SHA145c03d172680454c4443bc955f83de5ebe1a3b33
SHA2568c5f2321be64df26d2c0a9664cbf494d3f4ce9b7552eb1efa6903463d5bb422e
SHA51250cc578688d1ec3b6d42d8711df6c54b0b667ebc779fd9f7ed54c7664f3af7a147d54f459bd3b6ddaf8f7fef58101d0c20604c2a378aeaceae6d5bf2775cb935
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD58607c1bbd7cf7317fc998461677b3c5b
SHA121b74399fade6dc196e25fb29bd8db62d955dc87
SHA256a97cf7f324214ce6e13e95fa090d8c13664ef06b216b7d83d9b784904d83674c
SHA512f35ad41792232ea8952381f8f6c313fd2c34e84e8b8616538361f2117ab7880892ee0e2b3852901c385b54cb2b4b8aef77d78c4e577331bc62c4cdbc2b8a2d9a
-
Filesize
573B
MD5b83fd52731b5bcb3ca5d3fdd07cd2c79
SHA13d57744a3cf0fcf5d742fd4522068d42d9a8c41f
SHA25664a49262d2532e8f0260ac66aa059ba483dbf6c4979220534f7c7ea601bd170e
SHA512dfcf9d33bf5e3d44d0cd4cf09d660b53a94d1101f45b86d994e928f25e5e187eee068e409bd5c2bc91444a3902f5cac31df9ffb866193a3e489eb946c9f846ed
-
Filesize
6KB
MD5a428c6e1c7b3ed52f7e4a0b9463dfe55
SHA1e0ba66c90a2fbaa0b2306f940214eb6fdb3baf38
SHA256ac2beba894563d1f3195996fe15efda6fa28d3a3f31d2312ca2ee8ed17a55563
SHA512ab77ec8a8d346e0f8990bd019b2d7d4048cbf4b0a7487e06d2964764da228c0879235ca920ed7e0b7d8df1ee555fccd8640ca2775ecb3414e1538f9a27133e57
-
Filesize
6KB
MD5b99b5aff7e4b2a1eb478739ff551ea03
SHA17d95ed8d115950ea353f37a9dd02a84233579f32
SHA256406cbe8107b4d5376a1e846930373ca731844e181442a9eb89acc6b9e5ad66ae
SHA512822e6b202ed34ccce27e684da5eccce936fd535d6275a50f81abbc20596a357d73321b0672178f0b0bc353f19819180cd67ded425981d628911b6a585ef947fc
-
Filesize
6KB
MD587d5c8ffd3d0d709e7f7e19b76ca91b0
SHA16a4d34ef7e3251d419c65f3e1bb6ed26dda2daa7
SHA25692d691c26e45aa43d64bbe3e900e196529283dc91ae05c6ece3816a6925e879e
SHA512f131dcf0734618187c2d51a9479a2ddb374d7cfb8b2995d44a05fd8520d2ec602c31695f58d16c23ee1de5afa1796b0c2dd496b3421167c72e7b2404865c82a7
-
Filesize
6KB
MD5d3c517d2ba724a9e7f6fd96fa220704e
SHA151a0d98ae53edb8aeec44ab794d4ad5d63e606f2
SHA25683eb69623a1ddfad9abb9954b8e2d14eb85d4cf1981a7c555942f22e9b2145ff
SHA51290832dde13ca6360ce70c91eb411e7cfa249661105632728ad1c04a52f2ceaa085a551faa982ba26e8da335d5e636f36fb9d4e4c0d6c887ea5ee62fe53bbd1a1
-
Filesize
1KB
MD5372ba489f9230f663f64342b6604b2ef
SHA1004933b38b908b2abb351f185bb00407eeeaabe5
SHA256f1c51692841e8fe57f04954655ca37419f0d6706a78f59224b039a4c9a585a40
SHA5125fe84eb7a8c9948804dc68abdef67c094d784baed499f2b60c709ea0c42031973033c350bb4f19fc7c81aa0cc1f03a26d2220466395dcb9eb5b3be89cef64ff9
-
Filesize
1KB
MD505843ab5ddd5529c91b77074d53679bb
SHA1a5e224a478f7cf9e98e2a50b21b4ee16fd7be417
SHA256032ef10839133a3297a1f96468927e92e072d87a572b055b5864709116ccd97a
SHA51296d8c454b9347afeba8b39a521cc28b82f7ebd5b114f4edd5ca1238bf2f3cb18ba9d0ecdc42c5a7ec529411ea09d73f56c0c8162eb7c76448ad1ebecd250f92f
-
Filesize
1KB
MD585c8b36f4feb1c3b7d3736df77c8edb8
SHA1814891f8ef8ea2bae1ded112c4c61b9567bcac30
SHA2568224bbc43e170d9cc2db2c70817be01c837a6960c278aa1dcd76050ab67776db
SHA5121e070cec26c41b5c9dfb120838c7e947330cda818258c41fa448c0202a597393048a544646e8faf35798ad992f388faf4733ec9a56fac6dd5fa39694e35c870f
-
Filesize
1KB
MD5fe333cee0a3ccc3bfca7bd2e6f45ebce
SHA159e3d7c928c73f2c77d3c5f9eeb35e9f9f5c1531
SHA2560802dae252a9de197bb08f7cefa6ac67bd46b45f6ad4841a2a015146854370f1
SHA512ae3f769bf035abad057ea2edce471ec244005033c7b5c06a52621b3719952a83b40856bd3afc76648df5ab937ea01464e9eb99f8f73ad9ec8c31dbfe7d68d68d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD513e8a6a0d1de2fb297b9cb829ebc8e9d
SHA1b633d2a123716be00a188db2eaaff00c148bc9ac
SHA256280245d5314379c54f3cdf14dfdcb798db718fb14a8fbca6e18a4facd7949219
SHA5123761a5515e573cf43f6987baf732999ff4cb99e796969d6fedd073903b9554185334073ede4a4060666eb2abe1ff5e7852c0245b475735d7b87ef89d75215b4f
-
Filesize
12KB
MD5a8d81f17d96152a14e14151d3e5b75c0
SHA1630ed034fce02c28c027f802dd505abc8033d349
SHA2560500538cd26a800c366e5877dc1962a2e2ea6b5a02b693f4a7e33d9a6de84aa8
SHA51241df998a0fdb1b125fd58a68704dc30cfee833a86bd0734ef281eae96234551030224597d79f5eef2617726e82eb2558ff3ad45358f37740c7747d6eccc287c3
-
Filesize
11KB
MD51ba0a0e873b657409f329f549dde96b2
SHA19949093a8d7d467521e2dbbb9471dbe295b8df73
SHA25659a0693cbfeb0aba3f13ac69cf14039e0e3d2657440097977f006369cc96ebd7
SHA512b2b4fd985c59c2c463d3ae712bc774e524ac66b99bc128545858437f74ef09cf34990fb4f68ccd65e262deab6055003f6c0cc4e39ce3f93cc1384502aff371ab
-
Filesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize
195B
MD52163b0f972053758766e0033e0906c41
SHA1addef9ad9234a46992bea332bba18b4ed94b8502
SHA256b06d5ccafedead890e60badec65aafa0774d1a4546248af1d29818a91d4d99c2
SHA5128664483dc6869702ad7ad8868dff2be8d338b6295eb18e8695d2f18d3849e2d3270267914236a9185381158a1d1a8d1e033f38d93267b7a7a2f0d4d84e2afd9a
-
Filesize
127KB
MD5f6f686df785d0abdc66d1f90fa508c4b
SHA175f348132001df30cbad9c7cae2e2072fcaca38e
SHA25661b52af14fc66126a4e7f09b3cff7d3c09e5ad35acf23fb9ba43293fac0c995f
SHA5127daa425723caade3ec747fbe6e425e26bc419e1a7dccd6253770fe1a118a8b90e0f40f6cf4bdac259e68a0198a384ed1b5de7515958f5e17e4e35219b9077d77
-
Filesize
733KB
MD50904c967075086e1879eaf3c4fb88579
SHA1d61c3717644820c986c9f268377db1044e0da655
SHA25697edea8bc010bdce4a0d3a732e16bf1390fcfeba1845f87610927eeda2a4d5f6
SHA5126e65c9babc221f0c1acaaf031e2918efa07c7956d4ba9e4265f1cfe4273d04dbadc2718be4a82991b3a67fcb65e8ecf1e758b7efb77d4a8878908357b8741a12
-
Filesize
32KB
MD52c6958c6eae0d304d6e0c6589d994aea
SHA1c9d402a572fe0efeef6788c9769111cd097b4adc
SHA2569ec46a55c9cf3dd5cbb4b720c8880261dc79c62f61e5e9c328a846b27b07a012
SHA512e6e642936e2d5fb73fb834c0e71ef5b889e559f6b3c91e55acf1b3f4c3eb5eff2b2273c34c089f6affb44b3d65dd2388d0b6ba3d6a6ced0d6fe5056462e20ea4
-
Filesize
485B
MD5cf8fe53bb0caa1560661a15691814a4d
SHA1bd434b814986605929630d7ab3cd35fc840f3623
SHA2565c2266b0eb1735a2f1be564cb89e43f1a1df75add6c2195ef9ab38dffc64d34b
SHA512102e2636a76a61c2e54c671327ecc79c79867be4b159362c6f7597940c2a75f377b834edc7baec16e511d8e41e947f2b8c494d2afade1b7ca3e1180d294a8966
-
Filesize
33.7MB
MD53c583f36fdd166613ec8b5f81597e5e9
SHA1f3e9cbfb5749212f2d54f36b391b7d03bdd303a9
SHA2568f71cc2fc5fd1b3e16377f0ca36067467280f6a63f7924f3fad273717c1f505e
SHA512072931cc7b3812d7681c879169b0ba0a1981e0c23d3549e223e29331a24c4ec5249964d2c636ec07b0ba2c3e3c81c236e0ccaf3e40d373dc2a6adc235fbcfa6b
-
Filesize
6.5MB
MD5a21db5b6e09c3ec82f048fd7f1c4bb3a
SHA1e7ffb13176d60b79d0b3f60eaea641827f30df64
SHA25667d9b4b35c02a19ab364ad19e1972645eb98e24dcd6f1715d2a26229deb2ccf5
SHA5127caab4f21c33ef90c1104aa7256504ee40ff0a36525b15eb3d48940862346ccf90a16eef87c06d79b0ffd920beb103ed380eae45df8c9286768890b15ed1067c