Analysis
- max time kernel: 318s
- max time network: 299s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-07-2024 14:02

Behavioral task behavioral1
- Sample: XWorm V5.2.zip
- Resource: win10v2004-20240709-en

Behavioral task behavioral2
- Sample: XWorm V5.2.zip
- Resource: win11-20240709-en
General
- Target: XWorm V5.2.zip
- Size: 61.4MB
- MD5: cd69a793cfd9e50998d5cf2e40c8701f
- SHA1: a6d8de061db76a5c04e8c04f64417a5e3221b600
- SHA256: 1b418092ab7db0616964e4e6fa1b7d87c0e50bdec33f9825a19daaba8a5f4c2e
- SHA512: dd334e71b8e2b6150829123d8fcffadfc350a00aacaff2395ebee4f4cf61b629bc457d65c6b6fb035d1c3bf3470fc2621a80bc43938b572e8a8b17eefd8422b0
- SSDEEP: 1572864:XXYrCTvb1MbQ0/4ZtmBb+Lj+v4IY1rnXTrCTvbGxRQ0/4WHb+LEbgUSiaG2FR:XcuMbJ/42a+4IY1rn3txRJ/4hH9GG
Malware Config
Extracted:
- Family: xworm
- Version: 5.0
- C2: 127.0.0.1:7000
- lJlmZOLkcJ7Q04G9
- install_file: USB.exe
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect Xworm Payload 2 IoCs
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.0.vb: family_xworm
- C:\Users\Admin\Downloads\XClient.exe: family_xworm
AgentTesla payload 2 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/3176-9-0x0000023075670000-0x0000023075864000-memory.dmp: family_agenttesla
- behavioral1/memory/3496-235-0x000000000C450000-0x000000000C644000-memory.dmp: family_agenttesla
Loads dropped DLL 3 IoCs
Processes (pid process):
- 3176 XWorm V5.2.exe
- 3496 XWormLoader 5.2 x32.exe
- 4000 XWormLoader 5.2 x64.exe
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource: yara_rule):
- behavioral1/memory/3176-0-0x0000023070570000-0x00000230711A8000-memory.dmp: agile_net
- behavioral1/memory/3496-224-0x0000000006930000-0x0000000007568000-memory.dmp: agile_net
- behavioral1/memory/4000-249-0x000001EC7E440000-0x000001EC7F078000-memory.dmp: agile_net
Uses the VBS compiler for execution 1 TTPs

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (XWormLoader 5.2 x32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (XWormLoader 5.2 x32.exe)
Enumerates system info in registry 2 TTPs 12 IoCs
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (XWormLoader 5.2 x64.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (XWorm V5.2.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XWormLoader 5.2 x32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (XWormLoader 5.2 x32.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (XWormLoader 5.2 x32.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XWormLoader 5.2 x64.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (XWormLoader 5.2 x64.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XWorm V5.2.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (XWorm V5.2.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies registry class 64 IoCs
Processes: XWormLoader 5.2 x32.exe, OpenWith.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes (distinct pid/process pairs):
- 3356 msedge.exe
- 4028 msedge.exe
- 688 identity_helper.exe
- 3496 XWormLoader 5.2 x32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process):
- 3496 XWormLoader 5.2 x32.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes (distinct pid/process pairs):
- 4028 msedge.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 3176 XWorm V5.2.exe
- Token: SeDebugPrivilege 3496 XWormLoader 5.2 x32.exe
- Token: 33 1532 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 1532 AUDIODG.EXE
- Token: SeDebugPrivilege 4000 XWormLoader 5.2 x64.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process pairs):
- 4028 msedge.exe
- 3496 XWormLoader 5.2 x32.exe
- 3176 XWorm V5.2.exe
Suspicious use of SendNotifyMessage 25 IoCs
Processes (distinct pid/process pairs):
- 4028 msedge.exe
- 3496 XWormLoader 5.2 x32.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (distinct pid/process pairs):
- 2356 OpenWith.exe
- 3496 XWormLoader 5.2 x32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct source/target pairs; description, pid, process, target process):
- PID 3176 wrote to memory of 4028: XWorm V5.2.exe -> msedge.exe
- PID 4028 wrote to memory of 2432: msedge.exe -> msedge.exe
- PID 4028 wrote to memory of 4428: msedge.exe -> msedge.exe
- PID 4028 wrote to memory of 3356: msedge.exe -> msedge.exe
- PID 4028 wrote to memory of 2136: msedge.exe -> msedge.exe
Processes (nested by process-tree depth; each entry gives the image path, its command line, and the signatures that process triggered)

- C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm V5.2.zip"
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe
  Command line: "C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWorm V5.2.exe"
  Signatures: Loads dropped DLL; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbafd46f8,0x7ffdbafd4708,0x7ffdbafd4718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4629323098707569730,827901386344473248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdbafd46f8,0x7ffdbafd4708,0x7ffdbafd47183⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x32.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A61.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8FEA6D54C7BE48598096D22C6A92781.TMP"3⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4a0 0x4641⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe"C:\Users\Admin\Desktop\XWorm V5.2\XWorm V5.2\XWormLoader 5.2 x64.exe"1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B, two versions captured)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (72B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (442B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB, three versions captured)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B, two versions captured)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB, two versions captured)
- C:\Users\Admin\AppData\Local\Temp\RES3A61.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll (112KB)
- C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll (84KB)
- C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.0.vb (77KB)
- C:\Users\Admin\AppData\Local\Temp\u53ku1sn\u53ku1sn.cmdline (292B)
- C:\Users\Admin\AppData\Local\Temp\vbc8FEA6D54C7BE48598096D22C6A92781.TMP (1KB)
- C:\Users\Admin\Downloads\XClient.exe (33KB)
- \??\pipe\LOCAL\crashpad_4028_STWCIVSYDXGBLAKZ (size not reported)