xworm | hxxps://gofile[.]io/d/3tkgBf

Analysis

max time kernel
146s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/3tkgBf

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.22:56045

Attributes

Install_directory
%AppData%
install_file
RegEdit.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000451ed-172.dat	family_xworm
behavioral1/memory/5320-243-0x0000000000900000-0x000000000091E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
5228	XClient.exe
5320	XClient.exe
5808	XClient.exe
6096	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\193b3662-0e12-470f-80b1-58562162b7a2.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241110160555.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 230022.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
4856	msedge.exe
4856	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
1364	msedge.exe
1364	msedge.exe
5500	msedge.exe
5500	msedge.exe
5500	msedge.exe
5500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5320	XClient.exe
Token: SeDebugPrivilege	5228	XClient.exe
Token: SeDebugPrivilege	5808	XClient.exe
Token: SeDebugPrivilege	6096	XClient.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 224	4856	msedge.exe	81
PID 4856 wrote to memory of 224	4856	msedge.exe	81
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 3264	4856	msedge.exe	82
PID 4856 wrote to memory of 2076	4856	msedge.exe	83
PID 4856 wrote to memory of 2076	4856	msedge.exe	83
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84
PID 4856 wrote to memory of 2992	4856	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/3tkgBf
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbe74046f8,0x7ffbe7404708,0x7ffbe7404718
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:472
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6afa75460,0x7ff6afa75470,0x7ff6afa75480
    3⤵
    PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  PID:2032
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Users\Admin\Downloads\XClient.exe
  "C:\Users\Admin\Downloads\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10463670792626441129,7129584873809699355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6484 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3320

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5580

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Users\Admin\Downloads\XClient.exe
"C:\Users\Admin\Downloads\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2905b2a304443857a2afa4fc0b12fa24

SHA1
6266f131d70f5555e996420f20fa99c425074ec3

SHA256
5298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3

SHA512
df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5391bd7b113cd90892553d8e903382f

SHA1
2a164e328c5ce2fc41f3225c65ec7e88c8be68a5

SHA256
fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79

SHA512
41957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
9fa0ac64a7fceff5e2a5f401ca8e0ed4

SHA1
e756f3acd23466d23bb6c868f7006e83c0f07dd5

SHA256
7a4bfc1db804c87fb17980972ac1aa1fdb85839ce43dfa9cc20fa485454f83d0

SHA512
178ce29abe5c49c02c10d06d76e3e87c8ab923ccfe52ef88da1c3c736dd08c758ded06ae204fe8109a0cf7795b52487deef3b6f7989723225d8225d5727e1e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
c3b23f8de7dffb6f4f5ecfa48a597de4

SHA1
51406250e1d3ed21359256438e1d520d1024d5fa

SHA256
5952fc7295f6f74f9b7003b965fd7ee2a0e7d73dc1a9f4d49d82572684a66fc2

SHA512
14e892d6ab872cb85394d2005319aec18a4b37a3649663febfbbe417635d5594367321386137a6d19bce964c9df80dd43b61470cb2f020c3dcecca214647e2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
ab275d2f26e9f1f7bddfd70d4a6c83b0

SHA1
fc2f34a41fde8c1efefa22a4752ed10e05d535f8

SHA256
4f4d38c0d6fe7b3375b7ef066d3a80a7b04271803725757754253ec5dcd372bf

SHA512
f8d9fee45a9174ef588730aa31c01159fa0aeca2b1dd1d8c016a5697271e83339f6d503e321d28ee4797ab8ff282c7d3aa081370914b749c4b41c034b7b9c921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe589759.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1777990573d3aa97558c52604a94330a

SHA1
26341a0c7d355610a4cdadd9d13be54d42d1baa7

SHA256
6d3db8def332268eb3995f43ad999fbf8f6dced0e01022ed513cd8e56d13aa0b

SHA512
0822160bd5fa3bd26122228634899a9f4d6f96fb94c9663a2f5132e7c12784594ab3af9b4c6cd4b206633b351e4a9e050dae77221930f0df659ab77741850663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f83c53d7f62e87ce8c5866d6cb76522a

SHA1
a963a9f0a885b6b6ae338afd65d280303c611885

SHA256
ba24dfaa5fb2294a68233db460e798ef1fe5efbdb7188dc115ab870cec6b6230

SHA512
866bac2c7958a1e4b56b3c5581adc3370202a9eb5cccdb088b1b1ae460652634a9960ed2869ca418beaf18def8e7f05547d7f9cdfe09b4c5fc1bb98fff361839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a386ace3ec4c60222b13f0b686be11c0

SHA1
e5ee19ad5f3dde75aab1fc9addee60feb2fe68ac

SHA256
66575b7a5057b9b8e1afab2b1d073c14be9e7e7dc7947e3aeb4d7b57ebbe29f0

SHA512
1318dc9da6878e81f639f7847c4ad775bfd20bcfb770b8ab1a0e243d1542c82667297ca4b524371c36208956ad37bdebdc34edf03eb39cd4a096883287c9d082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ad9709100fb43b77314ee7765b27828

SHA1
5cd0c406c08c9c1073b0c08169ccaffbd4ef6b98

SHA256
04b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9

SHA512
fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e122fc93c0ad25d45d09ba51a3e86421

SHA1
bb52a7be91075de9d85f4a4d7baeecc3167c871b

SHA256
a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee

SHA512
12787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d1a44b74c9bd90c2522eef9925abe869

SHA1
e4fd4921a24b9c650616eebe6ae34f2af9895e68

SHA256
8acdefb820cd75779031dc0a87eb19f4a044ec00ca80d947ae73d91aa4194453

SHA512
a2855eb4b96b4be5c7daa926a6cdd2929aed6a6ab18ecfee0baaf99f662d35b432dda2a29429b62b4c9027f01814999286e30a8032ab3f15d1060b0edc88a278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b08495ebd20b07bd245031a6c79dd89a

SHA1
671e6060d17022acbde95f1724a6fe3f5d44fcf5

SHA256
51999aa5cf5f09f71369b9713ad431e6954a66cd7eb27b770323a087022bd169

SHA512
1ce946c42630edf97722269d0ef5649e6b86e70375b107d228c7d75ff266cd75e31636ff43d1ddd0ec097d0a270f9ebf1004bbe2ff2453cbff7590b22e564021

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b80297a0907af44159db92ed749588d8

SHA1
249c88bda9a46cb054b7bbfcde1ade201643775a

SHA256
1a921b621981801ea95146b93fc259f3d6fe7c6b91e18d62aba70c492ef4c5ce

SHA512
06a08ea9b8e095944df31c596fc5be496673678e8d323f9f0d1db137697d0f54a31087a1537534fe155b8cf3bf5e562a6c63f4ffd38c56de0d3bf9c6c1e08939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4cd988152f073d6d203b258eb7f833e7

SHA1
7bf9a31986451e05d9e6b1e8a096372d4162d6d5

SHA256
92376fbd08cc76693025fae246d56b2a38ba7865cc467c1fa99de89973529f38

SHA512
b46f6809439dff264211141cca8df8d83c94a1e71d12fda06e3515f992b3f4f96c6967a4928c4eeb5f1dcd9eba894a232083be7fa6b8636b9b33e4d3777297d2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 230022.crdownload

Filesize
93KB

MD5
97e11b4ca87aa728935552438cb659b1

SHA1
512c7883b40769e169286d35a6a0bfdc8cdc876d

SHA256
91fb7641c1ba16bb45cbb73689614d2d1fbd4379f6b40f76cddbcbc767a9c71f

SHA512
b1ec39ac951bc58767b2c4dc110bab9df117a41b7f4c25b4625eb929de87579c118de9e5d7b8b7cf03a6ed7e4f2f348b0bebe9620bf1dbd65fbe386d20cb7c85

Download Submit
memory/5320-243-0x0000000000900000-0x000000000091E000-memory.dmp

Filesize
120KB

Download