xworm | hxxps://gofile[.]io/d/hNhSPb

Analysis

max time kernel
1042s
max time network
449s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/hNhSPb

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c80-86.dat	family_xworm
behavioral1/memory/5616-226-0x0000000000E00000-0x0000000000E1A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	xxx.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xtremetoolkit.lnk	xxx.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xtremetoolkit.lnk	xxx.exe

Executes dropped EXE 22 IoCs

pid	Process
5616	xxx.exe
5984	xxx.exe
6012	Xtremetoolkit
4064	xxx.exe
1960	xxx.exe
1412	Xtremetoolkit
5192	xxx.exe
5116	Xtremetoolkit
1952	Xtremetoolkit
3748	Xtremetoolkit
4436	Xtremetoolkit
5404	Xtremetoolkit
5868	Xtremetoolkit
2788	Xtremetoolkit
6024	Xtremetoolkit
2108	Xtremetoolkit
4668	Xtremetoolkit
2260	Xtremetoolkit
2212	Xtremetoolkit
5352	Xtremetoolkit
5540	Xtremetoolkit
4148	Xtremetoolkit

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xtremetoolkit = "C:\\Users\\Admin\\AppData\\Roaming\\Xtremetoolkit"	xxx.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 263981.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5832	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5616	xxx.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
1004	msedge.exe
1004	msedge.exe
1620	identity_helper.exe
1620	identity_helper.exe
3240	msedge.exe
3240	msedge.exe
5616	xxx.exe
5616	xxx.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	5616	xxx.exe
Token: SeDebugPrivilege	5984	xxx.exe
Token: SeDebugPrivilege	6012	Xtremetoolkit
Token: SeDebugPrivilege	4064	xxx.exe
Token: SeDebugPrivilege	1960	xxx.exe
Token: SeDebugPrivilege	1412	Xtremetoolkit
Token: SeDebugPrivilege	5192	xxx.exe
Token: SeDebugPrivilege	5116	Xtremetoolkit
Token: SeDebugPrivilege	1952	Xtremetoolkit
Token: SeDebugPrivilege	3748	Xtremetoolkit
Token: SeDebugPrivilege	4436	Xtremetoolkit
Token: SeDebugPrivilege	5404	Xtremetoolkit
Token: SeDebugPrivilege	5868	Xtremetoolkit
Token: SeDebugPrivilege	2788	Xtremetoolkit
Token: SeDebugPrivilege	6024	Xtremetoolkit
Token: SeDebugPrivilege	2108	Xtremetoolkit
Token: SeDebugPrivilege	4668	Xtremetoolkit
Token: SeDebugPrivilege	2260	Xtremetoolkit
Token: SeDebugPrivilege	2212	Xtremetoolkit
Token: SeDebugPrivilege	5352	Xtremetoolkit
Token: SeDebugPrivilege	5540	Xtremetoolkit
Token: SeDebugPrivilege	4148	Xtremetoolkit

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe
1004	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5616	xxx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 3948	1004	msedge.exe	83
PID 1004 wrote to memory of 3948	1004	msedge.exe	83
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 2284	1004	msedge.exe	84
PID 1004 wrote to memory of 3600	1004	msedge.exe	85
PID 1004 wrote to memory of 3600	1004	msedge.exe	85
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86
PID 1004 wrote to memory of 3504	1004	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/hNhSPb
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1fe846f8,0x7ffe1fe84708,0x7ffe1fe84718
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,2680285525439324994,568696297288795412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5576

C:\Users\Admin\Downloads\xxx.exe
"C:\Users\Admin\Downloads\xxx.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5616
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Xtremetoolkit" /tr "C:\Users\Admin\AppData\Roaming\Xtremetoolkit"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5832

C:\Users\Admin\Downloads\xxx.exe
"C:\Users\Admin\Downloads\xxx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5984

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6012

C:\Users\Admin\Downloads\xxx.exe
"C:\Users\Admin\Downloads\xxx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\Downloads\xxx.exe
"C:\Users\Admin\Downloads\xxx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\Downloads\xxx.exe
"C:\Users\Admin\Downloads\xxx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5192

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Users\Admin\AppData\Roaming\Xtremetoolkit
C:\Users\Admin\AppData\Roaming\Xtremetoolkit
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xxx.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
99882f37ad4a4d8530aa81dccf3294e6

SHA1
a1bc699370731d605d5b57f0a2091c61a87baec9

SHA256
2e6c4dff2fc9fe8bf12c186957cd597f98f218d16bc75715654ad84e01b868d3

SHA512
efbac28257551a6d625937833fc292393296c20ec2437d0d46509b6ff99829ff8dfda7af1a7033e0e67aef2911035ad06d3f3a72a8486b37884606e1e0a58924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af70db1887381980b2e8b6cabbededc2

SHA1
b5259f04715316d365c733e90c8768a8f7aa68e6

SHA256
fbb070db6f3a8745c65d094352de10556b5fb45173b6aa56e5de9d016187b265

SHA512
67a439819258cc6e2bcdc3e9a75a3f270d411362094afd768301481c3e31c32e5200afd2ef06932eae855112ef08137d52e580ab3958f6ae71c2d1bca2889503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ca33b1b197d1882341baa41eee49d3a

SHA1
01a17b747b9a1dacbf8d598d1f274575486af742

SHA256
d9827391c73603d5b0dc7ee420578eee2c1dfcc96f6a0302bf69f9bb81f45480

SHA512
de513c43da46d3e780520ef08c0d05f0f43c979615c2cb584fffecebf271a779eba4b3403369f80a16ea7f25cd3108074d405762950ed87a311dd688a016da48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc005b27599ce411a9abac960a0bba3b

SHA1
00444fa5e5bcef5114c94d0b38ca14d40c27ab82

SHA256
9ba77069d3c0d24a0cb784bfdbc8677a85b832950a5936628ec433b49b462d62

SHA512
d2aae6d35abfce8b797c154d557d2b6979d05452ee2043eecd1bfc1e381c80f1548aa2fbb3264bea82dbb1122f55913f8edb221968cf28c694d5f6a5f26cbd5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3ab5fbf7520c86e3ecf4d4c26ac4a90

SHA1
cc0e2279b5acb86e42e422828c3247bbcc374739

SHA256
066b2b33fe79f7d3c9d289382e8e76d2cede367367c1c588297487b847bb640d

SHA512
c80e8bfe763eda5975ac421b1b01b5ef54b9872d9b577b287a252b6e77162bbb5097d8d0c2c6b5892b05b19355f771a208c7d29eba5154ec220416ca6e6b0d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7678652302f5e565d8d102eb45036ce3

SHA1
191d736dfc08a8f20efbaed189576db9db1e842e

SHA256
a41c885bcb6bdd619c977a956e4336e0eecee3dc3feb740a5aabdb2f8eeb85a0

SHA512
6752767820825785e1c81b576d3a9b75610201ce74238891c7bbe211654ee43f485a91bd1e18729e88efece488d8beb9ac5acc65eb9d5bdee727d303ab420e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4e9b44635a2bfe417aede6ab87b9be29

SHA1
cd6e47ec1810f5c3e0530789e29d9958bf42984c

SHA256
7ac9e68d4d62c22b2532ae7de447aa463523960e1bfd5af8527e8bbd656fea81

SHA512
f81cfe8b4f8a70a90b79338d522e3a7357f12fc47a77a6cf730f6d056e61a16e09bc8dcd687f6c0860310b524b92ae1abd55ec4d157034be7aba4118e2b13b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
628f6b1fba31442f9dbd0e293a45f1b5

SHA1
d56a211cb2154e4073089764825b2fcfb62af521

SHA256
9d1279c763d3e035cc426d11d7fdd3a5160bbf5ccb5eb7feda95dd64e09132dc

SHA512
310d04f953e23850560daa777d0c49026fbe19229a37495eff068893962d58c3c9a1b3fb3aac1c24b4d61361460145920752a94f624c9bcaa12f2301c403bd52

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 263981.crdownload

Filesize
76KB

MD5
1338e6d417f94705406e29513bd9d1a1

SHA1
1a34323538555e323f666bb661d317c579f02a2f

SHA256
0ef3595aadfafef6f755d346ed2bb8546613627b80ce7c36354160b9cb49099b

SHA512
7c62ae8aed08213f704cf383840fc05bcc282e61a4ad90e9f460e65c08e5b7ad612fbaea5fd30d12990bdb3731aa5fa4be0087e2842252f8d215cbcf5c4503f5

Download Submit
memory/5616-226-0x0000000000E00000-0x0000000000E1A000-memory.dmp

Filesize
104KB

Download