xworm | hxxps://gofile[.]io/d/4yaOMG

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation	XloaderCLICKTHISBEFORE.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XloaderCLICKTHISBEFORE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	XloaderCLICKTHISBEFORE.exe

Executes dropped EXE 3 IoCs

pid	Process
628	XloaderCLICKTHISBEFORE.exe
5220	XWorm V5.0.exe
5832	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
5220	XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x002800000004630e-700.dat	agile_net
behavioral1/memory/5220-702-0x000001C515B10000-0x000001C516582000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	XloaderCLICKTHISBEFORE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d523c1aa-ee9c-4176-baf3-3a9ea6886d47.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250118213543.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "3"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5272	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
1200	msedge.exe
1200	msedge.exe
2228	identity_helper.exe
2228	identity_helper.exe
5796	msedge.exe
5796	msedge.exe
5760	powershell.exe
5760	powershell.exe
5760	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
864	powershell.exe
864	powershell.exe
864	powershell.exe
5396	powershell.exe
5396	powershell.exe
5396	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	firefox.exe
Token: SeDebugPrivilege	4876	firefox.exe
Token: SeRestorePrivilege	3860	7zG.exe
Token: 35	3860	7zG.exe
Token: SeSecurityPrivilege	3860	7zG.exe
Token: SeSecurityPrivilege	3860	7zG.exe
Token: SeDebugPrivilege	628	XloaderCLICKTHISBEFORE.exe
Token: SeDebugPrivilege	5220	XWorm V5.0.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeIncreaseQuotaPrivilege	5760	powershell.exe
Token: SeSecurityPrivilege	5760	powershell.exe
Token: SeTakeOwnershipPrivilege	5760	powershell.exe
Token: SeLoadDriverPrivilege	5760	powershell.exe
Token: SeSystemProfilePrivilege	5760	powershell.exe
Token: SeSystemtimePrivilege	5760	powershell.exe
Token: SeProfSingleProcessPrivilege	5760	powershell.exe
Token: SeIncBasePriorityPrivilege	5760	powershell.exe
Token: SeCreatePagefilePrivilege	5760	powershell.exe
Token: SeBackupPrivilege	5760	powershell.exe
Token: SeRestorePrivilege	5760	powershell.exe
Token: SeShutdownPrivilege	5760	powershell.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeSystemEnvironmentPrivilege	5760	powershell.exe
Token: SeRemoteShutdownPrivilege	5760	powershell.exe
Token: SeUndockPrivilege	5760	powershell.exe
Token: SeManageVolumePrivilege	5760	powershell.exe
Token: 33	5760	powershell.exe
Token: 34	5760	powershell.exe
Token: 35	5760	powershell.exe
Token: 36	5760	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeIncreaseQuotaPrivilege	5068	powershell.exe
Token: SeSecurityPrivilege	5068	powershell.exe
Token: SeTakeOwnershipPrivilege	5068	powershell.exe
Token: SeLoadDriverPrivilege	5068	powershell.exe
Token: SeSystemProfilePrivilege	5068	powershell.exe
Token: SeSystemtimePrivilege	5068	powershell.exe
Token: SeProfSingleProcessPrivilege	5068	powershell.exe
Token: SeIncBasePriorityPrivilege	5068	powershell.exe
Token: SeCreatePagefilePrivilege	5068	powershell.exe
Token: SeBackupPrivilege	5068	powershell.exe
Token: SeRestorePrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeSystemEnvironmentPrivilege	5068	powershell.exe
Token: SeRemoteShutdownPrivilege	5068	powershell.exe
Token: SeUndockPrivilege	5068	powershell.exe
Token: SeManageVolumePrivilege	5068	powershell.exe
Token: 33	5068	powershell.exe
Token: 34	5068	powershell.exe
Token: 35	5068	powershell.exe
Token: 36	5068	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeIncreaseQuotaPrivilege	864	powershell.exe
Token: SeSecurityPrivilege	864	powershell.exe
Token: SeTakeOwnershipPrivilege	864	powershell.exe
Token: SeLoadDriverPrivilege	864	powershell.exe
Token: SeSystemProfilePrivilege	864	powershell.exe
Token: SeSystemtimePrivilege	864	powershell.exe
Token: SeProfSingleProcessPrivilege	864	powershell.exe
Token: SeIncBasePriorityPrivilege	864	powershell.exe
Token: SeCreatePagefilePrivilege	864	powershell.exe
Token: SeBackupPrivilege	864	powershell.exe
Token: SeRestorePrivilege	864	powershell.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
3860	7zG.exe
1200	msedge.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe
4876	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4876	firefox.exe
5912	OpenWith.exe
3952	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 396	1200	msedge.exe	80
PID 1200 wrote to memory of 396	1200	msedge.exe	80
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 220	1200	msedge.exe	82
PID 1200 wrote to memory of 2500	1200	msedge.exe	83
PID 1200 wrote to memory of 2500	1200	msedge.exe	83
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84
PID 1200 wrote to memory of 4860	1200	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/4yaOMG
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff8322246f8,0x7ff832224708,0x7ff832224718
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7b6255460,0x7ff7b6255470,0x7ff7b6255480
    3⤵
    PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3944 /prefetch:8
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,9358348822350450042,810071284858997032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1900 -prefsLen 26921 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e99a76d-99a3-4c70-a9f3-259c593c852c} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" gpu
    3⤵
    PID:3076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 26799 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63444ab4-87ac-468e-adc3-90cb257a32c7} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" socket
    3⤵
    - Checks processor information in registry
    PID:4548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2892 -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 2960 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c6d8332-b96c-49d4-bf11-9e243fdc34a9} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" tab
    3⤵
    PID:2036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3944 -prefMapHandle 3940 -prefsLen 32173 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40828940-b77f-44d2-a5e4-3bdd37104c85} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" tab
    3⤵
    PID:5144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5124 -prefMapHandle 5108 -prefsLen 32173 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3435fdc2-af40-408e-94b0-879054c0334a} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" utility
    3⤵
    - Checks processor information in registry
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4ef8034-04e1-436d-9733-b0d5b3fa92c6} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" tab
    3⤵
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8836cde-8b81-48f9-9bc7-b4aa7b0cc777} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" tab
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5660 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {002499de-83fe-44df-a473-2747ccb93fa4} 4876 "\\.\pipe\gecko-crash-server-pipe.4876" tab
    3⤵
    PID:5516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5912

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\xtools\" -ad -an -ai#7zMap6223:72:7zEvent12823
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3860

C:\Users\Admin\Downloads\xtools\xtools\XloaderCLICKTHISBEFORE.exe
"C:\Users\Admin\Downloads\xtools\xtools\XloaderCLICKTHISBEFORE.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\xtools\xtools\XloaderCLICKTHISBEFORE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XloaderCLICKTHISBEFORE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5272
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  PID:6076

C:\Users\Admin\Downloads\xtools\xtools\XWorm V5.0.exe
"C:\Users\Admin\Downloads\xtools\xtools\XWorm V5.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
1⤵
- Executes dropped EXE
PID:5832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery