Analysis
max time kernel: 47s
max time network: 54s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 18/01/2025, 21:49
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted
xworm
IDKTOBEHONESTNIGAS-56344.portmap.io:56344
Install_directory: %LocalAppData%
install_file: svchost.exe
Signatures

Detect Xworm Payload (2 IoCs)
- behavioral1/files/0x00280000000462ab-376.dat: yara_rule family_xworm
- behavioral1/memory/5040-378-0x0000000000E40000-0x0000000000E52000-memory.dmp: yara_rule family_xworm

Xworm family

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 1760 powershell.exe
- PID 252 powershell.exe
- PID 232 powershell.exe
- PID 3720 powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation (XloaderCLICKTHISBEFORE.exe)

Executes dropped EXE (2 IoCs)
- PID 5040 XloaderCLICKTHISBEFORE.exe
- PID 5004 XWorm V5.0.exe

Loads dropped DLL (1 IoC)
- PID 5004 XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- behavioral1/files/0x00280000000462ac-379.dat: yara_rule agile_net
- behavioral1/memory/5004-381-0x0000020A3EF10000-0x0000020A3F982000-memory.dmp: yara_rule agile_net

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 62: ip-api.com

Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a55d1dff-5bc4-4846-9039-08d2f12b71e3.tmp (setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250118214958.pma (setup.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XWorm V5.0.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (XWorm V5.0.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (XWorm V5.0.exe)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000_Classes\Local Settings (msedge.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2328 schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
- PID 240 msedge.exe (2 entries)
- PID 976 msedge.exe (2 entries)
- PID 1696 identity_helper.exe (2 entries)
- PID 4268 msedge.exe (2 entries)
- PID 252 powershell.exe (3 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
- PID 976 msedge.exe (9 entries)

Suspicious use of AdjustPrivilegeToken (28 IoCs)
- PID 940 7zG.exe: Token SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- PID 5040 XloaderCLICKTHISBEFORE.exe: Token SeDebugPrivilege
- PID 5004 XWorm V5.0.exe: Token SeDebugPrivilege
- PID 252 powershell.exe: Token SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of FindShellTrayWindow (39 IoCs)
- PID 976 msedge.exe (38 entries)
- PID 940 7zG.exe (1 entry)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 976 msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
- PID 976 msedge.exe wrote to memory of PID 4856 (procid_target 80): 2 entries
- PID 976 msedge.exe wrote to memory of PID 4704 (procid_target 82): 40 entries
- PID 976 msedge.exe wrote to memory of PID 240 (procid_target 83): 2 entries
- PID 976 msedge.exe wrote to memory of PID 4264 (procid_target 84): 20 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Process tree; nesting shows parent/child relationships, each entry gives the command line followed by the signatures that matched it.)

- PID 976: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/4yaOMG
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 4856: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff6f4b46f8,0x7fff6f4b4708,0x7fff6f4b4718
  - PID 4704: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  - PID 240: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4264: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  - PID 4996: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  - PID 2780: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  - PID 3352: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  - PID 448: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  - PID 1936: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    Signatures: Drops file in Program Files directory
    - PID 2600: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x24c,0x250,0x254,0x248,0x258,0x7ff6210f5460,0x7ff6210f5470,0x7ff6210f5480
  - PID 1696: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4016: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  - PID 3980: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  - PID 3080: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  - PID 896: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  - PID 4544: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  - PID 1772: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  - PID 4464: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4588 /prefetch:8
  - PID 4268: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,8094211964755135585,9952140209503622211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 3296: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2276: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 1608: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- PID 940: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap14450:72:7zEvent11669
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- PID 5040: "C:\Users\Admin\Downloads\xtools\XloaderCLICKTHISBEFORE.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 252: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\xtools\XloaderCLICKTHISBEFORE.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 232: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XloaderCLICKTHISBEFORE.exe'
    Signatures: Command and Scripting Interpreter: PowerShell
  - PID 3720: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell
  - PID 1760: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell
  - PID 2328: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
    Signatures: Scheduled Task/Job: Scheduled Task
- PID 5004: "C:\Users\Admin\Downloads\xtools\XWorm V5.0.exe"
  Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken
- PID 2208: "C:\Users\Admin\Downloads\xtools\XWorm V5.0.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads