Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 13:23
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool
  - Resource: win10v2004-20240611-en
General
- Target: https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool
Malware Config
Signatures
-
Detect rhadamanthys stealer shellcode 4 IoCs
Processes:
resource | yara_rule
- behavioral1/memory/5332-372-0x0000000002360000-0x0000000002760000-memory.dmp | family_rhadamanthys
- behavioral1/memory/5332-373-0x0000000002360000-0x0000000002760000-memory.dmp | family_rhadamanthys
- behavioral1/memory/2940-376-0x00000000021B0000-0x00000000025B0000-memory.dmp | family_rhadamanthys
- behavioral1/memory/4360-383-0x0000000002160000-0x0000000002560000-memory.dmp | family_rhadamanthys
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow | ioc
- 34 | camo.githubusercontent.com
- 35 | camo.githubusercontent.com
- 36 | camo.githubusercontent.com
- 37 | camo.githubusercontent.com
- 38 | camo.githubusercontent.com
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: XWorm.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | XWorm.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | XWorm.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | XWorm.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | XWorm.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | XWorm.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 2 IoCs
Processes: OpenWith.exe, msedge.exe
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | OpenWith.exe
- Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | msedge.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: vlc.exe
pid | process
- 5612 | vlc.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: msedge.exe, identity_helper.exe, XWorm.exe
pid | process | entries
- 4872 | msedge.exe | 2
- 4304 | msedge.exe | 2
- 264 | identity_helper.exe | 2
- 2096 | msedge.exe | 2
- 5532 | msedge.exe | 2
- 5332 | XWorm.exe | 2
- 2940 | XWorm.exe | 2
- 2264 | msedge.exe | 4
- 4360 | XWorm.exe | 2
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: OpenWith.exe, vlc.exe
pid | process
- 5532 | OpenWith.exe
- 5612 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes: msedge.exe
pid | process | entries
- 4304 | msedge.exe | 8
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: XWorm.exe
description | pid | process
- Token: SeShutdownPrivilege | 5332 | XWorm.exe
- Token: SeCreatePagefilePrivilege | 5332 | XWorm.exe
Suspicious use of FindShellTrayWindow 48 IoCs
Processes: msedge.exe, vlc.exe
pid | process | entries
- 4304 | msedge.exe | 44
- 5612 | vlc.exe | 4
Suspicious use of SendNotifyMessage 27 IoCs
Processes: msedge.exe, vlc.exe
pid | process | entries
- 4304 | msedge.exe | 24
- 5612 | vlc.exe | 3
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: OpenWith.exe, vlc.exe
pid | process | entries
- 5532 | OpenWith.exe | 9
- 5612 | vlc.exe | 1
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | process | target process | entries
- PID 4304 wrote to memory of 3440 | 4304 | msedge.exe | msedge.exe | 2
- PID 4304 wrote to memory of 2868 | 4304 | msedge.exe | msedge.exe | 40
- PID 4304 wrote to memory of 4872 | 4304 | msedge.exe | msedge.exe | 2
- PID 4304 wrote to memory of 4264 | 4304 | msedge.exe | msedge.exe | 20
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/koyaxZ/XWorm-v5-Remote-Access-Tool
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a3546f8,0x7ffb2a354708,0x7ffb2a354718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2460838002408745401,13830736473693616131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\XWorm.rar"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
- "C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- "C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
  - Suspicious behavior: EnumeratesProcesses
- "C:\Users\Admin\Desktop\XWorm-v5-Remote-Access-Tool-main\XWorm-v5-Remote-Access-Tool-main\XWorm.exe"
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (657B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578889.TMP (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\Downloads\XWorm-v5-Remote-Access-Tool-main.zip (5.0MB)
- C:\Users\Admin\Downloads\XWorm.rar (3.8MB)
- \??\pipe\LOCAL\crashpad_4304_XAOEJKPILMNEDVNE
- memory/2940-376-0x00000000021B0000-0x00000000025B0000-memory.dmp (4.0MB)
- memory/4360-383-0x0000000002160000-0x0000000002560000-memory.dmp (4.0MB)
- memory/5332-371-0x00000000020A0000-0x00000000020A7000-memory.dmp (28KB)
- memory/5332-372-0x0000000002360000-0x0000000002760000-memory.dmp (4.0MB)
- memory/5332-373-0x0000000002360000-0x0000000002760000-memory.dmp (4.0MB)
- memory/5612-241-0x000002C27EC50000-0x000002C27FD00000-memory.dmp (16.7MB)
- memory/5612-240-0x00007FFB163A0000-0x00007FFB16656000-memory.dmp (2.7MB)
- memory/5612-239-0x00007FFB18C80000-0x00007FFB18CB4000-memory.dmp (208KB)
- memory/5612-238-0x00007FF7D0E10000-0x00007FF7D0F08000-memory.dmp (992KB)