Analysis

max time kernel: 126s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 13:45
Static task: static1
URLScan task: urlscan1

General

Malware Config

Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\Guna.UI2.dll | family_agenttesla
  behavioral1/memory/4540-302-0x000001F7C9FD0000-0x000001F7CA1C4000-memory.dmp | family_agenttesla
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  4540 | XWorm V5.2.exe
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  4540 | XWorm V5.2.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe | agile_net
  behavioral1/memory/4540-287-0x000001F7ACF30000-0x000001F7ADD0E000-memory.dmp | agile_net
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XWorm V5.2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XWorm V5.2.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XWorm V5.2.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | firefox.exe
NTFS ADS 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin.7z:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid | process
  1760 | msedge.exe
  1760 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
  5828 | identity_helper.exe
  5828 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
  pid | process
  3932 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
  3932 | msedge.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3544 | firefox.exe
  Token: SeDebugPrivilege | 3544 | firefox.exe
  Token: SeDebugPrivilege | 3544 | firefox.exe
  Token: SeRestorePrivilege | 1804 | 7zG.exe
  Token: 35 | 1804 | 7zG.exe
  Token: SeSecurityPrivilege | 1804 | 7zG.exe
  Token: SeSecurityPrivilege | 1804 | 7zG.exe
  Token: SeDebugPrivilege | 4540 | XWorm V5.2.exe
  Token: SeDebugPrivilege | 3544 | firefox.exe
  Token: SeDebugPrivilege | 3544 | firefox.exe
  Token: SeDebugPrivilege | 3544 | firefox.exe
Suspicious use of FindShellTrayWindow 30 IoCs
Suspicious use of SendNotifyMessage 27 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid | process
  3544 | firefox.exe
  3544 | firefox.exe
  3544 | firefox.exe
  3544 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nested by depth in the process tree)

C:\Program Files\Mozilla Firefox\firefox.exe
  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/DeathDealerSoftware/XWorm-V5.3/releases/download/XWorm/XWorm.V5.3.Optimized.Bin.7z"
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/DeathDealerSoftware/XWorm-V5.3/releases/download/XWorm/XWorm.V5.3.Optimized.Bin.7z
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.0.508870931\2058482599" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc383b24-4006-4ba0-9e4b-fa7a45deaec5} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 1876 1a849a0e258 gpu

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.1.1871368751\368766922" -parentBuildID 20230214051806 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfdb0f6d-85c9-4993-80cf-63c5935f74b6} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 2484 1a83588b958 socket

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.2.906265743\2003232832" -childID 1 -isForBrowser -prefsHandle 3044 -prefMapHandle 3040 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {324fcba3-dfff-4a81-bd29-f5f45f1b76c7} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 3180 1a84cb38a58 tab

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.3.66710595\1557827053" -childID 2 -isForBrowser -prefsHandle 3972 -prefMapHandle 3968 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a22d4fb8-2226-4363-a442-432fe90d03a7} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 3984 1a83587ce58 tab

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.4.383032127\1281116602" -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 4992 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bfb9c9e-22ee-4e0f-bad7-6e685d8d7a2b} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5076 1a8503a8158 tab

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.5.1497731959\196696968" -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5244 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1614868e-f2fd-4aec-a749-89bb91a6ebbf} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5164 1a8503a7e58 tab

        C:\Program Files\Mozilla Firefox\firefox.exe
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3544.6.506927070\567676073" -childID 5 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1168 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563fcc90-ea5e-41cc-9dda-5cb46c21e5c2} 3544 "\\.\pipe\gecko-crash-server-pipe.3544" 5276 1a8503a9058 tab

C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\" -spe -an -ai#7zMap4376:108:7zEvent6006
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe
  cmd: "C:\Users\Admin\Downloads\XWorm.V5.3.Optimized.Bin\XWorm V5.3 Optimized Bin\XWorm V5.2.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe6d746f8,0x7ffbe6d74708,0x7ffbe6d74718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,3395129695481327657,9217986936235053474,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Memory dumps (path | size)
  memory/4540-287-0x000001F7ACF30000-0x000001F7ADD0E000-memory.dmp | 13.9MB
  memory/4540-295-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB
  memory/4540-304-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB
  memory/4540-286-0x00007FFBEDA43000-0x00007FFBEDA45000-memory.dmp | 8KB
  memory/4540-296-0x000001F7C9050000-0x000001F7C9C3C000-memory.dmp | 11.9MB
  memory/4540-394-0x00007FFBEDA43000-0x00007FFBEDA45000-memory.dmp | 8KB
  memory/4540-395-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB
  memory/4540-396-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB
  memory/4540-397-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB
  memory/4540-302-0x000001F7C9FD0000-0x000001F7CA1C4000-memory.dmp | 2.0MB
  memory/4540-303-0x00007FFBEDA40000-0x00007FFBEE501000-memory.dmp | 10.8MB