Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24/01/2025, 11:40
General
-
Target
Microsoft Edge Extention.exe
-
Size
187KB
-
MD5
d84b7ea8c978dd822e5e777bba5cec0d
-
SHA1
4c7c51e2da136c46dd3788e7e7a559f8e02cd661
-
SHA256
cc63182619e0337324e6a5f31677e70f660d049ea0a8b4710e50e2692842497c
-
SHA512
a272501053bf03d28e3f1daf8d5dc4a811f5211a99c89bc45ddb0435294ebebf074cf78a959c6a8ee252d7001340b413a53b8db0af145dfcff6c51e3c5b57d22
-
SSDEEP
3072:amV+Wqa2anXobLhFEd3OVPXqvRUGKXs+S++7KFSbxeY+qDDrMX:amV+WqaxXobTEd0FGqStKEbxI
Malware Config
Extracted
xworm
republic-python.gl.at.ply.gg:26535
-
Install_directory
%Temp%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge Extention.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge Extention.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\XClient.exeC:\Users\Admin\AppData\Local\Temp\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca0c446f8,0x7ffca0c44708,0x7ffca0c447182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6344 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3172 /prefetch:82⤵
- Modifies registry class
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,6586770741612264445,3047556432245186902,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\XClient.exeC:\Users\Admin\AppData\Local\Temp\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
-
C:\Users\Admin\AppData\Local\Temp\XClient.exeC:\Users\Admin\AppData\Local\Temp\XClient.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
67KB
MD569df804d05f8b29a88278b7d582dd279
SHA1d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA5120ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e
-
Filesize
62KB
MD5c813a1b87f1651d642cdcad5fca7a7d8
SHA10e6628997674a7dfbeb321b59a6e829d0c2f4478
SHA256df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
SHA512af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
-
Filesize
19KB
MD51bd4ae71ef8e69ad4b5ffd8dc7d2dcb5
SHA16dd8803e59949c985d6a9df2f26c833041a5178c
SHA256af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725
SHA512b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863
-
Filesize
63KB
MD5226541550a51911c375216f718493f65
SHA1f6e608468401f9384cabdef45ca19e2afacc84bd
SHA256caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5
SHA5122947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516
-
Filesize
66KB
MD5f53b6d474350dce73f4fdc90c7b04899
SHA1b06ca246301a6aea038956d48b48e842d893c05a
SHA25628442a56b016bfade0e368929138aaaadfc36156734e8ec7a6325b3e58fddc25
SHA5127f275614052ebae8876ad28fc5d48e4f63ed9ebc610ed981f81377ea3ba4c49a2031ff771deb12adabcf33d4789ba35354c1e52524c067a9e7ce078703683f1e
-
Filesize
2KB
MD575100f119619a8f78caf9693f1b296b9
SHA1b622e010e1675341c42b33057032cbf56a885eaa
SHA2566d06f43d77802598e9eecb4ddca222057865d8ca02cb7f309f0da5a1aabf1fd3
SHA51206717028865d0f9e03575b812996cf131fd617c2ae08bd3930bb74b3b47499881a840da30207b40e4f54473af6a9f455d5f702536900ae0f25d3d53e2a9517a1
-
Filesize
2KB
MD5d1c4966a66e800b905303bf1b7726c31
SHA1ca8f5f088cc54f5ef766a21993e098f71c329708
SHA256aebba3024566466bbf409cdf2b89c5a89fe215f1a209b6b353654c1f6f9a4b26
SHA512ff30f0d511a082fea270b330c222e535894822ceabd736fd4aca0416ecdedf5eeb1e96e1528c1da3245ded6addd3e6ecc8d4d606b157db954578e232b2f8a52d
-
Filesize
36KB
MD5468f57e49a8e2342aa89bfd3fdb71fba
SHA190f6338ebb0dfd9ddf4b254dc7aa9b595a10cea6
SHA256c247f2f516b93e16391ec19b37cb8e4ff8907c3eaef291b747418d4d8a527cdd
SHA512ed84eca6ee7a9a5a2321528a9f283319d611cbd4b325e2e1d9e97bfc13415bd36cfc36da18cf11b97f431d0d434ce0064bd2cea702a69a7df1be510f1d7615f8
-
Filesize
124KB
MD5ea034209388defb584f84494fd8fb1b6
SHA1d95dc9759b9a8deb49d2b1925ca2336f854f7746
SHA2565558a131440f3884f64de2f2f50ca164e449966cca370b0c3ceb3816f5f20d84
SHA5120c7e15ce1d72b18fa19d0e4ed21a6a5bf40408826ad8251a481490773b240d299aa350b03fa59da1eb79de067abbfe5bf2dccfa1fcf7368990ceba833508283a
-
Filesize
8KB
MD543e3c5ed0a598aa8fc4dee39ce3f95ac
SHA10f12eeb7dc7ee68b55c972b7a88a1dbbc1d35ce9
SHA256b5fb8dc8bb5f7dd18a680d3b6522dea582a08580ea1371085cfc368c758f96f1
SHA5124b3a3ea39dd83016f5c09f1321cd9ec890eb0bfe7899cccfdf461a762cc919346760eefa1fd2a98cff6170cc351af2f2485b68c95db0816bba0aad34860e079d
-
Filesize
13KB
MD53abf497e8835f88b74786f4fe65da7eb
SHA1cf75427761b602749d8a942451184f8275d707ca
SHA256ceb7b3fada890a5f7b240e7d761e0e216f42aadb306078f5e000e6e4e37f177d
SHA5122e30829761446831952583b8195c9af65c028007763e4b5701e0936b9dfaf1e5821a8d9b73af76745f92072b5008fc2b1bb5426160b231b68886829b349eda66
-
Filesize
7KB
MD5d188d5d5619d4819948143a3006d591a
SHA19aefa2b7d3e7bf38256e7071e45bb97639e02db7
SHA256edf4989687182d924d2a178d9f49de25fc8656b731b3218e818f2ff206993e46
SHA5126660b0f842b487aacfa2183f61ab47bd8f003479f2833437269142978afbdd7c485517757be75220063bd77d5ba5c59379fe0b75df7af496d3f870b3e562f00a
-
Filesize
12KB
MD547ee5cc786610fc69d3e7195a49fc66c
SHA1c793dda392198cb0872f68cdd26d1fedd6ef8089
SHA25636b3cb6b67c4f3723f9dba51c126145ca1d2c471b7d06dff8ba5d917c9eabff7
SHA512d5fa425bf8367c55b42191a755954fb82a70e240d88e37573f79ff76f55483514b017ded1cbae3b3249baf1a619acf5aa0b87e9ddd2bda57e61ed965b178e1ba
-
Filesize
5KB
MD5c68f1f4c4f7df8c96ba47fe956b21fbd
SHA11e7a0981938fc7c1a8df3478fc29acc95472579b
SHA256dd72a0dd957bdd5666dfa84d43c3af1693239a4d7ebe9b5886e3cd3af7cfe4b1
SHA5127fe8b662e6f932dba33e400417f7d4663b90f6ff69c6114037cb7d6728f820366292eb144b2e4e2bc2471d5751123b3dc94bf2b8e44ae001dcc76624431f1602
-
Filesize
14KB
MD591b64dde2730ccdb8a39fa29e8eb1a90
SHA1b9364c214daa69a935983958803625e930cee145
SHA256580d141c88f6909fe76b3dc6302f1eb8211893895475fda91d9eaf4550eccd77
SHA5120aa97d7504f505280ae5020331eaf04e9660a1da26e8417a581a87a5cfe76836da741bf4fadafc42e70cc851918fb6fc0900c2cba8854a565be25fd50f357c31
-
Filesize
4KB
MD5c1a9c871483de4cf8cbddbb779b9220f
SHA1b8fedae772c0149c4d66de3b8fe0e343f47a9b70
SHA2564941055778e569274ba4644fdf2ef370705e073b92f53a13ed01eee45fcea2cd
SHA512a7df4086d1fd96ecec9f50fe21091d6e2d42b6e10266cd72db1cc30fdc5e59635f3e4dc4f7a2daf9a2d3811aed8b7f72dc6dd7b7193b998f33b031f6afecb1a8
-
Filesize
5KB
MD51d9982d612d24ba35ef6d14ad8a71b75
SHA12eddd579605af4932fa823f7a1a5b216701b4946
SHA2562be3eec2e004bbe2c3a24853d0f3d75521e57b760a00837a39e36b9de7f375cb
SHA512d223b466d952b35668e17973fd516c2be9c4d334da96ca1ca1231f3d7e31b6881cac9336df0e1b059a1ffc6df5c0abee6545678406b51dd51848ba92eea54da5
-
Filesize
4KB
MD536466b22d7160ac101f03bf59903bc6d
SHA119f28c553dd18dd1d28abb2a069e49d4dfeb3c14
SHA2566fa1cbc2ba1eb2d97fd96861499393f2e6404216c95c58a11d89b961e82c5edc
SHA51240334e13314257ffe11ae885f57816c4380ce3ffaab031783e666dc1ebc3743b306e27e99d223a118bea5a65a9c02bb2764e5d53fc55d61248339eef4e613eb0
-
Filesize
5KB
MD549a8c55badeef43c0afa1d0cca812e89
SHA1004151bd29951210828e24979d573f7a1c271da9
SHA256933d6014f5c1af661117c631dba5fa2539402942b0481544ae554b01c4b34208
SHA5121ab4dc13b703848f66a61488ae096c2733a16adc3205cf8dac791b6bc1c4068bdaee049299d6ed784b40f694089b5a3963ed9091f580f2a2063bf3af3e94bc4b
-
Filesize
2KB
MD5904f3bf8d00810f058435446b3cefe62
SHA144c5af09c9c54a3fdbe24d9428e8fd964060217a
SHA25615e4e147158c831ac14da0463ade3f829970208fa939fcfcebdb2707f0904516
SHA512559ee74920f0ea09f68077d33cae5b398be97243d4c9cfac58b13acd89fa06aa4d987bd597d5bdefe3a3708423bc78cfcd6a884a4c6edc2418752ee1f5f5844a
-
Filesize
116KB
MD5e111e6784fe8dca3aa5e86677d162638
SHA10003d1ba48822343c2ae3a67798d85701f5335a0
SHA2565706d76628b1598ef6e158a0762c1c5237cde9b484eca5ebf6d4943d24d5ba1c
SHA51290c98fec4b7cf15a49b635c62801c436af2d0fb60d7d591b426e029e2aa7114e83c2ac37eabd2ef4354a83521d0f522f8869f1ec4cc3c9f0d324b3c30f44a733
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD58778b026683ce2ed5be53040bb55c96b
SHA1459e8f8187c26e614a87b860c6fe2f3b23ba93b9
SHA256b1743c578ab7e7d25b3baec21aecdd3c4f955d8fd0da93911fd7fe436c859e6e
SHA512feee2597d2feb4ce175a92276e51b92e79df3af7a3b74d6aaa3ca52abb8c07cc41498179535db13b0fe9b75912d48d27fd4b702335ef27a407d37b12b2612d1f
-
Filesize
10KB
MD50270ef91ecb1342ca49ac2ab5ebfe8c2
SHA19034000d82502a6e5ed070a91e37adbad6b114a2
SHA256bd46436c9b67a396bccfb232616e4b753ce23c3afc500923d99e510a1ebd664c
SHA51264a38b06d3e814cacb703065bd495b2011c5b56e0e797cce08c2a8ffa5b6cdc680907f7f06bd6123a27ce832b15e92644184e1e71a0e0532534e2094ac0ed7b1
-
Filesize
187KB
MD5d84b7ea8c978dd822e5e777bba5cec0d
SHA14c7c51e2da136c46dd3788e7e7a559f8e02cd661
SHA256cc63182619e0337324e6a5f31677e70f660d049ea0a8b4710e50e2692842497c
SHA512a272501053bf03d28e3f1daf8d5dc4a811f5211a99c89bc45ddb0435294ebebf074cf78a959c6a8ee252d7001340b413a53b8db0af145dfcff6c51e3c5b57d22
-
Filesize
1KB
MD58bf83defb2db7a40850ff81cc0950635
SHA1635c62cdb51653d511f6791434e347a63940bdaa
SHA256af1e921d4d4e48c9ad9d623eea6e43088356bb8541e58f96589a294ef4e0b9ac
SHA51207c63c4a9789650a71dc0432a645cd3ea7d542cc56d54128d42e57e43420b155feb2305936294665061844626bc8729257f6ee09d5b12e5b14a6510666ab9587
-
Filesize
208KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
1.1MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB