Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/02/2025, 00:02
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
Family: xworm
C2:
  127.0.0.1:19297
  6.tcp.eu.ngrok.io:19297
Install_directory: %Userprofile%
install_file: XClient.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000400000001e64c-72.dat | family_xworm
behavioral1/memory/5436-135-0x0000000000080000-0x000000000009C000-memory.dmp | family_xworm

Xworm family

Downloads MZ/PE file (1 IoC)
flow | pid | Process
52 | 848 | msedge.exe

Executes dropped EXE (6 IoCs)
pid | Process
5436 | Synapse X Cracked by XP ZONE (1).exe
5808 | Synapse X Cracked by XP ZONE (1).exe
5392 | Synapse X Cracked by XP ZONE (1).exe
5868 | Synapse X Cracked by XP ZONE (1).exe
5256 | Synapse X Cracked by XP ZONE (1).exe
4076 | Synapse X Cracked by XP ZONE (1).exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
69 | ip-api.com
99 | ip-api.com

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies registry class (58 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000009bdadcdb4c81db01c895a0fb5681db0195efee2dab88db0114000000 | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | msedge.exe
NTFS ADS (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 908374.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 561051.crdownload:SmartScreen | msedge.exe

Suspicious behavior: EnumeratesProcesses (36 IoCs; identical rows collapsed, count in last column)
pid | Process | rows
848 | msedge.exe | 2
528 | msedge.exe | 2
4984 | identity_helper.exe | 2
5312 | msedge.exe | 2
5396 | taskmgr.exe | 22
4668 | msedge.exe | 4
5360 | msedge.exe | 2

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
5360 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs; identical rows collapsed, count in last column)
pid | Process | rows
528 | msedge.exe | 17

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5436 | Synapse X Cracked by XP ZONE (1).exe
Token: SeDebugPrivilege | 5808 | Synapse X Cracked by XP ZONE (1).exe
Token: SeDebugPrivilege | 5392 | Synapse X Cracked by XP ZONE (1).exe
Token: SeDebugPrivilege | 5868 | Synapse X Cracked by XP ZONE (1).exe
Token: SeDebugPrivilege | 5256 | Synapse X Cracked by XP ZONE (1).exe
Token: SeDebugPrivilege | 5396 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5396 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5396 | taskmgr.exe
Token: 33 | 5396 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 5396 | taskmgr.exe
Token: SeDebugPrivilege | 4076 | Synapse X Cracked by XP ZONE (1).exe

Suspicious use of FindShellTrayWindow (64 IoCs; identical rows collapsed, count in last column)
pid | Process | rows
528 | msedge.exe | 50
5396 | taskmgr.exe | 14

Suspicious use of SendNotifyMessage (64 IoCs; identical rows collapsed, count in last column)
pid | Process | rows
528 | msedge.exe | 32
5396 | taskmgr.exe | 32

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
5360 | msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | rows
PID 528 wrote to memory of 2912 | 528 | msedge.exe | 84 | 2
PID 528 wrote to memory of 3780 | 528 | msedge.exe | 85 | 39
PID 528 wrote to memory of 848 | 528 | msedge.exe | 86 | 2
PID 528 wrote to memory of 1068 | 528 | msedge.exe | 87 | 21
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 528, depth 1)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/dmXlFM
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2912, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ebbe46f8,0x7ff8ebbe4708,0x7ff8ebbe4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3780, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 848, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
      - Downloads MZ/PE file
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1068, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1496, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4740, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1600, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3956, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4984, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3548, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3292, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2388, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5596 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3908, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4080, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6004 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2340, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4508, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3548, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3768, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3088, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5312, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe (PID 5436, depth 2)
      "C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe (PID 5808, depth 2)
      "C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5764, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6028, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4080, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5880, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2388, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1944, depth 2)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6932 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7000 /prefetch:82⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3612 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:12⤵PID:380
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1572
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3184
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5300
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5392
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5868
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5256
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5396
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076
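When the process list is copied out of the report as raw text, each entry arrives with the image path, the quoted command line, the nesting-depth marker and (when no signatures follow) the PID run together on one line, so "/prefetch:1" followed by depth marker "2⤵" reads as "/prefetch:12". The parser below is an added example, not part of the report or of any tria.ge tooling: it splits those fields apart, rebuilds parent links from the depth markers, and pulls out the processes that hit a given signature. The sample input is five entries copied from the list above in the raw exported form; the depth-2 entries have their parent above this excerpt, so they link to no parent. The names `parse_process_list`, `with_signature` and `summary` are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

DEPTH_ARROW = "⤵"  # nesting marker in the export: "2⤵" means tree depth 2

# One exported process line: <image path><command line><depth>⤵[PID:<pid>]
# The image path ends at its first ".exe"; the command line starts with a quote
# or a bare drive path; the PID is on this line only when no signatures follow.
ENTRY_RE = re.compile(
    r'^(?P<image>.+?\.exe)'
    r'(?P<cmdline>(?:"|[A-Za-z]:\\).*?)'
    r'(?P<depth>\d)' + re.escape(DEPTH_ARROW) + r'(?:PID:(?P<pid>\d+))?$'
)


@dataclass
class Process:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent_pid: Optional[int] = None      # None when the parent lies outside the excerpt
    signatures: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_process_list(text: str) -> list[Process]:
    """Rebuild process records and parent links from the raw exported list."""
    procs: list[Process] = []
    current: Optional[Process] = None
    last_at_depth: dict[int, Process] = {}  # most recent process seen at each depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":         # empty bullets between entries
            continue
        if line.startswith("- "):           # signature hit under the current process
            if current is None:
                raise ValueError(f"signature before any process: {line!r}")
            current.signatures.append(line[2:])
            continue
        if line.startswith("PID:"):
            if current is None:
                raise ValueError(f"PID before any process: {line!r}")
            current.pid = int(line[4:])
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        depth = int(m["depth"])
        parent = last_at_depth.get(depth - 1)
        current = Process(m["image"], m["cmdline"], depth,
                          int(m["pid"]) if m["pid"] else None,
                          parent.pid if parent else None)
        for d in [d for d in last_at_depth if d > depth]:  # drop stale deeper branches
            del last_at_depth[d]
        last_at_depth[depth] = current
        procs.append(current)
    return procs


def with_signature(procs: list[Process], signature: str) -> list[Process]:
    return [p for p in procs if signature in p.signatures]


def summary(p: Process) -> str:
    parent = "?" if p.parent_pid is None else p.parent_pid
    return f"{p.pid} (parent {parent}, depth {p.depth}) {p.name}: " + (", ".join(p.signatures) or "no signatures")


# Five entries copied from the process list above, in the raw exported form.
SAMPLE = r'''
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1164985118225775761,10087177936325546763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5312
-
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5436
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1572
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5396
-
C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"C:\Users\Admin\Downloads\Synapse X Cracked by XP ZONE (1).exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076
'''

if __name__ == "__main__":
    procs = parse_process_list(SAMPLE)
    for p in procs:
        print(summary(p))
    print("dropped-EXE executions:", [p.pid for p in with_signature(procs, "Executes dropped EXE")])
```

The image path is cut at the first ".exe" and the command line at the last single digit before the arrow, which is why "/prefetch:82⤵" comes back as "/prefetch:8" at depth 2 and "-Embedding1⤵" as "-Embedding" at depth 1; a line that fits neither that shape, a signature bullet nor a "PID:" line raises rather than being silently skipped, so a changed export format is noticed instead of producing a wrong tree.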
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 6738f4e2490ee5070d850bf03bf3efa5
SHA1: fbc49d2dd145369e8861532e6ebf0bd56a0fe67c
SHA256: ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab
SHA512: 2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b

Filesize: 152B
MD5: 93be3a1bf9c257eaf83babf49b0b5e01
SHA1: d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a
SHA256: 8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348
SHA512: 885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

Filesize: 90KB
MD5: 089155bd7fe0036d253cb868ccc05c7c
SHA1: 21ef7fc422c7746e743178706d4425687af5653c
SHA256: ac2499041f86963a7a87a112d832ff8a4ef970b611c0925fc21b141649c74572
SHA512: af687cb980644ae889615e85a198fe8e62c3b154e4d94d98c8dce0f7e10c60773a99020aeecadd1c939f338508541bab0672ebd65d8ac2a0116aff89ff92ce5e

Filesize: 1.7MB
MD5: 0a15c52faa5db00f34c58fc505fc536d
SHA1: f1b51b31512480995a0e595b09b8ba9bdebe56e7
SHA256: 08ba14ef5cc9e9104bafff2b39ad005f3fceeee97399c841f20c3438c1bc40ab
SHA512: 8aeafe9d3de2f235949ead3d3f30ac6dda0935c6567ddb7ceebacecfa5663dcb3f154a076a162f7ed0dba390e1170c2e4cf2b4c7ab4b3f0587ff3d7b2b9ec2d3

Filesize: 41KB
MD5: e54a8e3ff39023a57b4d70bd012e9a9b
SHA1: a1cdc7ca30c559ca8d74a36c77d8de88c7b83141
SHA256: 5b2082d4e78f090ac854cf92f5b295f6e2d1a3ac9cd2054837868fbc5f56db74
SHA512: 9758ba53d6515fd1a561b1d524b765e69c9c7c6b9bc593761b21d582d7d74e21ab3ec22a689b6fdd6f91b92df1e527e3f973e8c25219091be70ea96e990df1c0

Filesize: 214KB
MD5: d20fef07db1e8a9290802e00d1d65064
SHA1: 71befda9256ed5b8cd8889f0eeab41c50d66e64e
SHA256: f9cb4624d03224bfce50c4c0e484418acd462c249f38b4684e72b27a1f30144d
SHA512: ad5b2c8df60027c6dd5104bb8c2357b04eb24d69245c607ff99a6f2a887f929428252ad793d9aaa8c903c7b1e1bf9653cd35f79747d5281e7e3d2c21fa828537

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 37a53fddf4ffcbf86920e22aac386bda
SHA1: 6070acdfdd7a5930dffd78d07b8e65d28b95d022
SHA256: ea55f70c9232de60f199598d8265e68d112b833116aff9c29244218f85fcb560
SHA512: 993268292705cd3584bd09d161baa955875835faac1405d46242742ae5c216a62306b05d65f33a5349038b66729f4f2b5a5bfc20debca1f3f5a440f79f7bc78a

Filesize: 392B
MD5: 4dd3287f37fa761e67f5df9f3050ed2c
SHA1: 7b84004dcf41c786ba5d6887fa9246956672e772
SHA256: 2f693a4758ca8e853cb491eb6d2996ab121ac16ab0c047f919d8705988ce4809
SHA512: 229d47f35e0e6f5f537314bdd0c26b5ddf3c56e4da2ac42a073c9cdb74d1b34b60c5f80ad46b8640af7afa1c4b3550bc6bde787eed6ee46931598c87a4b761ea

Filesize: 6KB
MD5: b2454d3da586a2f671e623cbfe793cd4
SHA1: 76c2edabd708c65efbff355cb27371745d8b3d8d
SHA256: 6f64f498cb66e7b959cb9d8ffcd1b935759085d929862e49e58965cba89d3968
SHA512: 771638c7491268678be0571d037480a2fae4685d11a67a62c7d2dad39d6019161469de926d4fba8dfd405e7d7973550072a4bbdcc34c56ffe3e79325377c6d45

Filesize: 5KB
MD5: cbdf699a62e5190f8d542989222f785e
SHA1: dfe8ae66a67ba26538b72ec3e3c65ee85116b257
SHA256: 5bdca3a9a7fd039d8917d40674d3cc590fd54c7744e8201b4e27656bd3f69392
SHA512: 9c89140abc0c33b14e814407d916cb73af16ae099176d523f197e6e39c648c57fd473fe24aaa1975580651b522f4a32632735ed176ecafac1c86ab44c279fdff

Filesize: 8KB
MD5: f36df7213c24085a7e772020f9d61edd
SHA1: cadd2e6c42729da39c9fa024b231f23d9ec93717
SHA256: 4b1c0add3aa60e21b0b6192674e6de45416904d13ecc83b1c2ab4ef746bf92be
SHA512: ddf76d54e54e16642f605a9745ba49ba8e0275115c1a4367749aeb57237289946b36bb3bec3345af96929cd9ed468eab37569f6accf6122f664820f78e13f8ab

Filesize: 6KB
MD5: b7d19d83f19582584d05477a04058657
SHA1: 3e55ef0ab63750c201b66cdd1bc91fd5114ce27f
SHA256: 23531636db35106666b5734e15c87c28ea490fa205c4c94720ef80a6c5db542d
SHA512: a2475959937a8f51edbc774ffcf09dc412cc65ac3f2d716abfe4e31aea7bae56968b80bd12d9382ee3f57ada6e70d5bac6f24497402865557f6588d1fe393aa9

Filesize: 8KB
MD5: 665eb43f1226a176c626cc78131b0e54
SHA1: ca0e7a408d7dbcd846295692ec9172ceda33a259
SHA256: 2e3582baaea9f79581650f5be0d3801a43aa81e74cc6cd192e77ae46bf6d83b6
SHA512: 9547d09f80930e3f04f64a4c34af4ab4e84925d14c644e2ab0842d34142c1890874505a70ab396575cf3ab31633b51ecdd15e2e5895ca1b32431cf80b6b72611

Filesize: 6KB
MD5: 6a8c8e2a074bbf0662a27cf5b77585c5
SHA1: 59db65d0546099c9e41b242e0f8939b76837970c
SHA256: d19aed571af7f0505d4d89ec5852a37cd0fcf4365aa59ac733d40eeaaef98994
SHA512: 94e6579481a04fcdc1ffa6359703872e65978c20c44bcf2e445bf4b4ada40de125df83bf727d0b4594b583616f8269a66caba27c42c207c408ccd879bc2fb010

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 477e7eb1be2e0ab8712306981e630a01
SHA1: 5db65cc0067e43afc1d8826f9930ecf1df86a363
SHA256: 5796c5510aa73ffcb51840b64b23a3f435b9b5fc1fe236c6ca6079060d34975a
SHA512: 931d595a3c94a3e4bab43ba6986288ce31e0606d35c240376bfcecf3347f8a6ffe2151a53f5c2aeda6c4ed1deaf9d8120bab955740830887a28785e608df938a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59b183.TMP
Filesize: 48B
MD5: 4aa22933555150ce7d03a04225025707
SHA1: 38b3c966c8233cf3750e10a6f082cc82478069ea
SHA256: 69e67bbe6015726b703b490372891572a75ceb95768edc802aaf1fb3bb114e5a
SHA512: fa4b24e66ea2a6f80d65c584a3fbda5917446e363d83245e670b44512cca3a75d253a851ce28efbca43785cc686543d0fcdfd4f2c7e5ae53d2818ed90e025fff

Filesize: 370B
MD5: dc12183023aae62df6b53b287a8324ee
SHA1: dc9c5f6eab052cad125ac786b7913098d19a6b64
SHA256: fda61b502911a398e571c5c28c9bd1a24a16f1b420cf85eb3544d0df87fe9692
SHA512: 8934e5ba9d4d8eaae5f7a9f0d7147b8e4b9a92be964a8a22e3a3bb52afcf06de846add40c7c6b36cc0e41b1e4ee27322e7ddc6b58812746d9994dbd1dbb717b0

Filesize: 1KB
MD5: d8cb0ebae84c34ba82ece4938c45ed22
SHA1: 21c67fa337a2ddc3dd0d0d7f73b9c0379c2ebbfa
SHA256: a71fcae0153a5ab0ebbfde0a1da83ffbf3d2f000e4e185897c67cd928b1e5b92
SHA512: caad2ae46001a7259fb5c35ffff94cda648c270b8a9734297f82791a4a7a4e805b728ac00bd4c0924abffb0e40f6d6b8ba0843b407ad1efc6e87ee4dacb6510f

Filesize: 203B
MD5: 49ddc48d338677aef326feb5d5ad940c
SHA1: 6130dbd9395d68f9a0fb9112b047d71dad5f7fc3
SHA256: 98fa9df3c274489b306c9601c5539f62dc0fa997e5f33cdc8c788b45a2d27ade
SHA512: da7c77f6f7af8a9ed5b166be2bf6a3fb9d76239da2b1d15f84dcbd9ee20938b01374a090865071172c1c13ac1dc562e9bfd988f25309b567dacaf7c1319b8be1

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 44f83a13a46a7d4934a055640c207103
SHA1: 31c115718e6898f63c6c79e91520045f88fe3e0c
SHA256: aefed64f728da79093d1b86386621ae85889ea672640f7fa5c382846d9cb676f
SHA512: f244f19ada8d5d446dac0d6f2d0d4cb35a0ea5adf3468b04774b89466ee688f11eb420523e7ea31bf8713a8365d2f97a05077654ef72f1837025877e3a527b86

Filesize: 12KB
MD5: 81b2087da71bec748af10976f8797a1c
SHA1: f365d20bec9fece6adbbcf7b21227e3c51c1c0c1
SHA256: cc8162a08588a78886e9f61bafc8fd31d7a202b84a41b374b227618547e2890e
SHA512: 72c9ebb95bec67df65901bdd671bf01212bae15b4fa21e829a37a4c46daeb75b08996cfa4cc4ef96f8932413ac72cc08ff0f16d08f84334335f80c2669c696fb

Filesize: 12KB
MD5: f7ebdeb822c7f6d9be216a530cdda77a
SHA1: 6872c2d3d4840e956e08312320909f203e010f09
SHA256: c445d1ab3182ceb9ced20b24cc90347f6883fbff3cd9412a5dc17004197216e9
SHA512: acdb4a56b2ddbd94963cea0c6ab345bdc89988efe00bc027284633c2ace032a22b1397f25df2279b5afb0cccd483096930868b729dd09c8709082918f5c3c223

Filesize: 10KB
MD5: be813bc8de8ef69d10c70d8b7ab89da8
SHA1: 32889cedc419ee1989852a85d5cbf4d7b3d0ec3c
SHA256: 0fee34291fa227946e6d05a8fbd79535e7206d19134c9f2c0e82c26d08cad0e5
SHA512: cea71421e54dfefcd25b5f8c8bc753c9225eff81512b2f9503f6a1ab3cf7631fbc2adea21963e810edc486f37afdd476243d09dbe7d6f1073340bc54071693df

Filesize: 12KB
MD5: 942fb670a1974f76b8242d530aa35ea6
SHA1: 05ea51799f31adda11fd70d84f96a4a5a072fe10
SHA256: 0fab98eab33a6d6d4b52fcc1baee751f3e77088cd3ecef8c681894a945eaf8e5
SHA512: fb18e9880c8f3aa95d3b713ce56d8ac5dd5b5b22be93056b94f9b3c393c9269bada2937acecdf4de4e96a0f27f37b05dc1154be0f6c274b5c95e19bf026a4d57
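Turning the dropped-file list into something a scanner can use means parsing the report's digest entries, which in the raw export glue the algorithm name to the hex value ("SHA1fbc49d...") and sometimes put "Filesize" and its value on separate lines. The parser below is an added example, not code from the report or from tria.ge: it accepts both the glued and the labelled ("MD5: ...") forms, rejects a value whose length does not fit its algorithm (the check that catches a label split in the wrong place), keeps the dropped-file path where the report gives one, and matches a byte buffer against the resulting set. The sample input is three entries copied from the list above in the raw exported form; `parse_hash_list`, `FileIOC`, `digests` and `find_matches` are this example's own names.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Hex length of each digest; used to validate entries and to catch a label that
# was split from its value in the wrong place.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# "MD56738f4..." (label glued to the value) and "MD5: 6738f4..." both match.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*:?\s*([0-9a-fA-F]+)$")
# "Filesize144B", "Filesize: 144B", or a bare "Filesize" with the value on the next line.
SIZE_RE = re.compile(r"^Filesize\s*:?\s*(\S+)?$")


@dataclass
class FileIOC:
    path: Optional[str]
    size: Optional[str]
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None
    sha512: Optional[str] = None

    def recorded(self) -> dict[str, str]:
        """Only the digests the report actually listed for this file."""
        return {a: getattr(self, a) for a in DIGEST_LEN if getattr(self, a)}


def parse_hash_list(text: str) -> list[FileIOC]:
    entries: list[FileIOC] = []
    cur: Optional[FileIOC] = None
    pending_path: Optional[str] = None
    size_on_next_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":            # empty bullets between entries
            continue
        m = SIZE_RE.match(line)
        if m:                                   # "Filesize" starts a new entry
            cur = FileIOC(path=pending_path, size=m.group(1))
            entries.append(cur)
            pending_path = None
            size_on_next_line = m.group(1) is None
            continue
        if size_on_next_line and cur is not None:
            cur.size = line
            size_on_next_line = False
            continue
        m = LABEL_RE.match(line)
        if m:
            if cur is None:
                raise ValueError(f"digest before any Filesize entry: {line!r}")
            algo, value = m.group(1).lower(), m.group(2).lower()
            if len(value) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} needs {DIGEST_LEN[algo]} hex chars, got {len(value)}: {line!r}")
            setattr(cur, algo, value)
            continue
        if "\\" in line or "/" in line:         # a dropped-file path introduces the entry that follows
            pending_path = line
        # anything else (section headings and the like) is ignored
    return entries


def digests(data: bytes) -> dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in DIGEST_LEN}


def find_matches(data: bytes, iocs: list[FileIOC]) -> list[FileIOC]:
    """IOCs whose every recorded digest agrees with data; an entry with no digests never matches."""
    actual = digests(data)
    return [ioc for ioc in iocs
            if ioc.recorded() and all(actual[a] == v for a, v in ioc.recorded().items())]


# Three entries copied from the list above, in the raw exported form.
SAMPLE = r"""
-
Filesize
152B
MD56738f4e2490ee5070d850bf03bf3efa5
SHA1fbc49d2dd145369e8861532e6ebf0bd56a0fe67c
SHA256ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab
SHA5122939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b
-
Filesize
1.7MB
MD50a15c52faa5db00f34c58fc505fc536d
SHA1f1b51b31512480995a0e595b09b8ba9bdebe56e7
SHA25608ba14ef5cc9e9104bafff2b39ad005f3fceeee97399c841f20c3438c1bc40ab
SHA5128aeafe9d3de2f235949ead3d3f30ac6dda0935c6567ddb7ceebacecfa5663dcb3f154a076a162f7ed0dba390e1170c2e4cf2b4c7ab4b3f0587ff3d7b2b9ec2d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD537a53fddf4ffcbf86920e22aac386bda
SHA16070acdfdd7a5930dffd78d07b8e65d28b95d022
SHA256ea55f70c9232de60f199598d8265e68d112b833116aff9c29244218f85fcb560
SHA512993268292705cd3584bd09d161baa955875835faac1405d46242742ae5c216a62306b05d65f33a5349038b66729f4f2b5a5bfc20debca1f3f5a440f79f7bc78a
"""

if __name__ == "__main__":
    for ioc in parse_hash_list(SAMPLE):
        print(ioc.size, ioc.path or "(path not in export)", ioc.sha256)
```

Because "SHA1" is not a prefix of "SHA512" or "SHA256", the glued label can be split unambiguously whatever hex digit follows it, so the length check is there to catch a truncated or over-long value in the export rather than a mis-split label. `find_matches` requires every digest the report lists to agree, so a collision on MD5 alone is not treated as a hit; to scan a file on disk, pass its bytes to `find_matches` together with the parsed list.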