xworm | hxxps://gofile[.]io/d/wkL0Vs

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/wkL0Vs

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:33418

iraq-ny.gl.at.ply.gg:33418

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023d37-141.dat	family_xworm
behavioral1/memory/756-143-0x0000000000A80000-0x0000000000A98000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
756	Meth.exe
5548	Meth.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	ip-api.com
96	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1588	msedge.exe
1588	msedge.exe
3984	msedge.exe
3984	msedge.exe
2612	identity_helper.exe
2612	identity_helper.exe
2672	msedge.exe
2672	msedge.exe
2020	msedge.exe
2020	msedge.exe
2892	msedge.exe
2892	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe
212	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4840	7zG.exe
Token: 35	4840	7zG.exe
Token: SeSecurityPrivilege	4840	7zG.exe
Token: SeSecurityPrivilege	4840	7zG.exe
Token: SeDebugPrivilege	756	Meth.exe
Token: SeDebugPrivilege	5548	Meth.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
4840	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1672	3984	msedge.exe	84
PID 3984 wrote to memory of 1672	3984	msedge.exe	84
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 380	3984	msedge.exe	85
PID 3984 wrote to memory of 1588	3984	msedge.exe	86
PID 3984 wrote to memory of 1588	3984	msedge.exe	86
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87
PID 3984 wrote to memory of 1700	3984	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/wkL0Vs
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff678e46f8,0x7fff678e4708,0x7fff678e4718
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19226:78:7zEvent27991
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4840

C:\Users\Admin\Downloads\Meth.exe
"C:\Users\Admin\Downloads\Meth.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4010a250h5757h4f3chadb1hb1c742a48410
1⤵
PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff678e46f8,0x7fff678e4708,0x7fff678e4718
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,17423246744902375004,1091843670404268919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,17423246744902375004,1091843670404268919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892

C:\Users\Admin\Downloads\Meth.exe
"C:\Users\Admin\Downloads\Meth.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4114bff967842ae3e2aa29e9f5301f2e

SHA1
bd91eb58d577ed4f2425443ad1695740e06cccec

SHA256
45f10159373242f55ce2d849146c2639d9eb5216a517041c8cb315694193ccf9

SHA512
560152c18692bffdbc354ba64917171ac4ed93ddd8855b1831605f5f6cc0d4647e0203e9dbd150025016c7b0081f422d5f33e9374250c03bbdc6021de8008cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
be67eea737268ed7fde7c4acf1b93964

SHA1
ad119f989aefcc3cd4eb99758b1c784b3b61100f

SHA256
76bc15bbb8917569d47cb11f3db655d269be61fb60634f0bc37bff2a07cbeaff

SHA512
83480d1c39001680546c09d3e8eed359e0177b42b81571df82df54659ce6caae24121c925e6abb5b20e09266f76b19eca7dbde011292f52131d4c7c56d3d9c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5c859d9288a60d235b3cad2c36ab5670

SHA1
e51cad875defee4028accce6de5bde1b6ca94dc6

SHA256
3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517

SHA512
24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8532e0899e005af45edd8ac4fae52cf

SHA1
0f0ba554cc9d595fd7b0342c1415ef2042f491cf

SHA256
5aca31af8aecdd7a14a08b855dce3974d82b437372f68084716f53e369d9e424

SHA512
f5ab1e0b1935547e4da20f654be0696f4a7ac735ddaeece157eef1d3f3933d466fd4a94600d4403a1294db07d0858a8b9e20510e893d007e9173b17438b6fbf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bdb5794d82f79af26cf8d680e148aa1c

SHA1
82e58a39751fd579cf93d9fd4118bb8837b7248e

SHA256
1e0a8077b2cf6f40520ba948e07a65191a77c51bd8f7239c13612661f2ef8997

SHA512
75532a35d6b26b78fcff122aa36bb32d78352bf9403adabefb091bd15b3c2f6f64618d6f3ff5d66f10d22a72734bafb686b6ae4ced7cb326598c71ca5ba0ab59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
127b9928a785198150268fa996d39165

SHA1
26a6677b0c919a1f13109f75ede715cdf01eb354

SHA256
79fa4c7f52a893a7e240e04538ba7639b03bebd7cd95f4e46e3fcb604b7355a1

SHA512
708653dc213e35c59ba9d9ad044b5cc0fd2468482da675b08cd38ad879081b89167227919963df577ef3e6ae7c8c540dc8beeeabb0520b630c6d83bde58adeed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1028ad028bc0af737b207485272eaac9

SHA1
c8af7123a452279567205ff76ccf1809db4a381c

SHA256
05acce002e5abfcd9e0a12eaa85c73fc417d30e4d32b5f14ba3d758aa30102bf

SHA512
5526189a268d155e3d6c51b36959319e5ba45d295e66ebe2dd7fef92f0fb59833422566e1e24b4006a19a247da8bc6b213c84480361ac77038ae1a0273c14445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fcde5b6376a8089b31246b4717563720

SHA1
54877527a2a889704c1a7d75a27ce25d379524ac

SHA256
0065ba9fabcd3c6aa37e3141d3cf7ce77632acb216daa8079f591f547f7e6fe0

SHA512
6b99d4f614aa2d9451f6fccf4acdb2ca98a69b7f31387edc42005d538bc30b809f1e7c514a8831896f049a2cdb9f712e485ffb98bbca6c3f52f34d9b57740940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae93aebb1371929da2d1cd1e150a3b9c

SHA1
219b4bc69b6ee929ebfcd3b0505f812965174484

SHA256
0d12c9e5d733bdb116b74f8077331dded8758e0cf136e77e52a76e3dd82c4ab6

SHA512
e20368411650981fff4fd8245aea0ea93a52b985a9a6e251ecc72922b8d3c3e5594e30a35ae93625ea6bada9cd8455cda45c823efb57819104aad25d63e15fe6

Download Submit
C:\Users\Admin\Downloads\Meth.exe

Filesize
72KB

MD5
30b8b59c17599244ea125aa16147a6a1

SHA1
e6a32c14113a73a58d27b1fc086e7064418e3881

SHA256
282baa06b0ca40b5d5f3e323ffd5c2240b9e529d90d85507020569a05eae7634

SHA512
2cf8a9eadee5b9ede7f853b131abe5569bf795efe26bc7182ba3c6402a3447cce87f964eeb417a27190d9a0acd16ef4829e5653339b90a854288742e881ab8e8

Download Submit
C:\Users\Admin\Downloads\Meth.rar

Filesize
42KB

MD5
2e75b15f1dae14074ede701cad8202f8

SHA1
da2c91d84b2fb593f62969072e6f7b483a19bf70

SHA256
a4991fc541c13766d9d17bd7da849750b92112e4d9f194e3f410b8ea808270bc

SHA512
161e905557dcfa19a655d3c5ee4e32ea31d733c1e5f9ce80c2b21c1d7f1094c030f3eede4b5fb17fbfc11f368963c566add12096f238ad83ceba25c43ee96a8c

Download Submit
memory/756-143-0x0000000000A80000-0x0000000000A98000-memory.dmp

Filesize
96KB

Download