Analysis

max time kernel:  141s
max time network: 144s
platform:         windows10-2004_x64
resource:         win10v2004-20250217-en
resource tags:    arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system
submitted:        01/03/2025, 01:08

Static task:  static1
URLScan task: urlscan1
Malware Config

Extracted

Family: xworm
C2:
  127.0.0.1:33418
  iraq-ny.gl.at.ply.gg:33418
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Detect Xworm Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/files/0x0008000000023d37-141.dat                                 family_xworm
  behavioral1/memory/756-143-0x0000000000A80000-0x0000000000A98000-memory.dmp  family_xworm

Xworm family

Executes dropped EXE (2 IoCs)
  pid   Process
  756   Meth.exe
  5548  Meth.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  81    ip-api.com
  96    ip-api.com

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs; repeated rows collapsed)
  pid   Process              count
  1588  msedge.exe           2
  3984  msedge.exe           2
  2612  identity_helper.exe  2
  2672  msedge.exe           2
  2020  msedge.exe           2
  2892  msedge.exe           2
  212   msedge.exe           4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs; repeated rows collapsed)
  pid   Process     count
  3984  msedge.exe  12

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                pid   Process
  Token: SeRestorePrivilege  4840  7zG.exe
  Token: 35                  4840  7zG.exe
  Token: SeSecurityPrivilege 4840  7zG.exe
  Token: SeSecurityPrivilege 4840  7zG.exe
  Token: SeDebugPrivilege    756   Meth.exe
  Token: SeDebugPrivilege    5548  Meth.exe

Suspicious use of FindShellTrayWindow (42 IoCs; repeated rows collapsed)
  pid   Process     count
  3984  msedge.exe  41
  4840  7zG.exe     1

Suspicious use of SendNotifyMessage (24 IoCs; repeated rows collapsed)
  pid   Process     count
  3984  msedge.exe  24

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed)
  description                       pid   Process     procid_target
  PID 3984 wrote to memory of 1672  3984  msedge.exe  84   (2 entries)
  PID 3984 wrote to memory of 380   3984  msedge.exe  85   (repeated)
  PID 3984 wrote to memory of 1588  3984  msedge.exe  86   (2 entries)
  PID 3984 wrote to memory of 1700  3984  msedge.exe  87   (repeated)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  PID: 3984
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/wkL0Vs
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1672
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff678e46f8,0x7fff678e4708,0x7fff678e4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 380
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1588
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1700
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 2228
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 4964
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1372
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      PID: 1016
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      PID: 2612
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1504
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 4516
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 5112
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 5056
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 1812
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 3480
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5580 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 4472
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 4644
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 2672
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 3864
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 3748
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 2020
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 212
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11797694470823582250,17671481574596243287,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  PID: 1152
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  PID: 4876
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  PID: 4304
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  PID: 4840
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19226:78:7zEvent27991
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Downloads\Meth.exe
  PID: 756
  "C:\Users\Admin\Downloads\Meth.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  PID: 3624
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4010a250h5757h4f3chadb1hb1c742a48410

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 2916
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff678e46f8,0x7fff678e4708,0x7fff678e4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 3412
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,17423246744902375004,1091843670404268919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      PID: 2892
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,17423246744902375004,1091843670404268919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\Meth.exe
  PID: 5548
  "C:\Users\Admin\Downloads\Meth.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5:      25f87986bcd72dd045d9b8618fb48592
SHA1:     c2d9b4ec955b8840027ff6fd6c1f636578fef7b5
SHA256:   d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c
SHA512:   0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Filesize: 152B
MD5:      4114bff967842ae3e2aa29e9f5301f2e
SHA1:     bd91eb58d577ed4f2425443ad1695740e06cccec
SHA256:   45f10159373242f55ce2d849146c2639d9eb5216a517041c8cb315694193ccf9
SHA512:   560152c18692bffdbc354ba64917171ac4ed93ddd8855b1831605f5f6cc0d4647e0203e9dbd150025016c7b0081f422d5f33e9374250c03bbdc6021de8008cf9

Filesize: 152B
MD5:      94bd9c36e88be77b106069e32ac8d934
SHA1:     32bd157b84cde4eaf93360112d707056fc5b0b86
SHA256:   8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27
SHA512:   7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5:      be67eea737268ed7fde7c4acf1b93964
SHA1:     ad119f989aefcc3cd4eb99758b1c784b3b61100f
SHA256:   76bc15bbb8917569d47cb11f3db655d269be61fb60634f0bc37bff2a07cbeaff
SHA512:   83480d1c39001680546c09d3e8eed359e0177b42b81571df82df54659ce6caae24121c925e6abb5b20e09266f76b19eca7dbde011292f52131d4c7c56d3d9c37

Filesize: 391B
MD5:      5c859d9288a60d235b3cad2c36ab5670
SHA1:     e51cad875defee4028accce6de5bde1b6ca94dc6
SHA256:   3f28f1593628cfb46518b9252683e3a8b0bfb921021be4c6ae413f114ccbb517
SHA512:   24c6cc4268ceff420cc3026217c35566680a05e584498278e7c479a03cf55f8461135c607a849600a117e1d59719e7eb6e289087575689556d90ca0a9671ea8e

Filesize: 6KB
MD5:      e8532e0899e005af45edd8ac4fae52cf
SHA1:     0f0ba554cc9d595fd7b0342c1415ef2042f491cf
SHA256:   5aca31af8aecdd7a14a08b855dce3974d82b437372f68084716f53e369d9e424
SHA512:   f5ab1e0b1935547e4da20f654be0696f4a7ac735ddaeece157eef1d3f3933d466fd4a94600d4403a1294db07d0858a8b9e20510e893d007e9173b17438b6fbf8

Filesize: 5KB
MD5:      bdb5794d82f79af26cf8d680e148aa1c
SHA1:     82e58a39751fd579cf93d9fd4118bb8837b7248e
SHA256:   1e0a8077b2cf6f40520ba948e07a65191a77c51bd8f7239c13612661f2ef8997
SHA512:   75532a35d6b26b78fcff122aa36bb32d78352bf9403adabefb091bd15b3c2f6f64618d6f3ff5d66f10d22a72734bafb686b6ae4ced7cb326598c71ca5ba0ab59

Filesize: 6KB
MD5:      127b9928a785198150268fa996d39165
SHA1:     26a6677b0c919a1f13109f75ede715cdf01eb354
SHA256:   79fa4c7f52a893a7e240e04538ba7639b03bebd7cd95f4e46e3fcb604b7355a1
SHA512:   708653dc213e35c59ba9d9ad044b5cc0fd2468482da675b08cd38ad879081b89167227919963df577ef3e6ae7c8c540dc8beeeabb0520b630c6d83bde58adeed

Filesize: 16B
MD5:      206702161f94c5cd39fadd03f4014d98
SHA1:     bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256:   1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512:   0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5:      46295cac801e5d4857d09837238a6394
SHA1:     44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256:   0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512:   8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 12KB
MD5:      1028ad028bc0af737b207485272eaac9
SHA1:     c8af7123a452279567205ff76ccf1809db4a381c
SHA256:   05acce002e5abfcd9e0a12eaa85c73fc417d30e4d32b5f14ba3d758aa30102bf
SHA512:   5526189a268d155e3d6c51b36959319e5ba45d295e66ebe2dd7fef92f0fb59833422566e1e24b4006a19a247da8bc6b213c84480361ac77038ae1a0273c14445

Filesize: 11KB
MD5:      fcde5b6376a8089b31246b4717563720
SHA1:     54877527a2a889704c1a7d75a27ce25d379524ac
SHA256:   0065ba9fabcd3c6aa37e3141d3cf7ce77632acb216daa8079f591f547f7e6fe0
SHA512:   6b99d4f614aa2d9451f6fccf4acdb2ca98a69b7f31387edc42005d538bc30b809f1e7c514a8831896f049a2cdb9f712e485ffb98bbca6c3f52f34d9b57740940

Filesize: 11KB
MD5:      ae93aebb1371929da2d1cd1e150a3b9c
SHA1:     219b4bc69b6ee929ebfcd3b0505f812965174484
SHA256:   0d12c9e5d733bdb116b74f8077331dded8758e0cf136e77e52a76e3dd82c4ab6
SHA512:   e20368411650981fff4fd8245aea0ea93a52b985a9a6e251ecc72922b8d3c3e5594e30a35ae93625ea6bada9cd8455cda45c823efb57819104aad25d63e15fe6

Filesize: 72KB
MD5:      30b8b59c17599244ea125aa16147a6a1
SHA1:     e6a32c14113a73a58d27b1fc086e7064418e3881
SHA256:   282baa06b0ca40b5d5f3e323ffd5c2240b9e529d90d85507020569a05eae7634
SHA512:   2cf8a9eadee5b9ede7f853b131abe5569bf795efe26bc7182ba3c6402a3447cce87f964eeb417a27190d9a0acd16ef4829e5653339b90a854288742e881ab8e8

Filesize: 42KB
MD5:      2e75b15f1dae14074ede701cad8202f8
SHA1:     da2c91d84b2fb593f62969072e6f7b483a19bf70
SHA256:   a4991fc541c13766d9d17bd7da849750b92112e4d9f194e3f410b8ea808270bc
SHA512:   161e905557dcfa19a655d3c5ee4e32ea31d733c1e5f9ce80c2b21c1d7f1094c030f3eede4b5fb17fbfc11f368963c566add12096f238ad83ceba25c43ee96a8c