Analysis
- max time kernel: 118s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/03/2024, 16:36
- Static task: static1
- URLScan task: urlscan1
Malware Config
Extracted
- Family: xworm
- C2: 18.ip.gl.ply.gg:7988
- Install_directory: %AppData%
- install_file: svchost.exe
Signatures
Detect Xworm Payload 3 IoCs

| resource | yara_rule |
|---|---|
| behavioral1/files/0x0009000000023286-305.dat | family_xworm |
| behavioral1/memory/436-313-0x0000000000F00000-0x0000000000F1C000-memory.dmp | family_xworm |
| behavioral1/memory/436-350-0x000000001BBE0000-0x000000001BBF0000-memory.dmp | family_xworm |
Executes dropped EXE 6 IoCs

| pid | Process |
|---|---|
| 436 | XBN.exe |
| 872 | XBN.exe |
| 5000 | XBN.exe |
| 5532 | XBN.exe |
| 5620 | XBN.exe |
| 5704 | XBN.exe |
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 181 | ip-api.com |
| 195 | ip-api.com |
Enumerates system info in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
Modifies registry class 2 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | msedge.exe |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | 7zFM.exe |
Suspicious behavior: EnumeratesProcesses 22 IoCs

| pid | Process |
|---|---|
| 5072 | msedge.exe |
| 5072 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 432 | identity_helper.exe |
| 432 | identity_helper.exe |
| 1620 | msedge.exe |
| 1620 | msedge.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

| pid | Process |
|---|---|
| 4132 | 7zFM.exe |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

| pid | Process |
|---|---|
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
Suspicious use of AdjustPrivilegeToken 15 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeRestorePrivilege | 4132 | 7zFM.exe |
| Token: 35 | 4132 | 7zFM.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 436 | XBN.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 872 | XBN.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 5000 | XBN.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 5532 | XBN.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 5620 | XBN.exe |
| Token: SeSecurityPrivilege | 4132 | 7zFM.exe |
| Token: SeDebugPrivilege | 5704 | XBN.exe |
Suspicious use of FindShellTrayWindow 42 IoCs

| pid | Process |
|---|---|
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 3528 | msedge.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
| 4132 | 7zFM.exe |
Suspicious use of SendNotifyMessage 24 IoCs

| pid | Process |
|---|---|
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
| 3528 | msedge.exe |
Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3528 wrote to memory of 3212 | 3528 | msedge.exe | 85 |
| PID 3528 wrote to memory of 3212 | 3528 | msedge.exe | 85 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 3720 | 3528 | msedge.exe | 87 |
| PID 3528 wrote to memory of 5072 | 3528 | msedge.exe | 88 |
| PID 3528 wrote to memory of 5072 | 3528 | msedge.exe | 88 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
| PID 3528 wrote to memory of 4848 | 3528 | msedge.exe | 89 |
Processes

PID 3528: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/CdMh
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    PID 3212 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe83246f8,0x7fffe8324708,0x7fffe8324718

    PID 3720 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

    PID 5072 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

    PID 4848 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

    PID 4988 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    PID 632 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

    PID 4860 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1

    PID 4776 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1

    PID 4344 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

    PID 4312 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

    PID 4728 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

    PID 4608 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8

    PID 432 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

    PID 2140 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

    PID 1788 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

    PID 2564 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

    PID 804 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

    PID 4860 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

    PID 1072 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

    PID 2956 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1

    PID 3396 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

    PID 4592 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8

    PID 804 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1

    PID 1620 (child of 3528): "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,18194850904988275985,15820720188272233967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

PID 1848: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4960: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1056: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 4132: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Roblox Cheat.zip"
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

    PID 1056 (child of 4132): "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO420965F7\Пароль.txt

    PID 436 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO42006F18\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    PID 872 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO4203A718\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    PID 5000 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO42065318\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    PID 5532 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO420F72F8\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    PID 5620 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO4200BFE8\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    PID 5704 (child of 4132): "C:\Users\Admin\AppData\Local\Temp\7zO420EDAE8\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads