Analysis
max time kernel: 70s
max time network: 67s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/03/2024, 18:26
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted: xworm
  18.ip.gl.ply.gg:7988
  Install_directory: %AppData%
  install_file: svchost.exe
Signatures
Detect Xworm Payload (2 IoCs)
- resource: behavioral1/files/0x000700000002326a-278.dat; yara_rule: family_xworm
- resource: behavioral1/memory/5136-286-0x0000000000FC0000-0x0000000000FDC000-memory.dmp; yara_rule: family_xworm
Executes dropped EXE (2 IoCs)
- pid 5136, XBN.exe
- pid 5832, XBN.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 187; ioc: ip-api.com
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (28 IoCs)
- pid 1424, msedge.exe (2 entries)
- pid 4108, msedge.exe (2 entries)
- pid 3004, identity_helper.exe (2 entries)
- pid 5016, msedge.exe (2 entries)
- pid 4820, 7zFM.exe (2 entries)
- pid 6044, taskmgr.exe (18 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 4820, 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
- pid 4108, msedge.exe (16 entries)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
- Token: SeRestorePrivilege; pid 4820, 7zFM.exe
- Token: 35; pid 4820, 7zFM.exe
- Token: SeSecurityPrivilege; pid 4820, 7zFM.exe
- Token: SeDebugPrivilege; pid 5136, XBN.exe
- Token: SeSecurityPrivilege; pid 4820, 7zFM.exe
- Token: SeDebugPrivilege; pid 5832, XBN.exe
- Token: SeDebugPrivilege; pid 6044, taskmgr.exe
- Token: SeSystemProfilePrivilege; pid 6044, taskmgr.exe
- Token: SeCreateGlobalPrivilege; pid 6044, taskmgr.exe
- Token: 33; pid 6044, taskmgr.exe
- Token: SeIncBasePriorityPrivilege; pid 6044, taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs; repeated rows collapsed to distinct pid/process pairs)
- pid 4108, msedge.exe
- pid 4820, 7zFM.exe
- pid 6044, taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs; repeated rows collapsed to distinct pid/process pairs)
- pid 4108, msedge.exe
- pid 6044, taskmgr.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed to distinct source/target pairs)
- PID 4108 (msedge.exe) wrote to memory of 5036; procid_target 85
- PID 4108 (msedge.exe) wrote to memory of 1788; procid_target 86
- PID 4108 (msedge.exe) wrote to memory of 1424; procid_target 87
- PID 4108 (msedge.exe) wrote to memory of 4164; procid_target 88
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.name/d/CdMh
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4108
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe87b846f8,0x7ffe87b84708,0x7ffe87b84718
    PID: 5036
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2292 /prefetch:2
    PID: 1788
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1424
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
    PID: 4164
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 3708
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    PID: 2716
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    PID: 3976
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    PID: 4796
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    PID: 1160
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
    PID: 3064
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
    PID: 4860
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
    PID: 556
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3004
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
    PID: 1720
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    PID: 4884
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
    PID: 4616
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    PID: 2060
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4976 /prefetch:8
    PID: 4852
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
    PID: 1780
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 5016
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
    PID: 5260
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
    PID: 5268
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    PID: 5464
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,3098676957612257811,9236405983099070331,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
    PID: 5472
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4564
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1780
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1360
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Roblox Cheat.zip"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4820
  - C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4D2EF197\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 5136
  - C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4D20A8E7\XBN.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 5832
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 6044
Downloads
- Filesize: 1KB
  MD5: 55540a230bdab55187a841cfe1aa1545
  SHA1: 363e4734f757bdeb89868efe94907774a327695e
  SHA256: d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
  SHA512: c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
  Filesize: 230B
  MD5: 1d7bb1b8937ccf663be159f37f090c7a
  SHA1: fe58b4cb6ccb142085ce67080c2192ccb72704ff
  SHA256: b8cabb97c709d9bd08aa1332efa0d66aa4f30bfbf810dbe1416aa5341113ca2d
  SHA512: 93e0a90115111bee07619e5fb1f52b8248c02df97faa07aea956e132a701bcb753936d0a8895365715c97199d06bd18e5997d65a746af6f3bedde17d625ca846
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 330B
  MD5: 3ffd66c254b5d99807b20818007fca1e
  SHA1: 8bbb38a132effaa857f46548b5a6a0e9b27c1347
  SHA256: 693028265604cc39d21108d0cff926ac515c74052c44184038e82582a7d23512
  SHA512: eba656c6be7857c80a11fa562b370d5a2503e60f23953b3e4bd8df4206bf2d3e7cf1781632f06b2ba691df8b51c3020ae7ba1fd10112cc4b6f4a32d196ba65dc
- Filesize: 152B
  MD5: 9ffb5f81e8eccd0963c46cbfea1abc20
  SHA1: a02a610afd3543de215565bc488a4343bb5c1a59
  SHA256: 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
  SHA512: 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597
- Filesize: 152B
  MD5: e1b45169ebca0dceadb0f45697799d62
  SHA1: 803604277318898e6f5c6fb92270ca83b5609cd5
  SHA256: 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
  SHA512: 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 888B
  MD5: efbe1bab796e62503361ebb78e9848f9
  SHA1: 8cbfed38f621526cbb91fd1fd55a61cb69e0f07f
  SHA256: 8207ac0b2998d7068c2a6718d3c047e9a908c2c0616256e26b8ec81f5070ae19
  SHA512: 33e680a75fad4b4b826e47abad1d0eb83290ccfddc8ac1909f593a3a606fd64b73e257ad12a7e966ad1bb272ba6bead8bd31d56e70547d793e686e879fae0044
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\MANIFEST-000001
  Filesize: 23B
  MD5: 3fd11ff447c1ee23538dc4d9724427a3
  SHA1: 1335e6f71cc4e3cf7025233523b4760f8893e9c9
  SHA256: 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
  SHA512: 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
- Filesize: 2KB
  MD5: aca6534452552b5226e0f57b38a57454
  SHA1: 5ccb5f981db513e555a988f6ef05d85ea3d11e20
  SHA256: 848f3b0ac29943991016c85cc4584a48c806cb19f834005f50eacd182604ba2d
  SHA512: aeda58d361cd51a0e92f676ba55188400b18e8fe3e6f20ea97fc8cd4219b388fe3b5c6f3b599e642328042c90b9fbda1979895a031540f835285370d8f785baa
- Filesize: 6KB
  MD5: 5f987a45e6af5707a8abf374aa6a6706
  SHA1: b3c415b46a87928af07e58ebe5e9644b7aef2a3a
  SHA256: c563adac0a59e2a276ee426ff9ee44cafc9ca80f0602ae00fe0319fb3280e803
  SHA512: 63ae2b64b012631602385f6b2fc53bbacec031380bc2931bd749a7cacd74bff9c4abc443cfc70fcfdf0d2dc6302dfe34c2f2f6bd4b50129c794b0c5055c2e57c
- Filesize: 8KB
  MD5: f8c80551a068d6e6f05c462163e5e346
  SHA1: 58af6e2d9cd42d2380097f7f9ecd3715c5ab01e5
  SHA256: 1401fbf501895fdb1c271132c8ed7a20698e271b2fcb52ce30538c7faf8313b3
  SHA512: 390998cea0962bcc60c56e60836d5908ac1246bbabaa5065d714be17527660a14a858b322444437d4de0fc6a28920fd8383e5f1652e10dcb0354cfa2c76117b3
- Filesize: 8KB
  MD5: 78290e85013cadc458c989554b991d67
  SHA1: 836c85a43aecaf0a26179f76ce5315111a432eb6
  SHA256: e63dffee595174c1e34153545da37f271b3358ebbe041a47623ac07af0bcde30
  SHA512: 46d53a84b0165a553e1b91ab4b9497a6610d3c65235f82c32429cfd8e4be3f5fd0ff85c720b3727da4c4487a2ffce67efd7aa5f39a10c7f8ef1ef6ede80598a8
- Filesize: 8KB
  MD5: b66bc2c64731c7b5088b0e93bfc97e38
  SHA1: ddb12d6306bfdc4b552ee3ad91f07ab8e33d7f2b
  SHA256: 18536f7f2671bad2dc189a93225cb2fd809ada27f8a0d5d3171041644df2dd88
  SHA512: 0bddf9613407fa690a3b2172cf0418243f31e23f06b4f11c53de677b55f91660313d9130961037bedb40b8b84d7915490dedb151166c088c57b99daf75385205
- Filesize: 2KB
  MD5: ba57868e54fcdbf08e284ad5aab72ba8
  SHA1: d8a9251c1ba980194bb7ed3af7ebc3a6fc1c46bc
  SHA256: 9f8d7f6df1155ecc1777eb2d747eea5af82ae668d79ba074d6123efc087476c7
  SHA512: 28144f9b31544b51bdcac1420fcf9aeb901cad3f76373e74f89086876a3bba105fe948b6b36324c33fce2097f16b0c37727b177a52cdb2a71b4da44d1ed74ae7
- Filesize: 2KB
  MD5: 99bfcd2e056bde08c8b9ffd60d8b54f5
  SHA1: fb6bbbe65b6c3394ec92743a81b88c20770c23b6
  SHA256: 1abbeb4e261b7ac785f9d98df9cd854bafaa85880fa0b512c486578476e885d0
  SHA512: f1e603682bdc1883c01e1b7a3ed9a12e91020b855a82fbc13f4a8c93ba716a889c308b7c75faf14f5ce2745ed2e99a7622c6625aed3212e2ace10fdc808c662d
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: ef52287eb9de246dc913748d5adbe95c
  SHA1: f5925702559d00a1b826dc0bb828d828bd408bf3
  SHA256: 2f6f139644f198906bffca6bcdb7db8fee4dc56fa9bd2aac1f44defe11be7c51
  SHA512: f449e4010dfaec16f1288cae06c7d6d5b56b78d87ccb575df0a6c4b3c1d9ad92baa89e967c7a3174c307362fd3429ec90256f1fe90ec82f623ac9365d50d3b47
- Filesize: 11KB
  MD5: 11f33e5bdac8b08b564e71ac57322d24
  SHA1: 680cc3bb83952a70f041b921fa54e62a3376a8c5
  SHA256: af44a592b93c6d5a49825b3bd097b6ad7fead4b1a856b8ad4a1bbb6780a1583f
  SHA512: c88f0178b6488ec90b82bfc5355dc5e849d0d3ad974a4569ee82ecefb83bc9fb40d8201328b4aab9e503871cdbd7d34d480aff7a86687cccc9fe81b272300a0f
- Filesize: 11KB
  MD5: 0305f6f21c01f9adf4a854f2179ff484
  SHA1: c3290b0c3839b4913b4037af60b870461e1f9703
  SHA256: 0065c9a8558ce5df13aab25743fff7d6de581d83150de9dadae39b97ee675c71
  SHA512: 84b1f9df483d62d55b06501568ced9f2b910770562e7b06ab54ebc57887ef0c72c87a61aab79800871c82c67dd01d4c88d4ca76b56839b9251a316fc710acf85
- Filesize: 86KB
  MD5: 7d2f209505446a983e351cc4ae9065ff
  SHA1: f180d9f5704bd01d0d9498ad6f6ec4bff7565c65
  SHA256: dab6c1af2a7c4dc1ea1b4b163b1e53657502cb347df28e265874b635aaa49f3e
  SHA512: ead7917c923f1c639443ce09efa4ffe3e0a400184bc57a4d693cdb804d2612badc4cc8c6b8edda97a1b857534b30dfdd59bf886676bea68801fc155187fcc45f
- Filesize: 8.3MB
  MD5: 6a9a5f31a96c20e85e22cb045776980a
  SHA1: 3cb2fdce732325762042d825f17aec7cfd848977
  SHA256: 77bff8fca26c5ead9ceae8825a168ce9d20da3a3bc2559d18fec0924ed89dc62
  SHA512: 1002193605d184936ad75df4198ad6d79b52c2be38c215d2ae8eb1033c700e4bb655a9507ab6492fe995b4ab1094f2bf46dd58e4551dcd05d0ec708a2ed7f534