Analysis
max time kernel: 99s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 00:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://disk.yandex.ru/d/myj542RouD_tfQ
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: https://disk.yandex.ru/d/myj542RouD_tfQ
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: https://disk.yandex.ru/d/myj542RouD_tfQ
  Resource: win11-20240426-en
General
Target: https://disk.yandex.ru/d/myj542RouD_tfQ

Malware Config
Extracted
Family: xworm
https://pastebin.com/raw/qrQPCaGK:1
Install_directory: %Temp%
install_file: USB.exe
pastebin_url: https://pastebin.com/raw/qrQPCaGK
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
resource: C:\Users\Admin\Desktop\Neverlose Crack.exe; yara_rule: family_xworm
resource: behavioral2/memory/532-267-0x0000000000ED0000-0x0000000000EE6000-memory.dmp; yara_rule: family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
PID 624: powershell.exe
PID 5632: powershell.exe
PID 2120: powershell.exe
PID 5472: powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation (process: Neverlose Crack.exe)

Drops startup file (2 IoCs)
Processes:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk (process: Neverlose Crack.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk (process: Neverlose Crack.exe)

Executes dropped EXE (3 IoCs)
Processes:
PID 532: Neverlose Crack.exe
PID 680: Neverlose Crack.exe
PID 5184: update

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\update" (process: Neverlose Crack.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Flow 133: ip-api.com

Drops file in Program Files directory (1 IoC)
Processes:
File created: C:\Program Files\7-Zip\Neverlose Crack.7z.tmp (process: 7zG.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)

Modifies registry class (2 IoCs)
Processes:
Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (process: msedge.exe)
Key created: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings (process: OpenWith.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (number of events in parentheses):
PID 1760: msedge.exe (2)
PID 2376: msedge.exe (2)
PID 4376: identity_helper.exe (2)
PID 4300: msedge.exe (2)
PID 624: powershell.exe (3)
PID 5632: powershell.exe (3)
PID 2120: powershell.exe (3)
PID 5472: powershell.exe (3)
PID 532: Neverlose Crack.exe (2)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
PID 3216: 7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes:
PID 2376: msedge.exe (8)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
Token SeRestorePrivilege: PID 3216 7zFM.exe
Token 35: PID 3216 7zFM.exe
Token SeRestorePrivilege: PID 1648 7zG.exe
Token 35: PID 1648 7zG.exe
Token SeSecurityPrivilege: PID 1648 7zG.exe (2)
Token SeSecurityPrivilege: PID 3216 7zFM.exe (2)
Token SeDebugPrivilege: PID 532 Neverlose Crack.exe
Token SeDebugPrivilege: PID 624 powershell.exe
Token SeDebugPrivilege: PID 5632 powershell.exe
Token SeDebugPrivilege: PID 2120 powershell.exe
Token SeDebugPrivilege: PID 5472 powershell.exe
Token SeDebugPrivilege: PID 532 Neverlose Crack.exe
Token SeDebugPrivilege: PID 680 Neverlose Crack.exe
Token SeDebugPrivilege: PID 5184 update

Suspicious use of FindShellTrayWindow (41 IoCs)
Processes:
PID 2376: msedge.exe (34)
PID 3216: 7zFM.exe (6)
PID 1648: 7zG.exe (1)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
PID 2376: msedge.exe (24)

Suspicious use of SetWindowsHookEx (22 IoCs)
Processes:
PID 5648: OpenWith.exe (21)
PID 532: Neverlose Crack.exe (1)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
All 64 events originate from PID 2376 (msedge.exe) and target its child msedge.exe processes: PID 5092 (2 events), PID 1760 (2 events), and PIDs 2680 and 1328 (the remaining 60 events).
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/myj542RouD_tfQ
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc002046f8,0x7ffc00204708,0x7ffc00204718
PID: 5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
PID: 2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
PID: 1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
PID: 5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
PID: 3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
PID: 1656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
PID: 5060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
PID: 1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
PID: 2560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
PID: 5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
PID: 6112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
PID: 4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4184486451259003627,4198062133859469323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1780 /prefetch:1
PID: 2624
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1460

C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1520

C:\Windows\system32\OpenWith.exe (level 1)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 5648

C:\Program Files\7-Zip\7zFM.exe (level 1)
Command line: "C:\Program Files\7-Zip\7zFM.exe"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 3216

C:\Program Files\7-Zip\7zG.exe (level 2)
Command line: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap27715:92:7zEvent24720 -ad -saa -- "C:\Program Files\7-Zip\Neverlose Crack"
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 1648

C:\Windows\System32\rundll32.exe (level 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2460
C:\Users\Admin\Desktop\Neverlose Crack.exe (level 1)
Command line: "C:\Users\Admin\Desktop\Neverlose Crack.exe"
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Neverlose Crack.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Neverlose Crack.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\update'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'update'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 5472

C:\Windows\System32\schtasks.exe (level 2)
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "update" /tr "C:\Users\Admin\AppData\Local\Temp\update"
- Creates scheduled task(s)
PID: 5888

C:\Users\Admin\Desktop\Neverlose Crack.exe (level 1)
Command line: "C:\Users\Admin\Desktop\Neverlose Crack.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 680

C:\Users\Admin\AppData\Local\Temp\update (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\update
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5184
Network
MITRE ATT&CK Enterprise v15
Downloads