Analysis
-
max time kernel
615s -
max time network
622s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 16:34
Errors
General
-
Target
RobloxCheat.exe
-
Size
61KB
-
MD5
1173330bc76af605137db64a6377f523
-
SHA1
09713c6e32cc1304dcb40604a1695d7830ceffe3
-
SHA256
f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7
-
SHA512
57baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24
-
SSDEEP
1536:oHdD3qptlFkbr9H8pV2Vi6lMVOElJJuJXc:Kxq3kbrx8pMVeOElJcJM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 33 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 29 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe"C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RobloxCheat.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RobloxCheat.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\schsvu.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c start cmd3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd4⤵
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mxsldb.bat" "2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvrclu.bat" "2⤵
-
C:\Windows\system32\taskkill.exetaskkill /im explorer.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
C:\Windows\system32\cmd.execmd3⤵
-
-
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 02⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1032,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:81⤵
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.0.503611068\1973945199" -parentBuildID 20230214051806 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d41a1d87-c955-43df-bd2d-fa29d50753e0} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 1880 28e7fe08058 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.1.745794337\1573520733" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3edd05c2-2560-4589-8072-57c9d9cd0a27} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 2432 28e0356bd58 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.2.1047876611\938270731" -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2952 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fd8f077-3ab4-417f-871b-b57649ba8266} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 2968 28e05e0c458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.3.320946451\729401568" -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3632 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01367b8b-fc72-4ab5-8f79-18d74d7f5c83} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 3664 28e08377a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.4.1782027154\2006954396" -childID 3 -isForBrowser -prefsHandle 5136 -prefMapHandle 5092 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b48207d-ba18-4392-92b4-c588d5911b2e} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5132 28e09ede058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.5.1966947657\299799723" -childID 4 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8103d0bd-460f-47c7-a016-f2b0587764e3} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5280 28e09edf258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.6.1175810372\1844528047" -childID 5 -isForBrowser -prefsHandle 5564 -prefMapHandle 5560 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7bbc4aa-1a08-4776-a40a-3495c8d947de} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5572 28e0a5abb58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.7.1726157364\647273771" -childID 6 -isForBrowser -prefsHandle 5872 -prefMapHandle 5868 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36b0069-7670-4dde-8060-2b37553bf7f4} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5832 28e0bb39e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.8.1211395687\363577610" -childID 7 -isForBrowser -prefsHandle 5980 -prefMapHandle 5988 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d08978e-82cc-48fc-ac38-304dd77f10a6} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 5972 28e0bb3c258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.9.1564196401\1115218540" -parentBuildID 20230214051806 -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27776 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fa9795d-94a7-40ab-a63f-b48d7611ac76} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 6292 28e0be5be58 rdd3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.10.1396310755\950038227" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6324 -prefMapHandle 6320 -prefsLen 27776 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee041544-17b2-411a-8c2e-071f1e252bb8} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 6332 28e0beb2558 utility3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4292.11.480808880\309884120" -childID 8 -isForBrowser -prefsHandle 6784 -prefMapHandle 6792 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1284 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {da061409-beee-4967-a4ad-f56f4819368d} 4292 "\\.\pipe\gecko-crash-server-pipe.4292" 6804 28e0c349258 tab3⤵
-
-
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4728 /prefetch:81⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svchost.exeC:\ProgramData\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa389d055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD51173330bc76af605137db64a6377f523
SHA109713c6e32cc1304dcb40604a1695d7830ceffe3
SHA256f9893dff26df005089614d3b3f3de8b9a9b1a67cd2081345c1973f420350eac7
SHA51257baf32951fb5f23758154eee655773de8d1a11552a97ea8bf52368c2d8d4869ef410ed76f29575aebb09e5454bd5844863fbdeb05952f2b0e76091712b32b24
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5e60eb305a7b2d9907488068b7065abd3
SHA11643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA51295c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b
-
Filesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
Filesize
23KB
MD5401395e816090f1d38450a1302aa2e2b
SHA1f0941633293a5a88f4aada38c6c51105091e5384
SHA2562fd149b987041854a71397d089882af98b355c8198b3582161c931cfd62345cb
SHA512715eef6286fa8ed37e7761abb2cc87e945ff843567a571064d367070f1a12c4f422b97e15238397d0596bd2ca463b10d2922215a82c45754a9175cfc821c8706
-
Filesize
13KB
MD5a672167428948ee03fda1f705604c215
SHA1a71eadb6f480767c17b2f3e0827458b9be71c8e9
SHA2563cae8e2147828ba9b2a8e4193b2a8ce7ba55d34ed26e4232875f93c7d2629e07
SHA512053dee09db72fb266d56f21c970739b13a55597c83263cb13e307865789cff76ff275826a293ceba46851b29856d25c4f13f6799eee2263252c3ac622825a8e2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
27B
MD51e6df7de30802acf3416101eca22ec1f
SHA1c42cf8ef0cbd35c6c22e39a9af7990d80a2b5670
SHA256eaee51673113c02285289083f6f4b9565369a13ebde9cc51673fe03abe97d9cd
SHA5124bb9a7324f4a085c0e78344f5a3eaebebdd01850feb05f5ef154eeefb2530e356a609b8c46e2b191ed5b0d8b6dcc1fdded42124721c3d8d6f2d78cd12630b0c9
-
Filesize
22B
MD5c5b094cf51e0ac6889d1c6d8184d0c90
SHA14a9c231222f816fc19d6ac6567cbccf8dd92c362
SHA256c72c30d505e611afdc46d571141d1bcf78414cb6b09e24b3189950b3e47a5b05
SHA512a8bcb267503b4d02ccaf39bbac02ee486eda4e320bd71d6deba5eccc7c7602d552ed733af838b64d7b37204925c2619d5169b2c88847eda010c008ddba0f4131
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
Filesize
51B
MD5cbfffb87479b53144737f7fa4148bf8d
SHA133ab72c34538eeb1e00d79b7375f7cdadf98cc2b
SHA256590a3129e4f591643ae15e6128661de495a35f05f8015670c96eda8f3b76498e
SHA51248e88adbb8b80395f2b5fafc388b2d2649bbe8a5c17e5e6966cd2d615b3f3edc6ae3c3e6586fd178d59f3a3b6fa7ed03409beb1f22b155c60507aebcac6372a7
-
Filesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
Filesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
Filesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
Filesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
Filesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
Filesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
Filesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD5a0b347cc228bf9358b0d32bc70479ab1
SHA12ae1f5ea36621ad944711a4ccf2bba74286d2dc9
SHA2569d6e8f27ae1c4b75b4ee7b1521a9e5900772cfa8bd8bee2976136643bc4b8bc0
SHA51206cf2a6f857ab3f4924e03be1a68f538f1699befd87fab9902522a1093291933998c4f1de7e52844e3bdfdd957056d1b1b6054dc68e60ca4f3cd590d51206fa3
-
Filesize
10KB
MD55dfd356653cc816402841b6a8a171519
SHA185ee04a71e05d324742ebffb0859342baf2047a3
SHA2565b249f4a4f35cc00c0095adff2778b7bdcef25b6f97f4b2dc2a033181c584d24
SHA512a4fb6485359d1614c4eaa9117e6078b67925eaf7e1c4aa596956b09be6ab7252fc6d991c6da02537201c8977ce0cb6cd5a7a2a53ec4781ac1501d8d38b44f11c
-
Filesize
9KB
MD5844ef26e6adb47c3c53f4c77e2232be3
SHA114900ecec66204de0979bcbe0f48541dddf6729d
SHA25689e426ac257acce43cc1a2ab1177b5a12d585e4433db3bbd56fa011c3581122c
SHA512653d0a8dd565bd91b5c80349997fd2911ff35b9e3aa04825f614c05c831b2edd66da3d51a9e175e50bff7a337242a2bc35f49533b3af9922a8c50c65f51330d3
-
Filesize
7KB
MD5c95117a23f17e77372c2f47e1543454d
SHA1231288cba8f49d8fbb508272241dd5d609d8d023
SHA256272f2d3ab3091aabbd4d1c118143a85f590a994322994935c4a4c26a5e3b7245
SHA512f8e5bf620ff0458617a1b0bea2fca873d213c01b02180ca808af08a6499e1b8b7ae4c8ade0132f7c9bfbb630b6252981a7d4f9b43bc8fd2baec8c4933e8f4338
-
Filesize
7KB
MD5d8fd85fff132d798d014b4ded7f8b0bd
SHA136764e75d86458a26c2ad4ebd85f772b4518fc0c
SHA256923bef398c490888e98a6253acc5b17d259282913e4e14a0c59ec78ebbf8d1fb
SHA51206da202daf0c7a9cea9cd44faac7bbf3717b84a472e5fb48837e7736f96daa6944b2e1ffae883da00df441897749a88d9dfe63a76a15521fd13effbc9378d271
-
Filesize
10KB
MD5253f51a7f240752826107021a4103fde
SHA1f59abcf45c0be81d9a11e9d96c1e6d68196c1e57
SHA256c42b804c620f176b9aecba1d2726751edb12f79bb2d67f0c9749cbd0735bf5e6
SHA512447755f8b0937d66b1118df245d354f3e7d4cf35cabc2fbf6cc47d1680c4afbbc764dcf9da7bdbd8982f7ee986334e72a9b0dac8567dd846688c51a2e10957d2
-
Filesize
3KB
MD5efb35be378283db834722989f9ae8eb2
SHA11cc511019f531e446b31f356f39656fa0c914dcd
SHA256bd85b2da443f1fa162e83f40ab06918283c6bc990da4426e630282fa4430293b
SHA5120b9159076859dc604e5f760ddcb36ef31e023eca1d1d18633546b94651e10ec0be262009bde3a1b25feddf546e1ca84a0d9cc44cdd5ba6933564e0fd5b28a2b1
-
Filesize
1KB
MD531bda7612654961dd2ece28dfe99437e
SHA11fc9899aa75fcf8698aefdc94eafd5735173c778
SHA256fe3a0ee4717006d4a9079c080610d06831909f7c1d409fcc2a0dae436be82c09
SHA512eb12489e98eff9d854136b6df4caa541cbfe640c536a43e6f54f2a1c7c01971cb371cdfd828cd6402c59853097077aff009db4fd037c46b5641ab2025ea17b15
-
Filesize
3KB
MD5bf0f8836635193d52eded0e117a8916e
SHA1aab72d8a7764256ac86f386262b989c08d3eb177
SHA256df923ae202eff696a309cd3d297e85b45dd22ee2607cef577eb69ed0417f402a
SHA5127c1706e66aac1b21175bccb78fa17b7566d98f49863b21c0e9246546f4dbfcbe8d60a016e751c0cd64d1655ca99eeade05979d58ab1e4044d0499b406e786568
-
Filesize
192B
MD52a252393b98be6348c4ba18003cc3471
SHA140f75302fcbe4a8ac2e33a8d9daf801abc2a9598
SHA25604cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee
SHA51207af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198
-
Filesize
3KB
MD55b0f165bbdb71faa1bb5b26c4f022e96
SHA1704bbe81e0d8370e675246e1cbb347bf8599aa45
SHA256b95a445bd9d295276e8423f1ad3fc50c740512a634f2115364217544bc87d44f
SHA5126c521b2c55135ec98f79193bf9c62b73cfb1801cdeed03a9871878f677aacea46cae165a4290682768ca1c1192dff2e87b63c39228164d72d2c7abbe732f8d20
-
Filesize
48KB
MD5d2c452d197560a5de719aac3f4b222db
SHA13e58ac43b3a36d518ae28e35865f8a3ecb6bc5b8
SHA256e5d735760cad3a71c1dff8cd855c2aed4266b089ff09fa8ba997cf65f025515d
SHA512705feeb8b06d272b51f935281ce1b7df9d704ab75014651660363fef16d469362ff194fd42f33bd7bd1db1474fec162471074eb0269b78a8624324c7efd95a81
-
Filesize
192KB
MD5058df786c387debe4bca196f2d406e0f
SHA111fa2d330feab1989e1bfd44e810c405449e9642
SHA25697e26ef8ca3a71131771605e3174d09d8847f6ea950fcde1a91c463cd1c40f5d
SHA512a459f6f713eb224fda72b7e647b2b74e7238591ca2c4413e6809c8e14261377f1bb83cb55d12f2d26ef3d0c7fd7d3391c73947d31e7828d69e5357e37b9d33dc
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB