Malware Analysis Report

2024-11-16 13:34

Sample ID 240526-s4x8bacc75
Target pornhub.exe
SHA256 ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526
Tags xworm execution persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ca83463a0b08d1a04d19a0a28e11e6a8123753061a91e21dbf09a1aba55e1526

Threat Level: Known bad

The file pornhub.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-26 15:41

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-26 15:41

Reported 2024-05-26 15:44

Platform win10-20240404-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3508 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4664 wrote to memory of 4604 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 1516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 1516 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4604 wrote to memory of 4848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\pornhub.exe

"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.0.65561302\974666775" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b472684b-5978-46bb-abae-f6d9c031a52e} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1796 1677bed0158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.1.2009978888\1533454162" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed61d75-046b-42dd-b408-47f0dc99e40f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2152 1676ff6f858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.2.793737724\1704977890" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2700 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {77c8b9cf-158a-4ec4-b3e6-119c0ee64874} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 2692 16702cb8558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.3.438245170\1800960304" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba649d18-4247-40cc-b15a-252907faa9f9} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 3496 167008fa658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.4.137159032\1638134915" -childID 3 -isForBrowser -prefsHandle 4080 -prefMapHandle 4076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0bee18-0810-48dd-b540-160cb489a2d7} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4092 1670300fe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.5.780020215\1910889039" -childID 4 -isForBrowser -prefsHandle 4796 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {60ac9b9c-e2eb-4aa7-9654-080ddbd88b1f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4804 1670329fb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.6.1845768467\1971945075" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8520d1-e8c4-418e-bb0b-176599cfd13d} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4912 16704f8c058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.7.1226406622\1142837431" -childID 6 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f21cf5fe-f5de-4574-96ab-aa06140f6e73} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5096 16704f8de58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.8.985399268\1830031175" -childID 7 -isForBrowser -prefsHandle 2632 -prefMapHandle 4960 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dc45e2d-b4ae-4797-9d82-59c8e54d276f} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 1652 16706706258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.9.224315821\434547114" -parentBuildID 20221007134813 -prefsHandle 4208 -prefMapHandle 5748 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9a9c19d-cc54-431c-a28f-2110defa1fd6} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 4184 16704a7e458 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.10.629507646\1741374541" -childID 8 -isForBrowser -prefsHandle 4104 -prefMapHandle 5756 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bd6153a-4c33-40b9-a8c5-464653a79bcb} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5768 167070f0058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4604.11.195892538\735245328" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5940 -prefMapHandle 5944 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73445504-ba1c-4d88-a60b-2c24c6fd4c16} 4604 "\\.\pipe\gecko-crash-server-pipe.4604" 5952 167071efe58 utility

Network

Country Destination Domain Proto
US 8.8.8.8:53 character-estimate.gl.at.ply.gg udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
N/A 127.0.0.1:49989 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 44.237.65.238:443 shavar.services.mozilla.com tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 push.services.mozilla.com tcp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 238.65.237.44.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
N/A 127.0.0.1:49995 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
FR 172.217.20.196:443 www.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 196.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.178.22:443 i.ytimg.com tcp
GB 142.250.178.22:443 i.ytimg.com tcp
GB 142.250.178.22:443 i.ytimg.com tcp
GB 142.250.178.22:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.178.22:443 i.ytimg.com udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 22.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
FR 172.217.20.206:443 encrypted-vtbn0.gstatic.com tcp
FR 172.217.20.206:443 encrypted-vtbn0.gstatic.com tcp
FR 172.217.20.206:443 encrypted-vtbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 encrypted-vtbn0.gstatic.com udp
FR 172.217.20.206:443 encrypted-vtbn0.gstatic.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
FR 142.250.75.238:443 youtube-ui.l.google.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 194.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 206.20.217.172.in-addr.arpa udp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
FR 142.250.75.238:443 youtube-ui.l.google.com udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
FR 142.250.178.130:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
FR 142.250.178.130:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 130.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
FR 216.58.214.170:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 142.250.178.130:443 googleads.g.doubleclick.net udp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
FR 142.250.179.110:443 encrypted-tbn0.gstatic.com udp
FR 142.250.75.230:443 static.doubleclick.net tcp
FR 216.58.214.170:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 110.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 170.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 230.75.250.142.in-addr.arpa udp
FR 142.250.75.230:443 static.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
FR 216.58.214.170:443 jnn-pa.googleapis.com udp
FR 216.58.214.170:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.174:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
FR 172.217.20.174:443 play.google.com udp
US 8.8.8.8:53 174.20.217.172.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
NL 2.18.121.197:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 142.250.178.142:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
FR 142.250.178.142:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 142.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp

Files

memory/3508-0-0x00007FFAEF893000-0x00007FFAEF894000-memory.dmp

memory/3508-1-0x0000000000D30000-0x0000000000D4C000-memory.dmp

memory/1076-6-0x000001B8D8B00000-0x000001B8D8B22000-memory.dmp

memory/1076-9-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

memory/1076-10-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

memory/1076-11-0x000001B8F1110000-0x000001B8F1186000-memory.dmp

memory/1076-12-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwdpg32l.0wz.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1076-41-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

memory/1076-48-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

memory/1076-52-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3df03b7292eeda72e97180e347b03cf3
SHA1 6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750
SHA256 a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f
SHA512 1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ffcd54dd827958b88e7857046a01199e
SHA1 dd2f0f6481938dd32b56509388a411140a969f56
SHA256 55404ea7250cb00233f801b1bb39ede1d6259c74edcb1ca1e9ca4726bc529c0e
SHA512 c114fc486b76c5200923f575dc51c7994f9816c74babad2a7543b03d20801895e9ccae3d47dd0a79fa70c1796591ef5b34b555b7636f44fa364211d93d9f05d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 03cc07fcae677bd98a01df26de18b9d8
SHA1 964c92925cc8573ca714ca209b37eaf0c57e6bdf
SHA256 8ff34a2cfe096bf1b2318184b9ffdc4af114cb792dfce5b6f971893c1c6fac52
SHA512 00590e6e42239912e1d815ad937cf61fd81cff97b0ddc7dba3a8edbc772293b50f538b514c789ea3463421278dbaebd4cb164dbadd8b99bc5621811223f0eb7a

memory/3508-187-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

memory/3508-188-0x00007FFAEF890000-0x00007FFAF027C000-memory.dmp

C:\Users\Admin\Desktop\ConvertFromTrace.vdx

MD5 0da67631e74dcfb5ebe8bd34906e2bb1
SHA1 526aa368befb5da15df74285df4e553a7e5c5e69
SHA256 c8abbbdf6f6b12a869667167ca3eea41d176371d802fa87a4cdf0ad446811a16
SHA512 0b29612a246a42d2cba38fc3a5d2b93f93d4ce3d21c70e9c47d7d24ca153ea0c12293e66adb493b12a30085d4b5131198ca9f9645300da999b53187abab57310

C:\Users\Admin\Desktop\DenyFind.dxf

MD5 7d7d6b328041c014dbf0dd839f5d52c8
SHA1 5889cf643583dbe340bc907cb0d327808422afdb
SHA256 a726731da87d2f7021626fba239f02ef158ce78ec1d6a023d9b6f37a7f32dfa7
SHA512 2b7fd6e109e1656dad05c6fc4b7346a5c15b95c4e0632d3340190935ab9d02f25dfd7293c62f9b0ca52c59434de5ef86b823e380e324616134bb23a65ef75ba5

C:\Users\Admin\Desktop\DisconnectStep.svg

MD5 660f2f7d5538d4d7c4a923e927c7c178
SHA1 e766506820dfc13a8c8a8c635f334b268c4e0d08
SHA256 d14314f800e44156114ac57b342b9b6a680804be4c5ea35115891e1f486e9125
SHA512 1d789a4174709d552f982ae4103a43f36a3188c9777d321f70c25f9756092c8f689e8206cf6f5bb7b0dc5ab5fd64f504941d751c326f51ac491e557aa530105a

C:\Users\Admin\Desktop\EnterPop.dwfx

MD5 fdb68a6c677b0e598002d1a6730c73fb
SHA1 12b99218f722fa786e70333cd130a4df2bc83964
SHA256 f553911a4a7f412a96366fe3bbd388c3f5ae46603a295eb3c5904985156c5071
SHA512 a799c43ef5d170a3e8b10fb918e17c32244c8fbecb5d1bb45d3ab77af14b20c92832cf9a1bf5fa22a8a85b570d2e7d11aefd947f42b9c9f6f022d59ac596fc99

C:\Users\Admin\Desktop\EnableClear.crw

MD5 c26ba60af9929673b0dc015e60783ea3
SHA1 9ef8d6340dcdb2a5ec64da61c9c8b9cfbbc0923d
SHA256 82610c5a89000e24c635306bd6f064b2b269fa97a08e10e02360dc92cce86e28
SHA512 2ded22030561e7bcbfc1074e29fd0d99785906eb4d9417e42184f6317e846ce192ebb53b013f1bb34d0166f7ec3ca77785105b095c6fdcee28d04e233191a171

C:\Users\Admin\Desktop\HideUndo.txt

MD5 d319151f302da4b8be6ef3cde3bc0d8c
SHA1 9336cbefbd4028b06257a878790eda6463570196
SHA256 64db0852fc2cebd6e461562442b0b1b97873008d1a575ca853bece004391590f
SHA512 92edac20cbed7cb50e460c6e0f543da3cb794d1529284d92470678a3dda75675db836d413a167d3f14e4310f3e0255d2749de04466888114143b405bfd3eb2d0

C:\Users\Admin\Desktop\InstallInvoke.mp4v

MD5 ff80266f63451e4233ba38b99bc4d328
SHA1 0ec9be28dc7d2c1f13e480be44231e66d477546b
SHA256 8f76959b6e9cffc1254eb25c2f5d9c645b41a207290e1431ecba5f331df0a7df
SHA512 0fc3aefd724472d8f8364e7c3ccf04245d0d8a08bfcd85569f0b008f852e712785578e5a555ad5adbf1b5e960fb4b330a9a2c6d41b9c64510e00a55c831f707a

C:\Users\Admin\Desktop\OptimizeReceive.dib

MD5 295d89bfe71ea3171b130b149b29ca66
SHA1 74a792bb109c453b0923e5ef4a61ae63b7d6ae4e
SHA256 d87c9d7ec0ae19411b6f087e652876cb0c9d2dac8773f1b5b478018a0f0d7cb3
SHA512 22f1d62f10bedb7c4810bac2268a3a08444d14c1f07c4ad77f48ce3b1822100ade0bf50f6d84d440d30db5aab21379ac75d25c37de9b2817c9c29fb2bc4324af

C:\Users\Admin\Desktop\LimitSwitch.TS

MD5 c88b10548288c98e2bad7460ade86015
SHA1 e0e73519d3348761a92e73a826fbe6d9c16afae9
SHA256 c39863494d0850ad17b494722ac378f242483ad2bd29309eb7b2aed678382f3d
SHA512 426b41acf4b934d919a698447761ee3f3da9f260539e6f02f912a3ffff45c527be9b5210e32ceebf098b164a39cbbb9cff18225384ea6c5f1fb5247f178b6c34

C:\Users\Admin\Desktop\StopUnpublish.avi

MD5 6ecde1f1b65e9dbf863b783e1eecdc76
SHA1 318e4d6b6d8fb6d0bffecb3deeeeba5947f895a6
SHA256 9dd2d0a2ef81cc5f06d99736c4e1ef818806c7622825d73e6f5057972959ca79
SHA512 5ff5f3ae558337c937c43b7f73c95ae07e1c4ade4ee2d16fe71ac8d6e61b613877bfcc0308acde82474ba1ca42019d839c5075097dcdc3bfa9ce608db98e3994

C:\Users\Admin\Desktop\StopRegister.ini

MD5 a81d8d2e5bd893b006b3e2b085ec667f
SHA1 6edad61a0c225ac5a9f0eee73281519c76e0b2ea
SHA256 4fd0e19bb8d3c688d18548eb697f24f0addcf3db5658a463e25cc40e0da962e7
SHA512 e1419d37047664c06ae46b3fda11087f5fa067e759db3bdee01fee3ec8b1402ccd481ebf7761cc5630124593c46ee373f4131664797374bb56580a201fe2ef55

C:\Users\Admin\Desktop\SelectDebug.php

MD5 19518a17cb26955b73a14ab559617bdf
SHA1 421c3770d2013224ef4354a7ca46010c4fc93660
SHA256 58df27d876957eddf64050d1005c9feb4804af7e7091914481e8539e5d634851
SHA512 f44afb8b12c3310f5238e2ec281c80b9531b3a74c7e87a7ede277770f37cd2b33fc612f87e3c7caec7f5755611755f294bacce71331f4a6a067548f79855db15

C:\Users\Admin\Desktop\SearchDeny.vbs

MD5 8a10bcdd0bf52e9a83ad166eb67be4e4
SHA1 9eae5fd44d91db471728f88d3e1277ce01de61fe
SHA256 a8069518e27e4c4cd7ee7a29ed2b792a0f2852cd186a25b92f1606d88321cef3
SHA512 7cd2cbd81ca393dd9acf6fe5527c3ab9c6380de0455e0f6e525c35e3778ba095ab85e5182d9cca0658221c9e2d7a74b7d25d3cc212c7a81dec0596bcd72a3749

C:\Users\Admin\Desktop\RevokeRepair.cr2

MD5 92767c8595b51bbc73fb0da95269ac9e
SHA1 a83ab91fca4e8de8675fe6b2bf870624d0a4605d
SHA256 10c363fab712cef1768a41d4af258a4933af6f5cfbf9b329f9357b9d25fd4cbd
SHA512 7b5c98008e9fb04649a0a3f754549bff2f9a5654779e5ec1360e59bc71043d181c4076ca2515620b1fdd68b9f9d31e86820ec30ab675531021234fdacae75c57

C:\Users\Admin\Desktop\ResumeUnregister.hta

MD5 2f840a77ae6175fc45a605819612f64e
SHA1 023dbd1a5a5dc89644dbbd149c7e43333e5cf885
SHA256 7dddb253c6f2583845deb10edcef9d9af91f37bc3da54e64c7df1a816cbff08a
SHA512 fab81c8517c438606907972778bede87e11d8ca20a77345d2d98b91c42c34655d9ad60be6fcba5797b2b5102dd4f3fe04d0ad17c3dcf0a329202d54274fa4df8

C:\Users\Admin\Desktop\ResolveCompress.inf

MD5 10104564a11ca79864edfed359d4fbe5
SHA1 db198896a4909c07f34ca666df6ee0cccd0d42a6
SHA256 0c7bbc79414a15862e8f02b2b91708d231b90344775aa15533a1d8960f7df3f0
SHA512 f9e7bd6d53a0e29ee27a50ff6e4217f8b07435459ef099fe480da0c2e71d21f330bf7a4f62965b0441f98f8795f3f37511c94a3daade564e855b734e0f7ec0d6

C:\Users\Admin\Desktop\PublishSwitch.mp4

MD5 0e78f81c8efa781da701702cf3afa032
SHA1 752601a9770d777d7347b397a5df547cf0a04ef0
SHA256 1c2ebd2467d1eaa33bae67a738ef78aa117293965cb200d754d1d9266062994e
SHA512 9b92d174ccd1cb583f95cd2b69978351f9c745053774df618ce3f6fce89f895a903443a67ac6bcef857728ac165aae0ffb142cae176b4982eeed75482fcf8d69

C:\Users\Admin\Desktop\SyncSkip.avi

MD5 1a9735d6667e321c91e8abadf1e3bafa
SHA1 2540df704a0aea72b014c82d5687c9d414428e06
SHA256 70299e860f5bb1a125f5ee9192148839fc8e7f7ced0712cdd947af963e8e2e62
SHA512 3635d473a04301a09c829cee8527c26638ff400631c7fcee9520f7ffa59285d23afcdd8f7ad13ececab0418e5898a3492e12cf188aa3e500f8c269065b0dcfa2

C:\Users\Admin\Desktop\WaitInstall.lnk

MD5 13eb344d5411e56ec83b74372c3f6bd6
SHA1 916a2c95a7d29740f1bb7a8aa252eff8efae6566
SHA256 66e2881e3f6eee7498fa8c758d45b601dbcdd98719ff680dbad814bf42eb3d07
SHA512 db7027216d9cb94a0483d7a577f0b683dc2373fef47298a654ae7d62e9b04df969ffdeffbd88ba60ce33931aad107c20e13306915c52bdf430325f721d793de4

C:\Users\Admin\Desktop\SyncResume.asx

MD5 511aa4197951d849d87462738b3b90ea
SHA1 e51cf38577652515e6463e71e48f8dbdd6354c57
SHA256 fe19a0639d70654c036aa3d707e17de863b658f796b9a8b4c69e4dfed3138a29
SHA512 f144616753b44edec0b00222eb59695640394132bde81a4285c14932c6233304fd4f2f862cb67f236c4df5dc6652829437730301e5df2fd6375be34264d3bbfa

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 6f1e4b9ce0fee4ac3d5bbb48745d5717
SHA1 fde19343a446e9f917a5440a1fb31cf9faf4e1aa
SHA256 2c74ee14a4b44682ca938f99f40157f266bfe31e37dca4b1d56b3eadc1d1aee2
SHA512 e96980b3303329dcc882588c147a01d238b92600972a1dc59bcded4aa525341c5b5604e5ce3cadec0c49e6586f4cd6b93b693ae1b6dcedb79a0b65f5000d7c59

C:\Users\Public\Desktop\VLC media player.lnk

MD5 db4639b8d64bc676737a319e004888f9
SHA1 ec227b223a8af743aef253c5b0d9ba7a06a66d6b
SHA256 7a230783076133d02e4bc487853f4f73711b654be36752164157ee8da5ea6d49
SHA512 3dbe30edd55253425d7e004dc8a16c818aba26f03a7d67d3154165f98c78c670cbc7bcaacb23697d4087fd5f78b9f823b6a53ddff68a3ab2cebd1b8fd441db50

C:\Users\Public\Desktop\Firefox.lnk

MD5 059b0fcb8926d3575b1e75e4e9651ec8
SHA1 9f15e121c9940fecf10b83b42c2b68dd0b3f95f5
SHA256 02045f6f7a5e9ebe593e9a31cbd56c104a037857614be176c361bce229f7abc0
SHA512 22514bdda4b816ef633a4b7a9e1bda32e1098a66988a9ae2b08a75bba7d83ac760bda0af52f6c6b8ed439ae9f124f7d0f0113751a5c27f32200b1d95000c64f9

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 17d1e9be8c3e0a93a91eec279f118465
SHA1 57856a34eddcff41d327a9e29cc35ee28d272e88
SHA256 6277e131e69c7fb06bd900d6163707b6e832fe3cb2952368b354d16fcb999033
SHA512 1461845bd7e6823e82c979ec42921fe297fe8a3e0a37643ef4655931b9ba03f92588ffe5bf9768a05833f64267d9e24c4ee191982f9c7c34e4f9ba1f135ad1f3

C:\Users\Admin\Desktop\CheckpointProtect.m1v

MD5 e911d5061fed57806a94a208b9114a17
SHA1 bac9d8ff9c960b9cb1f68b51b207488650c81e5c
SHA256 e89f1d2899a044dd6e8346879d0dca269290d1353571bcc935df319336b2d59f
SHA512 d2285c67e62937f510bfa6da9951bf22d87d25345894013eb5b8d475bcc75761bd7ed2e10f174472d755ff7bc1bfbe80ba3dc650ccc52ed24226b61ef94d4ef2

C:\Users\Admin\Desktop\StepUnprotect.TS

MD5 e389ddf177c129da892be16e23bbb9e1
SHA1 f655e81f75af1ae087b26a56a3a0cbcd60bd4a5c
SHA256 e9b9c60b606a5ab48be67e41a18110fe3b54aa4fa1edaaa2ac13f73a4e926328
SHA512 be6c4cadd0a6ceeece949d0f8e5c2a413da00aa8dd9a8d433877e8bd7d1dd21f62791eace48f4df2b92224fd242b052234d872db786801578687cf8976961671

C:\Users\Admin\Desktop\PushReset.3g2

MD5 a623796146e6485d2b13205d47fd2415
SHA1 ad3379338688f3dfbdf87710c74a5045f60f6d0a
SHA256 8552a6421cb4b93cc34f84edc5552561f81e0c6fad2ff2794e77be71b0f3d093
SHA512 b91b12f34961e8f7a77589e2077a7633f84bf545f62f7efc00ae358dc9413e924e25a477567d04cb39e6559635fb49e043f878c7a318e0640eeff6f6fe7bb706

C:\Users\Admin\Desktop\ExitClear.scf

MD5 9ec1f17961ea08f47cdb4e1552a13e97
SHA1 9e769d137954febcb40e78063aa9a9fe53e073d6
SHA256 cea902ccdd222ce8885476e6b0364956f8e3629cd614c3c05568a89cddf543c5
SHA512 01e4a06ada7efadbe7272fe15af47cc1212e8003487dc093b0bf8f653d45554e643d707ec8e5e865ba9ee1150ae105ee2d223741d996e5813770ef281c74a61e

C:\Users\Admin\Desktop\WriteInvoke.wm

MD5 fdb4a269238f136cb1f64c33cb0bd783
SHA1 720f7c8841253726fe50fa4fee37710ca447a593
SHA256 b4e4a690fbcb1aa64f619f47cb399c2dd86d87e26863e66f7dc4c31e9e31a867
SHA512 2dbceebd9a5a9953f7aad573ae5d80af97ac482e3f7ffa6863fb961a10087d2a95708e37b263ae2f8fdce04064af405d470df62f095a044683555fc54d076862

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\2039f202-ff63-4624-b19e-de3f4112357e

MD5 80e190ead2ad5aa2b73a5d55fab7fcfc
SHA1 176a7a5dea773b96c26b8cb660643a3798189fa8
SHA256 fa7aea8a6a8ad255635bd35fd53c2d4a2efd82bebba6ca1c2a560e7d3c4ea442
SHA512 a54a4e3faaa4bd713921239c4b0c98d4bb32bdf24ac4eba0f44ca7a9395d20c5749514c04d7290e2e7d6f541c65d2703f3493cf94d77a16c51d5c77138b68974

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\c1bfb18f-8506-4d9f-b92e-b635bdcb1e11

MD5 b36713939f4b70ec25c7b612d51721b2
SHA1 8629377ea070f3a4fb7f7ea489a98c4244c425c4
SHA256 e120e6ad3bd808efae8cae7aef761b3d28eabc46b4801dfa9ce7720d5268b872
SHA512 d0b11b5a9248bb3de73a1aefa46f5fc6acc90c41ff4f1a211304f4ea0761c7d3ac848e89bde7f312b8d7801d2a1dfc3eadda3fb7251f4cf84660289f03f6eeaf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

MD5 678382b730e0f5aac919f0431ca52364
SHA1 f48d445b92663a6a55975f9a4704db2f78865bbe
SHA256 bf320d1a0c11b025512e393c20486a47689ea2df6979a330fc9d2b636aa7e1a5
SHA512 5943f154c3225b02aeb3db49ba49221ba9e395e60c8a7b29a4f61e3601b69db70b35c3d66b8bc5d2cbf2ef0df6183dec4c19e653644edc6246f4dc016f113138

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

MD5 48e70e627459afc3eb24dffe216a690a
SHA1 fa5c8d1b942d4a2ff7d7dcc74b941da03dc28492
SHA256 bdc176f73a82c972cd32a53f7d6d4c88e2eca12a800dc60a2d068f72fa7e7305
SHA512 dc013ceb43207da668eb16ec626e5d9adf3b73db9b3753cc6a05a64cb7250cc6f9926e04d34b29c1763513578ac10417ad82bdc366ffb55ae515c50fde45cf93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 7f868e557b098795d645df9ea302427f
SHA1 001f3306144559b4049a8ab139b4139f51e59c0e
SHA256 b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5
SHA512 56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 a552d729e0774e3f38a9747c3e7de4ff
SHA1 6f74e2708f2fffd9d69ad10e8f526b89da11e7c2
SHA256 a779506ef649add3a3b704b11fa8fcabb1426d2335e6c63452c20da6ef24c6cf
SHA512 151643b8face85e45f92038bf8f9dd33adabf8f9e8591fd1417e83cd11bb2490c11372f57d2475c7412aa23f2ad7c3c74ad4187ca53d4f49a43fcc9eb94f16b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 5e2f273ee3f26e100332dcb28ed18eaf
SHA1 73f19c35508030440f2df57b36502aa556b1f59d
SHA256 298b338ea56cd0ab7554b2fcc65c8e11d780c31cb8855d1857cc35280821bfed
SHA512 b4abfd3349fe859dcf25eed875196cbafcd1cbf020e7264f14b0cd87d5baf9660448ce37844b1309efd50c8ec587c20da7b1a82c8b5a305abed4e175188e86d4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\3706

MD5 4874273708b329665351e8898662f3ea
SHA1 a8271ef039b5258de0a1888fc1ab432292cc2cc8
SHA256 251422b381c3a9859f51d0813d557da85fa10973d7db0cde0f4808873dc12abb
SHA512 bd101e2234020c09de40bc312a3834c8e7d481f21e03348ed0104bf9b8171b7f4ac906acf05aa4c0ba4190c5c2bd30170a8816fb4efb820adc9e11d69813b47f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31862

MD5 459e73884a6d5a55b06f66f3748493a1
SHA1 2b548c7e5e8451623fcb2ce798cbc157ce4ee00d
SHA256 d9d413c67364dbf98ca4dd5941723310485c36d4822bfe64e6abcd7c5a571b30
SHA512 62b69004c5f20d828d6010d056b43b10a0319878ef86eae335c1aed561b55835a512492086aac03e5dd2f08abcf06647c6138b30577bbf1c8d1e2d69a825b7e2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18799

MD5 3e71e8da5d551801ed2d8a5d2a69b93f
SHA1 cbcd22b0eb2ab924fa0ca8e173d660c53f87df67
SHA256 99ecc1a0bb78d5a9e1ede139aa5c420f38a1cef7b08a32be052ff9bf508b46c3
SHA512 a783d7953676a4f771148803d1f2f5695ee3138f1c1e55db585cac756ad6040a2470b5e75176fde399e836c4e26db45f7700357ab9f92fda1e48dcbcba015794

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21840

MD5 ffa98abec1cd058ac77b4707c5019c23
SHA1 f890beb0f37450f7f81328efdf61c8f789882fcc
SHA256 9bc78d92034d211da8bb0be4862b533bcbf4d26dd00f800286f31d2ffa36e921
SHA512 ed56dbf7020b309425d42d3dba8eb99fe24a6d4d940f4eb5aa15a7c158417cb6b6f25c9d88fbfe7673119c59e342b3c607a8aba2654a7cb9ddf81e347c2f552c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21616

MD5 f1089602ae8f6a99a7b4f021b6c2cb1a
SHA1 2e6d1f62c57ef41964735033fac43d0ce8175e11
SHA256 52da9e67f8a0768ec335881da2b9915a23ae8731b0e6747146e0421c3752179e
SHA512 c805b34615285abb1b3732cf0cb7673472adcc0e8375bc8632d10e1aa2d175fac2495c5f8f330e7095db2ef25db6c1baf1bfe305719f477cc298f55308b9783c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\21650

MD5 2cc770b3a14bb958eba5c904e196a9de
SHA1 32f0ab3a59b3d4a1c07ecd3866d5f50cfa7d6c02
SHA256 47c40a0b7ac3561cbfb312709d9a2ceae7879b68bb6d30a131725a58808c4bc4
SHA512 378c9e61c5c779ca4d7d87d13dca47ea0d52a17c0ae3d554fc91760da29751b9e773ba6da1d7049dc6b643ad2d4ddddcb983fd68b5eeec0fa4955d0783970efb

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\11653

MD5 7fa1bba94908d44e221e5a7a91b4e647
SHA1 f2cd7a4d378cc4ffaa2722d80024b794228c3870
SHA256 9e3092004bd23dd874849f6e09efdeb0af44e20c689bdf0369771e0f32f4080f
SHA512 a3725dfa927ae5459245f271c2a02d71a4611e3d6a607f089b294787fdc2278a111de9670b0463f2d282e99684ec53c85e7a316de87a7744d0219ebdbf04c102

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\31583

MD5 13fbe801c1ad70a6b88484623effca06
SHA1 6a65b1147bb0edf8d862709ba086af9abfc22a73
SHA256 b8246b5e3e1935de66782a7892e9e2f763fdc2a63350362cf958d678cb3bcc5f
SHA512 1b574c6a31bc0fb34d9593dd87f984ddece2d167a9176fdf3e1c4c34c13cde71255c0b03ccf82ede42d4b681b33c8a5beea89f448da05515e1670ca831925fbd

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\18072

MD5 e875e80d1ca157fa33d33fdc86c93fd0
SHA1 d3fc9c7694a147e0d49b601170c92a1dc1cec23c
SHA256 38a8641f92b3f37ae55413c0fd2f60b9551ddad994c2aa1cd3dfb922c4419da8
SHA512 d34e7c3727bcec7196c82a49e21ad8ee33b4093f089807ea5bcce956eea87788f276b4b50e8f54e33cf9c9ca90cac6240e029de0e20cf7852198bbc43d4be298

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\28542

MD5 5c8523edaff8cd24e111e735a47dd0ac
SHA1 7fd940d74c29fec166528e752e469d01c53eba72
SHA256 fd08542992d7435e233dce7067037381f1642543f0afda3a588e0f1f3f558d90
SHA512 40dd54387fa921a62eb919824734de788f65339ab608c4ec111802fa2c252c32389b38a00add6e9ebb112b000813f14016974eb182a6c2dcda126f6d0cbb279d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\25276

MD5 5a2c3234d645258487faf165c6137727
SHA1 63a5b410d1b344d56e15aa4f583d0bdb92c2e47f
SHA256 e48921e9ab4e289a597d3382d2d4e6b2b78edc8c5a6382d3f93fc1ab002d2954
SHA512 56e7929e28ea971f97af679f9b1641f268ac0ec4f16c88d0bdd4ea972e9a19107d6b1e61b2c7a8d1bb3cf7328bb8fd0ebadf64e190320d531a96fd8f60fc16d1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 922d69a3142032cbbc3af5a0d027be43
SHA1 4c766ec2dd83d9ca1a6e50a8afeec1d17a28d7a8
SHA256 c49f11f737c555758cba508b6e6ed2f2c8561ef3b5c506075eba0a401184c05a
SHA512 c9bc1cb67de823014ae51366b3e0e39259b253cbfb91a6f8585d265de91cd27f1cc39734794bd59db908527ba22356d837586d09bfd2f4821b243a9c0df6bcf4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 28cba90ad814ffea902f2d0b3864777f
SHA1 e123c0895f52ba86b8b7520eb983c81fafd37521
SHA256 4f0dacd4383d39da115748b4614436a1b95fe84da14814bae38e3be1f3ce6fd5
SHA512 750ef68c6e0658a1ebabd45ab1bd5a53b49fee0dea565963717b65dafc2313eeb4342a6de414924f9c8ce82f7766d52be8b632d963385cae4826f8edae5667d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bcca65a489811c5ec11b9621d1eacf42
SHA1 12e336d2ba9cc0ada739935d05c7c1c1b659cfde
SHA256 d29da7d252a4074016b8da18dbc9a8c5b2628ba8ddc14697415635cc918231ef
SHA512 e346055ed51e2cb94f7455ef9fce2f4273e45fc2c0ec455e641630c91eb32700e1b603d5e2ba477862dc84693839246ce8720e3707659072fd7d0cf40a98c115

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

MD5 545992bcc3657be95fa22ae18cdf8807
SHA1 441c85f5864b6b86aaaa0c1e516d1da21c7d3c46
SHA256 0baef5a6540bfc1143b1eb8f3ec9603cdc5a556b4c4a0892c7592ca81680f6e3
SHA512 ba7f47574d4e6836c225901db43cb6f5140f33a17271ca9acdff45355f4237896da3bdeb1ecfc1029989f42f43ad1c9c98edd8a4334bacf48cfa895ec5f19cc7

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 15:41

Reported

2024-05-26 15:44

Platform

win7-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\ProgramData\\Chrome.exe" C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2904 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\pornhub.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\pornhub.exe

"C:\Users\Admin\AppData\Local\Temp\pornhub.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\pornhub.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Chrome.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 character-estimate.gl.at.ply.gg udp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
US 147.185.221.19:61192 character-estimate.gl.at.ply.gg tcp
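The Processes and Network sections above show the two behaviours a detection engineer would want to catch from this sample: the dropper spawning four powershell.exe children that call Add-MpPreference to exclude its own path and process name (and the Chrome.exe copy it stages in C:\ProgramData) from Defender, and the C2 session going to a *.ply.gg host, the relay domain of the playit.gg tunnelling service, on a high ephemeral port. The following is an added hunting example, not part of the sandbox report and not the sandbox's own logic. The telemetry format (tab-separated type, pid, ppid, image, detail) is an assumption for this example rather than a real Sysmon or EDR export; the rows are constructed from the report's process command lines and network table, and the explorer.exe parent with a D:\Builds exclusion is an invented benign contrast case. The "user-writable directory" heuristic and the relay-suffix list are likewise this example's choices.

```python
import re
from dataclasses import dataclass

# Constructed telemetry, tab-separated: type, pid, ppid, image, detail (command
# line, queried domain, or remote endpoint). Modelled on the report's Processes
# and Network sections; the layout is an assumption of this example, not a real
# Sysmon or EDR export. explorer.exe (pid 880) and its D:\Builds exclusion are
# invented as a benign contrast case.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pornhub.exe"
SAMPLE_EVENTS = "\n".join([
    "proc\t880\t600\tC:\\Windows\\explorer.exe\tC:\\Windows\\explorer.exe",
    f"proc\t2904\t880\t{DROPPER}\t\"{DROPPER}\"",
    f"proc\t2948\t2904\t{PS}\t\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPER}'",
    f"proc\t2612\t2904\t{PS}\t\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'pornhub.exe'",
    f"proc\t2392\t2904\t{PS}\t\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Chrome.exe'",
    f"proc\t2368\t2904\t{PS}\t\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'",
    f"dns\t2904\t880\t{DROPPER}\tcharacter-estimate.gl.at.ply.gg",
    f"net\t2904\t880\t{DROPPER}\t147.185.221.19:61192",
    f"proc\t5120\t880\t{PS}\t\"{PS}\" Add-MpPreference -ExclusionPath 'D:\\Builds'",
])

# Locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\|ProgramData\\|Windows\\Temp\\)",
    re.IGNORECASE,
)
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))",
    re.IGNORECASE,
)
TUNNEL_SUFFIXES = (".ply.gg",)  # playit.gg relay domain, as seen in the report's Network table


@dataclass
class Finding:
    rule: str
    severity: str
    pid: int
    detail: str


def parse_events(text):
    """Split the constructed log into (kind, pid, ppid, image, detail) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            kind, pid, ppid, image, detail = line.split("\t", 4)
            events.append((kind, int(pid), int(ppid), image, detail))
    return events


def exclusions_in(cmdline):
    """Return (kind, value) for each -Exclusion* argument of an Add/Set-MpPreference call."""
    if not MP_CMDLET.search(cmdline):
        return []
    pairs = []
    for m in EXCLUSION_ARG.finditer(cmdline):
        value = next(g for g in m.groups()[1:] if g is not None)  # whichever quoting style matched
        pairs.append((m.group(1).lower(), value))
    return pairs


def hunt(text):
    events = parse_events(text)
    procs = {e[1]: e for e in events if e[0] == "proc"}  # pid -> (kind, pid, ppid, image, cmdline)
    findings = []
    for _, pid, ppid, _, cmdline in procs.values():
        pairs = exclusions_in(cmdline)
        if not pairs:
            continue
        parent_img = procs[ppid][3] if ppid in procs else ""
        parent_name = parent_img.rsplit("\\", 1)[-1].lower()
        # Escalate when the caller's parent lives in a user-writable directory, when the
        # excluded path does, or when the parent excludes its own process name.
        hot = bool(USER_WRITABLE.match(parent_img))
        for kind, value in pairs:
            hot |= kind == "path" and bool(USER_WRITABLE.match(value))
            hot |= kind == "process" and value.lower() == parent_name
        findings.append(Finding(
            "defender-exclusion-added", "high" if hot else "medium", pid,
            f"parent={parent_img or '?'} " + " ".join(f"{k}={v}" for k, v in pairs)))
    # Tunnel relay: a DNS lookup for a known relay suffix, joined to that pid's connections.
    for kind, pid, _, image, detail in events:
        if kind == "dns" and detail.lower().endswith(TUNNEL_SUFFIXES):
            endpoints = sorted({d for k, p, _, _, d in events if k == "net" and p == pid})
            findings.append(Finding(
                "tunnel-relay-c2", "high", pid,
                f"{image} -> {detail} via {', '.join(endpoints) or 'no connection seen'}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} pid={f.pid}: {f.detail}")
```

Run against the constructed events, the four exclusion calls under pid 2904 come out as high severity (their parent sits in %TEMP%, two of the targets are in user-writable paths, and one excludes the parent's own name), the explorer-spawned D:\Builds exclusion stays at medium for an analyst to review, and the ply.gg lookup is tied to the 147.185.221.19:61192 connection from the same process. On a live host the same exclusions are visible through `Get-MpPreference` (ExclusionPath and ExclusionProcess) and each change is logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log; matching either on an endpoint not managed through Intune or Group Policy is worth the same triage as the command line itself.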

Files

memory/2904-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2904-1-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

memory/2948-6-0x0000000002590000-0x0000000002610000-memory.dmp

memory/2948-7-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

memory/2948-8-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5d56f29f3a2afb560ecf73a9607d7139
SHA1 3ecc10a517295bec0038aedd9d0d0b42b8d456cd
SHA256 d722044abee8c77949728b20c487f38aad09f763fde45edf79f95ad65f88198e
SHA512 e261172c5be24986c84d147bc3b8283c41ee0d22ff7eca330294649909694861f7b35425164b91cb50952e038dcc23548375a497fc87d25f966fa472cf401879

memory/2612-14-0x000000001B220000-0x000000001B502000-memory.dmp

memory/2612-15-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

memory/2904-30-0x000000001B210000-0x000000001B290000-memory.dmp

memory/2904-31-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2904-32-0x000000001B210000-0x000000001B290000-memory.dmp