Analysis Overview
SHA256
bf12eff51a065e756ce601388a6b5ac843cb9a91e9fbb46411526336307a3937
Threat Level: Known bad
The file XClient.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Contains code to disable Windows Defender
Detect Xworm Payload
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 22:05
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 22:05
Reported
2024-05-27 22:10
Platform
win10v2004-20240226-en
Max time kernel
286s
Max time network
300s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Client | N/A |
| N/A | N/A | C:\ProgramData\Client | N/A |
| N/A | N/A | C:\ProgramData\Client | N/A |
| N/A | N/A | C:\ProgramData\Client | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\ProgramData\\Client" | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 4.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Client | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Client | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Client | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Client | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Client'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\ProgramData\Client"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4116 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\ProgramData\Client
C:\ProgramData\Client
C:\ProgramData\Client
C:\ProgramData\Client
C:\ProgramData\Client
C:\ProgramData\Client
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.0.1409180262\1364088634" -parentBuildID 20221007134813 -prefsHandle 1804 -prefMapHandle 1908 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e159e5f-16c9-4b4b-b270-aa7ae8a89ca3} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 1980 250499d7c58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.1.1926013305\2037404044" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23763eec-5da1-48e6-bbe7-094e3a9be036} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 2380 25035c6fe58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.2.1630156154\2089713398" -childID 1 -isForBrowser -prefsHandle 3164 -prefMapHandle 3140 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13731a46-5fa8-4025-a825-f3d2b43f415a} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 3172 2504d990d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.3.1764977422\749822093" -childID 2 -isForBrowser -prefsHandle 3420 -prefMapHandle 3508 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e893053-708b-4463-8dde-7c4ce34f4b50} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 2528 25035c6a258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.4.1180942285\579095590" -childID 3 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {857990d2-7865-46ca-9174-dcfd6ba6b517} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 3776 2504dea7558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.5.764870878\473282255" -childID 4 -isForBrowser -prefsHandle 5140 -prefMapHandle 5136 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4bc6b5b-794d-4500-a71c-cc8be29738f0} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 5152 2504fde9e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.6.378133453\1673239597" -childID 5 -isForBrowser -prefsHandle 5292 -prefMapHandle 5296 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6319e42a-f223-43c2-a850-201008109138} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 5284 25050188b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2692.7.653559658\548118137" -childID 6 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1468 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bebbcc75-c957-4d93-9690-1f41bfee2ce7} 2692 "\\.\pipe\gecko-crash-server-pipe.2692" 5476 2505018b258 tab
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" config wuauserv start=auto
C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" start wuauserv
C:\ProgramData\Client
C:\ProgramData\Client
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.253.86:17118 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 86.253.127.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| DE | 3.127.253.86:17118 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.127.253.86:17118 | 4.tcp.eu.ngrok.io | tcp |
| DE | 3.127.253.86:17118 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 142.250.179.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 35.158.159.254:17118 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 254.159.158.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:49943 | tcp | |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 44.230.111.112:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.111.230.44.in-addr.arpa | udp |
| N/A | 127.0.0.1:49949 | tcp | |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.127.59.75:17118 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.59.127.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| NL | 2.18.121.79:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| FR | 142.250.178.142:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 79.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.178.250.142.in-addr.arpa | udp |
| FR | 142.250.178.142:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r1---sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1---sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r1.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.166:443 | r1.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 166.183.194.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.121.53:443 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 4.tcp.eu.ngrok.io | udp |
| DE | 3.121.139.82:17118 | 4.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 82.139.121.3.in-addr.arpa | udp |
| DE | 3.121.139.82:17118 | 4.tcp.eu.ngrok.io | tcp |
Files
memory/2136-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp
memory/2136-1-0x0000000000D10000-0x0000000000D46000-memory.dmp
memory/2136-2-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3684-3-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3684-4-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xggl5rpj.nvf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3684-14-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3684-15-0x000001AE6F000000-0x000001AE6F022000-memory.dmp
memory/3684-16-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3684-17-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/3684-20-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8478294527bc11b50f13186fc7c114e |
| SHA1 | 4f183fdc2b56fdaea9001248fc89aa748af257c4 |
| SHA256 | dde84811ceb2d1ebcf5b3d6128d0ccce673bb1a5324bffd444300a00c60f32a5 |
| SHA512 | 72bda9eb9a4199043bbf538af4a30eea44e23efeafcaa0ad9e83ab18ed37823fafe8d4e833afe5f686c30f2ed46cce2ecf16c34bf6a2f4cdc09e711568197655 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8f659389c6e21eb0c627fbae833500c7 |
| SHA1 | ae632f1e4af08587934ff168155b30e2b28d7475 |
| SHA256 | a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c |
| SHA512 | f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327 |
memory/2136-58-0x00007FFE94223000-0x00007FFE94225000-memory.dmp
memory/2136-59-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp
memory/2136-60-0x000000001E690000-0x000000001E6CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp
| MD5 | 1b942faa8e8b1008a8c3c1004ba57349 |
| SHA1 | cd99977f6c1819b12b33240b784ca816dfe2cb91 |
| SHA256 | 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc |
| SHA512 | 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43 |
memory/2136-65-0x000000001E8D0000-0x000000001E8DC000-memory.dmp
C:\ProgramData\Client
| MD5 | ce50eeb08cdedaa930d55452f65d932e |
| SHA1 | fab3c35751ffeab8f7de8111136e8277a7bd8e0a |
| SHA256 | bf12eff51a065e756ce601388a6b5ac843cb9a91e9fbb46411526336307a3937 |
| SHA512 | de972e02b2041c2ee24778623ccabf6c5db85775b2266994e2ab1c4237bc033ab649cf7f2960f58e8f731db0882045654f85bae131877493d64053979057cc50 |
memory/2136-69-0x000000001E090000-0x000000001E0C6000-memory.dmp
memory/2136-71-0x000000001E0C0000-0x000000001E170000-memory.dmp
memory/2136-72-0x000000001FC50000-0x0000000020178000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/2136-75-0x000000001F720000-0x000000001FA70000-memory.dmp
memory/2136-76-0x000000001C600000-0x000000001C60E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\3bf63b3a-3249-448f-aa1a-070fc7b4e89e
| MD5 | 0374c1c7e520d547c1081ecabb904c42 |
| SHA1 | e5e5f1463598767d3ca97191245fbe144adba216 |
| SHA256 | bb67b4be3f8dc76dbcc697e1f83d635642bac1b78e32b1f5826e4ad3fe17013f |
| SHA512 | 2689c16cdf96e3519030309f41ddc6cc92816ea16226d8349eb3fde319c0051c53c6e0663bb508dd583e36ee5cc78d4c1fece63029e4b81aeb4b6fae55151851 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\f025edb6-2821-4ba6-b566-ba0fa438ad51
| MD5 | 129fc40d408e2ae30e8a9996b02b7f8f |
| SHA1 | 850055388cf811cfa56a9f999e22386929ca6c9f |
| SHA256 | 6be5003c4dfaac97dd2d521ce756aeae7d64078be8ce56dcd7f7fab2e6dd4d9e |
| SHA512 | 4df8cee5fb5477f697be0bfa1981c78e1afc366da5fbdfcd27ab0107aee76d95cc05ca76d266de9f5c34f9e41f2ac585d851867245fbd8ac8eedbf93e5edee66 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 89b1f1cfb1a88df88a0ef378cad79257 |
| SHA1 | f8387f51ed9aacfd94bff0156d882d58c6e715e4 |
| SHA256 | c82e0c68e2f87716b999c4f9e27ceb517d0335f3fcec77ff562e29fb33643de5 |
| SHA512 | 60e22e0443999fb275ef66f0697561814542b1812ec5dff95b0f6035fef6d946cff9794c8f2ea7f4617766f98516979e9ac0b75b7eb104b3f6d48ab61b8dfc66 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | 580ddfac0734406242f415e2b228bd36 |
| SHA1 | 54c3d178d4c2923a65f801964bc0d393bcbb3179 |
| SHA256 | e5633bc0a1c0b13bf271c4bea6b61795fc1af623b78b75a39948206bfc156ee3 |
| SHA512 | b006f58336ad61eeec56a3d75c1d1b456738b88c1f469f7c121ef211920d16ac488c75ce2dd99ba8af496667a6df85a86f5b3712af91d7166bd3d5db14675eaf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | 8c2b132c858c86cad9b782919bb702ba |
| SHA1 | a38a14a0ff5ca4b8b6103aa21e830f60c5340827 |
| SHA256 | 82a88d8b87be7b6aeabb5b03fb232dce89d2dffb1609c53eae635e6035a74a5a |
| SHA512 | 50197a8ba995441d3f6df1798c12cb780d2ea61191efc75f1fd0ee5036a76dc8fbdb858e1c620d1faca999d96f8f1791c903d852318ec30b2b4db7ec30672163 |
memory/2136-171-0x000000001C610000-0x000000001C61A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | e479d229de10913fae930ac8f6961131 |
| SHA1 | 1a1d26975c1bf9276db26169afbee8481cb32985 |
| SHA256 | fe9dbb8bae4a61a04654060a4c4d5ba19b174850f042ea2c626edf82cc873081 |
| SHA512 | 04a9b44dd0b1e9314d3607271ff33f2ca177691845e6603f7c4e36967ddca10f370e7c0afa4818915babd3da89353a77d7b11835a44a6059ff48f63f18ad9e16 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | 7b7e862979643baf2527f49d2e634144 |
| SHA1 | f91ccba541ee38a99dc0b4f9c6992b1fa0a112aa |
| SHA256 | e2e903514c63e5fddae4c01562c368d7e6b24ff5c85a5d9b905eeeb9d806a850 |
| SHA512 | 21eca0c17ee55d04a8c460cd1872088e2a34421610652299fd57df0f9122151f400554ba934ed4c720fb33a91b580f6b42c7a79484ff961afb7083bc83382c58 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
| MD5 | d65b89c50c7db2e5df68edbaee67b8bc |
| SHA1 | 73b794043ef4f7e967d88fc09427c750a1353b62 |
| SHA256 | 4e4086f549b67ecca7396bc17f34cd9e249ad5622a5f069abada429d8e9ebd53 |
| SHA512 | 81bf32cbd54196e057dcbfb6ecb93b3a28df0ba7cc2062bfe0c54ebfd1746f7848a8c58a2f8681ca11a55412735aa09026fdf40b83e315aa42fccb52051ea33a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js
| MD5 | f1bddaf2ce485ae354b6d8395535bc45 |
| SHA1 | 9a5ad551f4e36b965b4210f577df93b837c09489 |
| SHA256 | 8b830c3a33604274863685c4f656345775d8fbca36623c54d1e970c4e14034ae |
| SHA512 | 31a1f5f854173167b503074c345d9f3eabbf7c4587f9230c5320a694eb9e9b802b668efa1b430b487aecb75f2fef38142113b0a2f38b14e3c15a33dbbcf74145 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | e26560aaf28ff98afcb680db3dd625d9 |
| SHA1 | 97288d04cdbb7c4138e35087371c1f14ca595cdc |
| SHA256 | 4b273d7c1da81e6696063d2301b26eb583c8b273f301a2659f26e9870e827014 |
| SHA512 | 384735181768bd3608a61eb476a65bfd1c0bcc6c0bab3f583a5f24ef3c5c6007380b32190f21a57ea7342e5b11884d1515583f5e5272fccb691bc761d90002d8 |
memory/2136-1066-0x000000001C430000-0x000000001C4BE000-memory.dmp
memory/2136-1521-0x000000001C400000-0x000000001C40A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4
| MD5 | a39d432d8bb508411d03e576d5259530 |
| SHA1 | 98fb94b6a2e50b514f811f0649efc1505b338a9c |
| SHA256 | ba7bfc253a1363f68d1f48b3e77f106832b2cfc6c9818007ad1750ffec786587 |
| SHA512 | 403a92ca784a53405ed79aa2a56c532316eea0045d30959028851bf19d59ba1778dc4c3ba41feb72057f91f6cf36c61f9e31b201f505c4b3095b3d207c057a69 |