Analysis
max time kernel: 1794s
max time network: 1795s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-05-2024 20:07
Behavioral tasks
- behavioral1: sample XClient.exe, resource win10-20240404-en
- behavioral2: sample XClient.exe, resource win7-20240221-en
- behavioral3: sample XClient.exe, resource win10v2004-20240508-en
- behavioral4: sample XClient.exe, resource win11-20240508-en
General
Target: XClient.exe
Size: 59KB
MD5: d172c0a4ae3e8cef6a0a910bde62e195
SHA1: 51139fc633fe81a66c8ed55081f92ec5256bd0bd
SHA256: 94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7
SHA512: d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467
SSDEEP: 1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k
Malware Config
Extracted
Family: xworm
C2: length-desert.gl.at.ply.gg:58023
%AppData%:9
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
- behavioral1/memory/4924-1-0x0000000000B80000-0x0000000000B96000-memory.dmp: yara rule family_xworm
- C:\Users\Admin\AppData\Roaming\9: yara rule family_xworm
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9.lnk (XClient.exe)
Executes dropped EXE (31 IoCs)
- 9 (30 PIDs): 212, 4372, 2108, 3896, 4108, 3544, 1092, 5068, 3508, 3652, 11492, 11568, 11736, 11820, 11936, 12144, 12200, 3872, 4992, 2292, 4376, 3572, 2996, 4572, 5164, 5240, 5392, 5504, 5600, 5700
- stnqqf.exe (1 PID): 12012
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\9 = "C:\\Users\\Admin\\AppData\\Roaming\\9" (XClient.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (XClient.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (XClient.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 4 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (XClient.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (XClient.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate (XClient.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (XClient.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings (firefox.exe)
Suspicious use of AdjustPrivilegeToken (42 IoCs)
Every event is Token: SeDebugPrivilege.
- XClient.exe (PID 4924): 2 events
- firefox.exe (PID 4188): 10 events
- 9, one event per PID (30 events): 212, 4372, 2108, 3896, 4108, 3544, 1092, 5068, 3508, 3652, 11492, 11568, 11736, 11820, 11936, 12144, 12200, 3872, 4992, 2292, 4376, 3572, 2996, 4572, 5164, 5240, 5392, 5504, 5600, 5700
Suspicious use of FindShellTrayWindow (4 IoCs)
- firefox.exe (PID 4188): 4 events
Suspicious use of SendNotifyMessage (3 IoCs)
- firefox.exe (PID 4188): 3 events
Suspicious use of SetWindowsHookEx (1 IoC)
- firefox.exe (PID 4188): 1 event
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 4924 (XClient.exe) wrote to memory of PID 4588 (schtasks.exe): 2 events
- PID 3592 (firefox.exe) wrote to memory of PID 4188 (firefox.exe): 11 events
- PID 4188 (firefox.exe) wrote to memory of PID 3940 (firefox.exe): 2 events
- PID 4188 (firefox.exe) wrote to memory of PID 2416 (firefox.exe): 48 events
- PID 4188 (firefox.exe) wrote to memory of PID 96 (firefox.exe): 1 event
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  PID: 4924
  - Drops startup file
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe (child of PID 4924)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9" /tr "C:\Users\Admin\AppData\Roaming\9"
    PID: 4588
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\stnqqf.exe (child of PID 4924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\stnqqf.exe"
    PID: 12012
    - Executes dropped EXE
C:\Users\Admin\AppData\Roaming\9
  Command line: C:\Users\Admin\AppData\Roaming\9
  PID: 212
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\9
  Command line: C:\Users\Admin\AppData\Roaming\9
  PID: 4372
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 3592
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 3592)
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 4188
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, gpu process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.0.818781048\1353417191" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9ca815-ec1b-4eb7-859e-6323b522fd8a} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 1780 20c7dfec158 gpu
      PID: 3940

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, socket process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.1.1361113494\2025406105" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59898eb1-a6a9-4e39-8218-937b14449942} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 2136 20c73070a58 socket
      PID: 2416

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.2.541735846\1769704188" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2920 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {777497a8-d36e-4259-a417-2f7bbb7ed55f} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 2956 20c02397958 tab
      PID: 96

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.3.2011323863\664684091" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35cb7f02-c623-463d-acf6-b3d97e3b1bf4} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 3492 20c00b95c58 tab
      PID: 216

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.4.870827776\1252508252" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c423f1d2-825d-4264-b117-1c401d795f34} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4216 20c03faa558 tab
      PID: 2232

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.5.1689002513\109970340" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4848 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcda37e6-4e7a-4b7f-9eee-d498e07af091} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4868 20c0459cb58 tab
      PID: 2992

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.6.995046989\860672092" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a81f3-a31a-4e10-8d3e-fb50912b453a} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5028 20c0459c258 tab
      PID: 4696

    C:\Program Files\Mozilla Firefox\firefox.exe (child of PID 4188, tab process)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.7.1688104317\461682386" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71766a0-8e0e-4f03-8270-9b3b37377940} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5212 20c0459a758 tab
      PID: 3028
C:\Users\Admin\AppData\Roaming\9 (28 further top-level instances, one per PID, each with the same two signatures)
  Command line: C:\Users\Admin\AppData\Roaming\9
  PIDs: 2108, 3896, 4108, 3544, 1092, 5068, 3508, 3652, 11492, 11568, 11736, 11820, 11936, 12144, 12200, 3872, 4992, 2292, 4376, 3572, 2996, 4572, 5164, 5240, 5392, 5504, 5600, 5700
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads