xworm | 9c71d9c7194e47cba06aa8e3fd6d8fc10cf4199bf5a93967ddf7d1cac345d9b0

Analysis

max time kernel
299s
max time network
301s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/07/2024, 08:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Roblox.soft.exe
Size

208KB
MD5

8836cfa5b42391f7f726111f95eb1286
SHA1

6ae38fefc80d36d314edc4f21a04659c3d0416f9
SHA256

9c71d9c7194e47cba06aa8e3fd6d8fc10cf4199bf5a93967ddf7d1cac345d9b0
SHA512

4e8570e0b2cb363f1fa820b66c7da38b9361770d447dbef88018cb1666cdd768c92d838149d0c829e1becec4a2d2d1ccd93e813c88aeb56c513982df59b28854
SSDEEP

3072:HsBmjoFb9LmOuq8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLnJ:HYb9BUhcX7elbKTuq9bfF/H9d9n

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:3782

21.ip.gl.ply.gg:3782

Mutex

ZeU3qSaRXnLlIWu0

Attributes

Install_directory
%Userprofile%
install_file
system.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1972-1-0x00000000009B0000-0x00000000009EA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1476	powershell.exe
1720	powershell.exe
5088	powershell.exe
2236	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	Roblox.soft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	Roblox.soft.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	Roblox.soft.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
1972	Roblox.soft.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	Roblox.soft.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	powershell.exe
Token: SeSecurityPrivilege	1476	powershell.exe
Token: SeTakeOwnershipPrivilege	1476	powershell.exe
Token: SeLoadDriverPrivilege	1476	powershell.exe
Token: SeSystemProfilePrivilege	1476	powershell.exe
Token: SeSystemtimePrivilege	1476	powershell.exe
Token: SeProfSingleProcessPrivilege	1476	powershell.exe
Token: SeIncBasePriorityPrivilege	1476	powershell.exe
Token: SeCreatePagefilePrivilege	1476	powershell.exe
Token: SeBackupPrivilege	1476	powershell.exe
Token: SeRestorePrivilege	1476	powershell.exe
Token: SeShutdownPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeSystemEnvironmentPrivilege	1476	powershell.exe
Token: SeRemoteShutdownPrivilege	1476	powershell.exe
Token: SeUndockPrivilege	1476	powershell.exe
Token: SeManageVolumePrivilege	1476	powershell.exe
Token: 33	1476	powershell.exe
Token: 34	1476	powershell.exe
Token: 35	1476	powershell.exe
Token: 36	1476	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeIncreaseQuotaPrivilege	1720	powershell.exe
Token: SeSecurityPrivilege	1720	powershell.exe
Token: SeTakeOwnershipPrivilege	1720	powershell.exe
Token: SeLoadDriverPrivilege	1720	powershell.exe
Token: SeSystemProfilePrivilege	1720	powershell.exe
Token: SeSystemtimePrivilege	1720	powershell.exe
Token: SeProfSingleProcessPrivilege	1720	powershell.exe
Token: SeIncBasePriorityPrivilege	1720	powershell.exe
Token: SeCreatePagefilePrivilege	1720	powershell.exe
Token: SeBackupPrivilege	1720	powershell.exe
Token: SeRestorePrivilege	1720	powershell.exe
Token: SeShutdownPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeSystemEnvironmentPrivilege	1720	powershell.exe
Token: SeRemoteShutdownPrivilege	1720	powershell.exe
Token: SeUndockPrivilege	1720	powershell.exe
Token: SeManageVolumePrivilege	1720	powershell.exe
Token: 33	1720	powershell.exe
Token: 34	1720	powershell.exe
Token: 35	1720	powershell.exe
Token: 36	1720	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3424	firefox.exe
3424	firefox.exe
3424	firefox.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe
3404	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1972	Roblox.soft.exe
3424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1476	1972	Roblox.soft.exe	74
PID 1972 wrote to memory of 1476	1972	Roblox.soft.exe	74
PID 1972 wrote to memory of 1720	1972	Roblox.soft.exe	77
PID 1972 wrote to memory of 1720	1972	Roblox.soft.exe	77
PID 1972 wrote to memory of 5088	1972	Roblox.soft.exe	79
PID 1972 wrote to memory of 5088	1972	Roblox.soft.exe	79
PID 1972 wrote to memory of 2236	1972	Roblox.soft.exe	81
PID 1972 wrote to memory of 2236	1972	Roblox.soft.exe	81
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 780 wrote to memory of 3424	780	firefox.exe	87
PID 3424 wrote to memory of 1852	3424	firefox.exe	88
PID 3424 wrote to memory of 1852	3424	firefox.exe	88
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89
PID 3424 wrote to memory of 3296	3424	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Roblox.soft.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox.soft.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Roblox.soft.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Roblox.soft.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.0.1126597839\1999984819" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45d67a4-2eca-4178-a982-038c6d76061f} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 1800 23849ecfb58 gpu
    3⤵
    PID:1852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.1.1287873718\1772427014" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7321d6b-ce8b-424c-bca2-7fe5e94b7a19} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 2152 2383ef6f858 socket
    3⤵
    - Checks processor information in registry
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.2.1691013521\1210925369" -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 3012 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4c378f-b0e0-4ff0-b3bc-8ca99c014da5} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 3184 2384e09b358 tab
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.3.389978312\230479794" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8987a7fa-3455-465e-a9ec-304037c26715} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 3632 2384e65aa58 tab
    3⤵
    PID:4968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.4.1796701936\352824105" -childID 3 -isForBrowser -prefsHandle 4376 -prefMapHandle 2952 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89c941e7-d3f6-4a66-af7d-592cb7ac1f5a} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 4380 2384fe77d58 tab
    3⤵
    PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.5.118244546\598169956" -childID 4 -isForBrowser -prefsHandle 4848 -prefMapHandle 4852 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {456e0ab4-a7fe-4ef0-885d-368db4e190d7} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 4868 2385061c558 tab
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.6.1837474576\724168283" -childID 5 -isForBrowser -prefsHandle 5024 -prefMapHandle 5028 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ffffdea-37d3-4a01-b727-ea5986b0254b} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 4988 2385061b958 tab
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3424.7.2121568070\1687414964" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1328 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a93314f0-e9f4-4366-9125-c2f9d5809aee} 3424 "\\.\pipe\gecko-crash-server-pipe.3424" 5196 2385061cb58 tab
    3⤵
    PID:3176

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b720c70c62eaffafd0baf1633ed267de

SHA1
d0ebe6b3676565ef72be941b14698124f4210778

SHA256
fe60300354de3a049525eae42d514a62d23a63debccb755e6c97ff38e20eedf2

SHA512
5066bc95310117e9cb1786d7fa6c7e43d70356ba246d364fe762a0c3a201a07e322602f548da694b379b6927c85b09c2fcfe4de0643da1ba4a50e8571e7a0b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fab0343b7290b693fd81b8bf80688bee

SHA1
d9c1c47a5f8fc2397ba4434a51d138b684534f02

SHA256
91eaafc2aaa0fca5fe1d1d8deda5d78c7b1c7fed0fc85d30c8a77dea1182d147

SHA512
bebbcd54f93697f57fcf433c98c5e543cfa4082bdd19d5f6ec4f1f3e35de97094e3dab6f531b4ccd25b99e1582021605fc33d52ed463829c0e181dc3072cc77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c47b66bad8af138b4e3d8d9b61e957b5

SHA1
9dde56e6eea0da9b28fdb5115160a6dfb6e40cca

SHA256
7bcd7b4114d1db27e43f92dab19da10f678b66443edfa3e1b2c948e997271a31

SHA512
22f1e0b8beb4567f6a978a2415459c31f35bd3d938f9fb6cced49df2505254969cc43663fd121885ef43a005b4f6fd01bcccc1a58d02d95ef8a033e9dfe3f78e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

Filesize
13KB

MD5
2f75bf021c90639c01ea1faad6dd1837

SHA1
52b6dfd19123e0c0dbfb56db763eb7c1296e4831

SHA256
d3cb36d3ece1a1b21c27fdd121a63d85e9227a84ef52f38d6f39a4384bffafe3

SHA512
fefc185f383f0e9d21909b0ab205af4a5ead626edd66a1109a74642ea25eb1002d0ee1dbd58689f81ed42685ec97813e241b4576e686e1da99bce021d434255d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yghfk5sz.ts2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
696e379440d320b24a0f8e28610eed23

SHA1
5d599c27d9b102f49e1af30ec33b0394e3093814

SHA256
8fd789a631987e482ec45a0f5c89ce7854f6db379da6c8e8014ac4f41979319a

SHA512
c29750f11c07215153784b741ad8aa86893b0756cf8ae0d30b1222de0279b653c30e034ee0fcae4247ce25e8014749beb3921d5960e3514d819f02ed20e9e14b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\6c9f2a79-2b16-4fc9-900f-bbd329e608c1

Filesize
10KB

MD5
a84dddb281a9bbb7f480213aa52b8f8a

SHA1
a8af1dc89922f4849b3a47c40ca95a0b3e31a093

SHA256
fc60e730fc7f3c8aaa7e708a4532646798245ed6f3894b421bf52e27e5b14a28

SHA512
81a7681a4c335c475ec17ddbe072ed121f2a6d2fca49963fe8dd3e02da3a97435748e14b819a2f5cd9de6003c8f2aa1fc8a36f023d7a4b73af263b4b4f92bb4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\d6bf54d9-fc0a-4b7f-9a11-412f7554fd25

Filesize
746B

MD5
252790aa494f17182627312960c65e67

SHA1
9ab2b03f04a28e626f8aad3cbddd09fe2fe488ac

SHA256
58560f0f3211b27c8fe8a414a5297cda7482b6658605b2fdca1ec051288438b9

SHA512
e5ff9a48036c2f285648e8ea64e4defc040e0c99b5386e5530de39e0e76c0ed38785a56d5ff8627f47b10c97b57d816dd6c6b5037b05285ad603ad899b15a32c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
5caaeaa809bbfc225b3a5945f870852a

SHA1
b95ee3269d567c92fe02eca44cf924091a7fbb50

SHA256
314dccaccaffc78ad3a4083bf49ace527ef342b4f7b0c09807aaf9ddd75de3d1

SHA512
859a8c325723115fab7f8e36cce82c7bf2bfe432f2a1313bbef8cc1d6e57b08f333c27fa9a972cd887ec9529db76b5f1106873362cd47857e4c78d5c30915dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
7KB

MD5
6c3ae5bc72cb63416b3b02d21867285b

SHA1
a91f5399c72572c3e8f7c80896e1f812fb308cf8

SHA256
8b6679be7954ab13321a0817b99bd1b88b58298e4731c063aa63588068ba9b3c

SHA512
51e9a97657d98b647ca91bdc740a4c1e7af34d5df83b10301aae0d41705c364a125dedeffbae014ad593928d52c64b9d0ef9ea112e381d7d931dd839600920b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

Filesize
6KB

MD5
58f60148e4d61828b777e75506e53689

SHA1
13ff6ee6a19740da3401a1419803f54c3e773a16

SHA256
7b28cdd32011be8a96b2b74611838ce659e810aa65f57b01a5771bd118a88ff1

SHA512
003fb201160c1661225201c0d0889a89ea560bb56ee013ec289a4eb992dde69c96369706d46994dce0e1d568e1c4f42e1ca20df75b675c2667210e3fb0f88f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7feba05e5eda56a2f9a8018f2bade337

SHA1
cbaedd2d6392e67c4733fb624cb725b75c39a27f

SHA256
d6b2e45f2fd88e081f405c698dbd3e1e357ba5c0e65574f395c750f727feef3b

SHA512
972af3eb40288bfb79c8fc0fd36bcb9005e38b9167bd24cdd633ace9ee46861bdc74d616d4af69f8e40b4a7f27672debd99556b229ea876980e16ae439f3c5aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4

Filesize
896B

MD5
b690786021dcf666059cd6eaa655ed4b

SHA1
be8a8278f00127713c8e8ae4c79654bb9074cbe9

SHA256
452bd88a49af5e69135d6ac017836eedfafcfec8412ecb7ea6c0bcb33e415070

SHA512
609a1fae14c29a6a3241a087d8b3c1a4ef699f3cd97ecd504871b608f0dfa73af678cc93bb9fe59c5f3a43c041d42b67f0a97bca175603efc8f9d7cb6dc53c31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0d0013d9708d9fef539adc917f5b87f6

SHA1
5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

SHA256
f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

SHA512
851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Download Submit
memory/1476-12-0x000001EE75910000-0x000001EE75986000-memory.dmp

Filesize
472KB

Download
memory/1476-8-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-7-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-6-0x000001EE75700000-0x000001EE75722000-memory.dmp

Filesize
136KB

Download
memory/1476-9-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-52-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-41-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-48-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-0-0x00007FFA85F83000-0x00007FFA85F84000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x00000000009B0000-0x00000000009EA000-memory.dmp

Filesize
232KB

Download
memory/1972-188-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-187-0x00007FFA85F83000-0x00007FFA85F84000-memory.dmp

Filesize
4KB

Download
memory/1972-186-0x00007FFA85F80000-0x00007FFA8696C000-memory.dmp

Filesize
9.9MB

Download