xworm | 45e0996bc0c167dc427891ecc287d98cab9a5157ec74803c8873c435067f42f7

Analysis

max time kernel
100s
max time network
109s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dsad.bat
Size

122KB
MD5

966f3ad6d9f5ad03afbef0a7917cbede
SHA1

5c62ed021daefb494d236017d5cd5110928942a0
SHA256

45e0996bc0c167dc427891ecc287d98cab9a5157ec74803c8873c435067f42f7
SHA512

0774869e64b20dbfa503a65b3c40b0e1ef15cfba16078a9526da7bacf46a69636be2bf52dc20ee6f502d59dabd76ddf6a088ce85e931b20f4e9094017a7821ae
SSDEEP

3072:PX5WdgyknI18fbSRFmj53iT4GgV/POVuAQDXiriToJl0:PX557y+bz53iKOV9QDYi0Jl0

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

left-noon.gl.at.ply.gg:60705

Attributes

Install_directory
%AppData%
install_file
US11B.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045048-159.dat	family_xworm
behavioral1/memory/2292-162-0x0000000000060000-0x000000000007A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4860	powershell.exe
3164	powershell.exe
2788	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	sms8944.tmp

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms8944.lnk	sms8944.tmp
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms8944.lnk	sms8944.tmp

Executes dropped EXE 2 IoCs

pid	Process
1836	bdzyqzk78j.exe
2292	sms8944.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sms8944 = "C:\\Users\\Admin\\AppData\\Roaming\\sms8944.tmp"	sms8944.tmp

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
2320	certutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000_Classes\Local Settings	OpenWith.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe
2788	powershell.exe
2788	powershell.exe
4860	powershell.exe
4860	powershell.exe
2292	sms8944.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	sms8944.tmp
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeIncreaseQuotaPrivilege	3164	powershell.exe
Token: SeSecurityPrivilege	3164	powershell.exe
Token: SeTakeOwnershipPrivilege	3164	powershell.exe
Token: SeLoadDriverPrivilege	3164	powershell.exe
Token: SeSystemProfilePrivilege	3164	powershell.exe
Token: SeSystemtimePrivilege	3164	powershell.exe
Token: SeProfSingleProcessPrivilege	3164	powershell.exe
Token: SeIncBasePriorityPrivilege	3164	powershell.exe
Token: SeCreatePagefilePrivilege	3164	powershell.exe
Token: SeBackupPrivilege	3164	powershell.exe
Token: SeRestorePrivilege	3164	powershell.exe
Token: SeShutdownPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeSystemEnvironmentPrivilege	3164	powershell.exe
Token: SeRemoteShutdownPrivilege	3164	powershell.exe
Token: SeUndockPrivilege	3164	powershell.exe
Token: SeManageVolumePrivilege	3164	powershell.exe
Token: 33	3164	powershell.exe
Token: 34	3164	powershell.exe
Token: 35	3164	powershell.exe
Token: 36	3164	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeIncreaseQuotaPrivilege	2788	powershell.exe
Token: SeSecurityPrivilege	2788	powershell.exe
Token: SeTakeOwnershipPrivilege	2788	powershell.exe
Token: SeLoadDriverPrivilege	2788	powershell.exe
Token: SeSystemProfilePrivilege	2788	powershell.exe
Token: SeSystemtimePrivilege	2788	powershell.exe
Token: SeProfSingleProcessPrivilege	2788	powershell.exe
Token: SeIncBasePriorityPrivilege	2788	powershell.exe
Token: SeCreatePagefilePrivilege	2788	powershell.exe
Token: SeBackupPrivilege	2788	powershell.exe
Token: SeRestorePrivilege	2788	powershell.exe
Token: SeShutdownPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeSystemEnvironmentPrivilege	2788	powershell.exe
Token: SeRemoteShutdownPrivilege	2788	powershell.exe
Token: SeUndockPrivilege	2788	powershell.exe
Token: SeManageVolumePrivilege	2788	powershell.exe
Token: 33	2788	powershell.exe
Token: 34	2788	powershell.exe
Token: 35	2788	powershell.exe
Token: 36	2788	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeIncreaseQuotaPrivilege	4860	powershell.exe
Token: SeSecurityPrivilege	4860	powershell.exe
Token: SeTakeOwnershipPrivilege	4860	powershell.exe
Token: SeLoadDriverPrivilege	4860	powershell.exe
Token: SeSystemProfilePrivilege	4860	powershell.exe
Token: SeSystemtimePrivilege	4860	powershell.exe
Token: SeProfSingleProcessPrivilege	4860	powershell.exe
Token: SeIncBasePriorityPrivilege	4860	powershell.exe
Token: SeCreatePagefilePrivilege	4860	powershell.exe
Token: SeBackupPrivilege	4860	powershell.exe
Token: SeRestorePrivilege	4860	powershell.exe
Token: SeShutdownPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeSystemEnvironmentPrivilege	4860	powershell.exe
Token: SeRemoteShutdownPrivilege	4860	powershell.exe
Token: SeUndockPrivilege	4860	powershell.exe
Token: SeManageVolumePrivilege	4860	powershell.exe
Token: 33	4860	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe
1920	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2292	sms8944.tmp
4756	OpenWith.exe
1920	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 2320	4268	cmd.exe	83
PID 4268 wrote to memory of 2320	4268	cmd.exe	83
PID 4268 wrote to memory of 1836	4268	cmd.exe	84
PID 4268 wrote to memory of 1836	4268	cmd.exe	84
PID 1836 wrote to memory of 2292	1836	bdzyqzk78j.exe	86
PID 1836 wrote to memory of 2292	1836	bdzyqzk78j.exe	86
PID 2292 wrote to memory of 3164	2292	sms8944.tmp	88
PID 2292 wrote to memory of 3164	2292	sms8944.tmp	88
PID 2292 wrote to memory of 2788	2292	sms8944.tmp	91
PID 2292 wrote to memory of 2788	2292	sms8944.tmp	91
PID 2292 wrote to memory of 4860	2292	sms8944.tmp	93
PID 2292 wrote to memory of 4860	2292	sms8944.tmp	93
PID 2292 wrote to memory of 4392	2292	sms8944.tmp	95
PID 2292 wrote to memory of 4392	2292	sms8944.tmp	95
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 2696 wrote to memory of 1920	2696	firefox.exe	109
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110
PID 1920 wrote to memory of 4160	1920	firefox.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dsad.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\certutil.exe
  certutil -decode C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
  2⤵
  - Deobfuscate/Decode Files or Information
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
  C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\sms8944.tmp
    "C:\Users\Admin\AppData\Local\Temp\sms8944.tmp"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sms8944.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sms8944.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sms8944.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sms8944" /tr "C:\Users\Admin\AppData\Roaming\sms8944.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\sms8944.tmp"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c38e5a14-d38c-4646-8ce7-711863da6dbd} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" gpu
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfea12e9-8e2f-44a6-b761-2a6c21ec3085} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" socket
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -childID 1 -isForBrowser -prefsHandle 2508 -prefMapHandle 2780 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed505e3-93dc-4890-a162-3cc763aefff7} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 2 -isForBrowser -prefsHandle 4372 -prefMapHandle 4368 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15ab25cc-b40c-4743-9fd5-7736d1e56bc7} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
    3⤵
    PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5076 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 5020 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8438288f-0c16-4524-ad17-9f925a02c8a6} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" utility
    3⤵
    - Checks processor information in registry
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5536 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e079e9ae-5c8d-4d64-90a9-043d4b57928c} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5392 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5252b70-ad43-447f-8a5a-251c52a4c66f} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
    3⤵
    PID:5688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1028 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fda69fa9-0372-426d-89b6-8f48bf5a5d6d} 1920 "\\.\pipe\gecko-crash-server-pipe.1920" tab
    3⤵
    PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c06ccaa916be037512b5ad5da60c6429

SHA1
ffce5e21705bb9ac199c63b6a87416325f5e1b0b

SHA256
c248bdcbef3a11b9bd88919b794a75a99ff4026adf170552c09f523ca7bdc0bd

SHA512
074a425736dec16a85b020d9ba557c48867ab74cdb0f04b5b3b0cc42ba4d34649c663b2d70906ccd5bc36f8b85b121595ed06fdfa86c3206ec92460bb3ad0d0f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
df33640bb11769edcafcd5ff8c324735

SHA1
775d9a1c3410ff24d395af4c6198d2c594750061

SHA256
4de7f0e01ea251d6aaf2c71bf78baa4b28b2a5d409fc22c302f8229f66ef0cff

SHA512
b6034c1ce3e1b902de8611d1c9519f3b60c443be64b6d39f19cf2b6c079213d1e723691928aeadcc0dc81357f59bc0b4e5db94bb423ccb676a03eb78a571d6c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
1f7960f0f3b2be3a7608d15046a40efd

SHA1
9203678119ae67da361a893b4d48f2a34f08eba1

SHA256
dbfdc54690ec1a8050dd8a26ea287f121d3d17b230ed6d0dbe327c73f305f4ad

SHA512
8f9569b9ce6471ace2cf96e778be2e2bdd1266dd8fc359a9cf639446cd1446f62a84d3738ad7f232bf3a0e4ea7ed6a531ebac44c6f7020aa02f691381832c097

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\cache2\entries\755C5E21902B85B047E204DC57E22B0E2EC33924

Filesize
13KB

MD5
ec538939745663dd0d59c32ec3581072

SHA1
d3412de76bb50178856be6c216c89a2ed1ab8cf1

SHA256
7811f54b9f27ecf6ac7dcfbe7166f80ef609d4a8c6d6f6583d582325946a7e48

SHA512
8fab32325c3e79cc820ae0f23ec59fb555d6915cb4b9a5c2b52d0e97387a304b5763dbbffc42c46a17d8464ba453a3f59a5dde331d7eafcf3b66db7b74cb271d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rm4suhp2.jss.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe

Filesize
89KB

MD5
c708b4e6749fe2bea4c7a6881f2d21fc

SHA1
1264556923d27d0266a1a34a305c9c5deded08c0

SHA256
4454446918edc9730718e4ce610986706f14b03c0c2c1cb2eab6d774ef73d581

SHA512
6886a023e040edeafdc59c07bbcf1b97329e9dbe63b098ef16004dcc5b5a9644e431221cf9b37b4612f1ac14d548b0df1c538f998e44ba8f93a8a10cbeffef44

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt

Filesize
119KB

MD5
7f70cd0d872ebbfc9917850c310ca541

SHA1
cd957a542f30964e8943550ce52b07b2ffcb5676

SHA256
70a42df8f7ea2080973d351d99324be090bfb58b91d6d708313828a7a3d2e53a

SHA512
c96e9726d34dee24c734e81af7e35cf8153aa853d91890dbe8e6311e9019886c39bfa7a6da86f78d7c20ac0ed1e509906bd572abb3def986d7ef8272d8305b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt

Filesize
7KB

MD5
62f0045a3133367c21b17f3b71579fa7

SHA1
20f1fa70407b6ca8033eea474e3ddbd99267497f

SHA256
5f7ea73166179fce0372fd66af291abaa25f67affcf4e5bc41eb248905c88ef8

SHA512
4a457bef7fb05a289ea088dd34132065f1d45b117450b6fbfc766b9b10d708f9d2a3fec30477e5172e49cf0714ff3be4743f48831ba50cb8a8c74af7b94b9e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms8944.tmp

Filesize
76KB

MD5
c01f551edc26c87f9060358f75bf227d

SHA1
3755e4043a98bbe6efff60f2442c29373049052a

SHA256
6f588a5b0a111fb296e01c7633b65c3904acb094feafced2c8f174e7d3013c1f

SHA512
dc919d689b4965f8df64d63f64bb289bd82bee2a2ca273835d55765e8bd69046b130fa931efad54e46de4bd5508503e6d3fb3d2fa6e493dbf88787b56de0770a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms8944.lnk

Filesize
771B

MD5
7f8eaa5a8de62c279036f4269c3b42ea

SHA1
0f9f3e3fe5649faadb238dfaef309a7e62067b33

SHA256
8851b41d172849c2e8976ca06a3b198243aa9ebbf1ef11712cd9dd9e7fcd53e7

SHA512
69e8557ce55d3538d2cb5e16f573dcc826dfdb5b10e34b6624097cb0beecb928e44b1af457b1538eabee891d9fbe2478933b3d71acf49ef49f1f288f6d9e3798

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
7KB

MD5
33cf25d42d3c6d35674d5f6e0adf45f9

SHA1
bdc0f6e93d14a49a90f3065b93c8ebb91939c63d

SHA256
3d49c9e471a5c27991bb7c0615edfc17c398167a82c1c0948d719082629923bf

SHA512
56f8875bbfedb2aea112cf525f79b23fd5b9d4a3f464ac8e34575ed84bbad184a9d918a8d331e5fe66160cb5b17dd857c2311ed1d093694db923dab77db9a6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
582910e2a0bea1ecb0ebb3091f45c429

SHA1
7cee7d2568afc710ccb5aa0be54b372d38e494cc

SHA256
5b06ca4fb7fba515fcf13d944b2c76c0416d34b4327d3f5e5286da94eef8aa0f

SHA512
98c3f098072985c9a48f76127a5186758a7fb089c25c6ef19a2e0aac20b286486e2830fe5af38928a2e845a78dd96817847cc3651fd892cf85e2e75a8ff10e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
528f076443ab4baafb42842708eb6b94

SHA1
28d4e2c9a9a67b0816a16c400edc68dc8b2a267c

SHA256
e1fa412937aa6b1b7d1f04efc9a709d247870f6b76b67c4504fb0ee7d74ac98c

SHA512
a69371bf5baac8559c56a6dc8ac67994e24c00d7db8cf57326356e4de6559b2eb743a811cd90e25c338f0fb0580c8648ec81bfbc89ccba816cf9dda32211a280

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\61b8e3c7-bb25-4b18-a450-ebadf8d76e9d

Filesize
26KB

MD5
a5d6f0b55b7b566c0082e6fc3a1b2cb0

SHA1
bdcd02a6ff37fab8773ca51a5fb4cd625137581b

SHA256
a8ea90895087aa2fff10ffbc11ec32a0cbb26f733b92e956d64752b6ff4ac357

SHA512
934b24c088ed5cba6b790460e7c01699f20ccc82edc6cbb212f7a818021b4efe1f7202472c90375577ff2f4b6f14167fc69b6737b14bd6db83bd4313d9c216f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\7c12efe5-059d-4c21-9717-eea54583146d

Filesize
671B

MD5
838c0dae339e6f56ce5f8f70a693f8d8

SHA1
e14535fda33f762f6a728c02e3af1192d2e4449b

SHA256
e3ffa2ead553b4fbb8d18e2f1cf2f76a941f4867b9fac7c309039e0800e90bdf

SHA512
01f3ef64b10baf5b169b32b4ad88827fbbf84684ba1a926cdde7cbe0cd69a963a18287ce510b4498959d656fdc0809297997b2ec932654cc22af08cc78cb5a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\aca60a4c-3f96-4ea4-84d4-3aee4c1fd3fb

Filesize
982B

MD5
de4254bdab307ffcdd102fabbda6a1e2

SHA1
76c7b27575c7e3c2ceb929f6ef2af015ee3e4047

SHA256
73b15efabff8d93591f3fa3eb23a540abfaaca0f0e8df6bc196bff3bf1d62b26

SHA512
df685340c7d6990f5d1118ba2417604f566a5e2b92b7422879282b2c4c61b489357380207d13d9cf66dbe45389d7a236cc7c5dee63d7438bc49dd7bcfb3db4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
12KB

MD5
f9112c741c3d2577e3036f1f63475b56

SHA1
5ef3b668f5596b01ed447f8533290de703baa5ce

SHA256
2a11580cedf6ab813a83562448cd6562d400870b53a1863b9e71e76e92aad7b8

SHA512
5683590d094b11b301a88b1ded58962151faec6a2c02e5f9c695391c28641e1d00141b757671b611b63346760280146bfc7af92ea4652038f25374558228c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
16KB

MD5
6baa80d8e56efb65774592ba626e25e8

SHA1
438812fdb9da8ab341b15bfbebfc96e823d35298

SHA256
a4984043e92144336cbace69d24abdf79ab86011c9d095e511a319f58f6216b7

SHA512
2525df19fbda98692dc6cac10cd9a416865d16fc573b7ddc3440b40235a623e6179ee94a43d9d6fd0701f644bff778014e9f41ac1dc2e28131a169df37cf261a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
396d561ded19a417d0ded0ee6ca645f6

SHA1
1053e111b1f9d4b765d34e769052674a3883ab39

SHA256
0ca1835678934e888071dc6488ac3cf620c34a55ad0c2d42474c67e51f4841c9

SHA512
11598224284826cf83cda38a27f0bf294353736cb0875870f358588a193f25cb4c50de2c3a858083360a089ad1bdd3ea4907cb9c199f257ed7e798d7153d02c3

Download Submit
memory/2292-162-0x0000000000060000-0x000000000007A000-memory.dmp

Filesize
104KB

Download
memory/2292-163-0x00007FFC36910000-0x00007FFC373D2000-memory.dmp

Filesize
10.8MB

Download
memory/2292-208-0x000000001D130000-0x000000001D13C000-memory.dmp

Filesize
48KB

Download
memory/2292-201-0x00007FFC36913000-0x00007FFC36915000-memory.dmp

Filesize
8KB

Download
memory/2292-207-0x00007FFC36910000-0x00007FFC373D2000-memory.dmp

Filesize
10.8MB

Download
memory/2292-161-0x00007FFC36913000-0x00007FFC36915000-memory.dmp

Filesize
8KB

Download
memory/3164-169-0x0000022D430B0000-0x0000022D430D2000-memory.dmp

Filesize
136KB

Download