Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 11:30
General
-
Target
XClient.exe
-
Size
56KB
-
MD5
8ce0fbc6a03e34c4a6e0f526df77607e
-
SHA1
37c79d70a2f9f5f79d1194a0e9b2c5763f4f14b4
-
SHA256
4a6979fd1860a2876e587fefc9a838c1b9c54625ea927260a6b628d6972f4e7f
-
SHA512
be6c8b31f5ec044353b6228af243d17f2470b5a536fc4c353c90e149354e8ff60f2e5edef51e28dbec47a093c8dac777cdd7d4c826f08e732f5632aff6c8ba6b
-
SSDEEP
768:gkjmsmfXz+TkuL3GPSw7xSuSop7TlbUSEYOANAL61bdO9h4ostF:gKmsmve3GPSUBtpdbUXYiL6bO9K
Malware Config
Extracted
xworm
127.0.0.1:24978
second-represent.gl.at.ply.gg:24978
-
Install_directory
%AppData%
-
install_file
svchost.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 58 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff93f0ab58,0x7fff93f0ab68,0x7fff93f0ab782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level2⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7c494ae48,0x7ff7c494ae58,0x7ff7c494ae683⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4964 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5036 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4756 --field-trial-handle=1924,i,2542188704967441510,1720732769893990856,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4e00c059h943bh45a3ha78fha98389280c281⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff938546f8,0x7fff93854708,0x7fff938547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,11655611526482981639,1812132934780704134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch -contentTile -url 0 https://word.office.com1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff938546f8,0x7fff93854708,0x7fff938547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,12318865696374145671,10974846442225748396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.0.951831163\1176126428" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b2d0916-1c38-4b92-9c4f-2489e135af60} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 1868 1b65700e058 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.1.2112315610\488125247" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2436 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17f0e59b-61b8-41d9-b60c-55792b5a7fcf} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 2452 1b64a285358 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.2.2018651387\1163855934" -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {823b154c-6e6d-4d11-8468-4eef73bc92b3} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 2912 1b6598f4258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.3.1247988039\854034135" -childID 2 -isForBrowser -prefsHandle 3692 -prefMapHandle 3688 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {539b3aec-cd86-454f-bc9f-faf413b6fa94} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 3700 1b64a276258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.4.1895831511\889123005" -childID 3 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54c8270c-7ae8-4c2c-a136-f2cc1ce03d0e} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 4920 1b65dd6e758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.5.1073859770\771849417" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3085a8d9-fcb2-42f3-acb9-bc11dbd7106f} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 4964 1b65dd6f658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5872.6.1757250339\1392733380" -childID 5 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1220 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ff85431-f05f-44f6-95f0-75489a9b0df8} 5872 "\\.\pipe\gecko-crash-server-pipe.5872" 5276 1b65dd6ed58 tab3⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CloseWait.DVR-MS"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
811B
MD56b3e8269cae5cfab0c294411aa0aa798
SHA1603e4931799407b6038fe2badd0a1d3cb2452216
SHA2561de7fad961ee7fee151ec6848bc15ca4a0820353a4290e997cbffaaac3c6b3c5
SHA51254e21b9c045c601145d7e8133c03aecbaff7f6ad918d7afc6f14b596d335d86022415d9601f87355d8d0eaaff7f422ab00e077469d1c0a15f9082e742f20f266
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5f8d5daca5f6417e1e2a5362ab226060d
SHA17dca1681be52c5d6a0d144f28271809add7bb8e9
SHA256db452094bd507a462a2c3dc93e4085ade4c27d76889ad440a636445b7d625306
SHA512b8bbf78fa81ad3011df3c9fe28d1d028fad67533c187f4f3f3a5cfa89568ad3692a5ee65bce38dbff1122a710d3e69add2c10eef03489bd0dca27cedb1d64466
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
257KB
MD5daa59d13248b1bdadcd28d33de1217e1
SHA10602836f418c57d4422309fca7a87ff35eef9472
SHA2565762ac9bf62dc4c8efb5547ce517a2d69e7c445fe655b5e024764398c1d75ef2
SHA512029d934649b9c437c1b54d5bf2761016381588932f3b484c8cd9fe1f6954971435bce74d163b0b09e3fd51856eb2c257197c33919fcfc3c10409b28d2390607b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
257KB
MD5dd59103793a2b715a06dc390ad01fa34
SHA1e88a5a7a70132efa2479e2a2a554c94eec440bd5
SHA25613f1205d1efb398b544e5615ac988da18ac2d3c7bc93f0840bab87968e191e4a
SHA51256890172af94abd384c96bf0fdb954d79620a25b8ee7e1f9bd32250b3d43e30117cb48e1c097a84c20e363f57e325d2284a60dcede37037993c9460693e5a996
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
257KB
MD511cfa3532d8e94744fe183bb5f19c72f
SHA1d871d0d1f908caa67023458c6cd747aa2d3f7d97
SHA256e0f21ccb5ac649e1ccf54c4e9e427eda9f533264eee74ff5cb29bf621cdd9dea
SHA5129bb0f24e6bb625eabe439720302c8373a2d4e70514baf160d96a205591fe4bf823ac590d38f15c0213ccd82a734af748890d6945bf99d36eebe58a26e123f8cd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f50a091b253172037dd77531196b8e6a
SHA17b7f973390d1ca3ab838fbadd952031b92cf2f2c
SHA256518fbb4abc9695517fc23bc4e93b866318f41deef16b265c3d3d11e3a4855225
SHA5120f650bbaa413b1a4bed72de2420104e9d032e47bd3a06e8a7c9b93d24ff1770d1dd9775d09931410da99e6c77ec5c5f0982dec6fcbd77d4939f413aeee447856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\84aefb38-8539-4473-bbeb-fa0a73973e74.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
61B
MD54df4574bfbb7e0b0bc56c2c9b12b6c47
SHA181efcbd3e3da8221444a21f45305af6fa4b71907
SHA256e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA51278b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5c9f5fde729a11497338fbb81f105cc94
SHA14d6d864dac4ba46ec109aeea2e724e5e53d29571
SHA2560d81d136997cf0b5e7688adcb3794ec6fd66d339e79b8132e5c9ce473607c1b0
SHA51211810105c6f450826c93c41932a84b618378e194b0ebfc87e0eaef2fad34e61865f2ebf9aceea655db95a68c01115c235b5bb86e3a9e274550c6b0b22b7f28ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD52c67792be209d393fd9d5fc857b5f913
SHA1f360db739807723b862dc9e2c91f7513943dd3ca
SHA256eaa2e15c927b13466e88091ebd47463969f07725b4b3ee0b2738c0c3d761948a
SHA512ad9106620713e0807ba6282da1b329dafdcb904306894ac0c5fc4d6bc029a8e0f4b8c6c3e6bb619e9580f695bfc140e58bdbb32fa70b0fe1b7a19c944a4dbfbf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD5723af4c51f5952e2e320322538fdbca5
SHA16bc1df2931c34e2b4a9ddb836919c36cade072df
SHA2562f0be5b1f9d260b0c2648d4f569dbf8e1a0955379597ddb4dc30930ac78017ea
SHA512c5e5807d1481eb0798adf45d7602f39ef7f376deb4ef27ccb84eb25e37fa2c38ce1ac2ab5d45a6c10364ad7b999526b097849b585d4bd7d891b7c540af2b8e84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
323B
MD50e24d058861848742447c7d5c74ebc25
SHA1efca6664675619f528eef9da58468e7b812f9b66
SHA2566d0e40e55c33b5d185328b2b84eea8ae4a5a96c474d8ddd4fae310783bc02b99
SHA5127e7d7dde9cfc6753776520be18498238c65830641e782d46a4a1a285b698ba7352a166cb978f52340d8f7e44648cbd5f4f1c5d79d964503750e5639b87a4ec75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5c58aa4e9228d3501404b043c0ef9d253
SHA1ac1a834ff82b55f718d9853be67335d01ed9833e
SHA256a502fa92307e715ea336eb26e655340e7c41946740ac360696ad4f56ce1e7988
SHA512eedb314a2b9ad5edf1a8b866a4b62b7066668582f963c661db808a46064786ec810bb71d04c409ee2c7f7102540cc7cb99c7d578ce85209ff7e68c4915190179
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD5bd8d1d64910905f912cb31364d4a58e4
SHA103e59cc7074b74c69c2773a86ad4e0fa46db5527
SHA256ddf44f92a64b9f6929ebc7dbab6d15b7c33215f5e0fcd7b47fe1dd02d576b985
SHA512b636d6048c5da5bfcd4ae6d27bf285ccd806af6de8f884c2376e84738de4e6e1c427d0dcf45c3bf78fc6ac712cc5bab063078f35d913d5ba0573dc27cb7e7fda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmpFilesize
27KB
MD50cffff6e312deaa9d3794f6eb1576bcc
SHA1df81d8e28278e02a4906abe22165f15ff92aa2b1
SHA256baa330739342960ad4f04c486985b4356c5c23c781e01e6eea99fcc380e73acc
SHA512e137b475ad3c59a0ecf94a034a8cfcfd7f6e083627399354ad06e8969f899457b90d888f1dc50a4d1b8e3f74bfc243ed49f0f8bfc0a8ddf977767051b5df27c8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koyg0kuv.wc5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.jsFilesize
7KB
MD5c96ca87911b8e5ace200a43682409749
SHA1a0068dc99674224303f249c8656c559c1a67502c
SHA256a78678131a671bc6cf15a036841cf159e9852a1ff6ecabe8a01b6f5ece576970
SHA512ca9c3f9a15d8b98c6dd7e24e2a54a1c5a63a4991eccf870219a62c864063f3365c7c51d52942bc8da1341c772f81096858b14879100781ca7531dd81a7e9a4ff
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4Filesize
903B
MD52a92dae6837b02aa37c3a70b82a05877
SHA16b713a81e5dc8832fa5a82c1ea011cf04d71a901
SHA256a10a382a3f8fd67fedf881dafc640de25a0a6afa12f64ef5ea3b6ab366d60a0d
SHA512cef45341c1228331ee646e61df8797a940c72e9421e03cb684756579e37bfc52d1ee36e8b51df504d6f12822992948183b96d020ef50fd7e80da2c4fa453f47b
-
\??\pipe\crashpad_464_MLLNYHXAQFBZAQZOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3292-0-0x00007FFF98773000-0x00007FFF98775000-memory.dmpFilesize
8KB
-
memory/3292-2-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB
-
memory/3292-54-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB
-
memory/3292-1-0x0000000000940000-0x0000000000954000-memory.dmpFilesize
80KB
-
memory/4792-8-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB
-
memory/4792-18-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB
-
memory/4792-13-0x0000024A0E5B0000-0x0000024A0E5D2000-memory.dmpFilesize
136KB
-
memory/4792-14-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB
-
memory/4792-15-0x00007FFF98770000-0x00007FFF99231000-memory.dmpFilesize
10.8MB