Analysis

max time kernel: 71s
max time network: 91s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/03/2023, 02:16

Static task: static1
Behavioral task: behavioral1
Sample: service.exe
Resource: win7-20230220-en
General

Target: service.exe
Size: 283KB
MD5: cc9cbbfa9ccc9cefe75253c65ad22405
SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
SSDEEP: 6144:7gZiAEAO0sByNsAal3gVAWgS7/OhwjKfqZK:7gZXEAO/BUdG3gVdt7KnfqZK
Malware Config

Extracted
  https://pastebin.com/raw/vNcCt60A

Extracted
  asyncrat
  1.0.7
  Default
  Mutex:
  delay: 3
  install: true
  install_file: csrss.exe
  install_folder: %AppData%
  pastebin_config: https://pastebin.com/raw/3Z9zi18j
Signatures

Async RAT payload (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x0001000000023117-184.dat | asyncrat
  behavioral2/files/0x0001000000023117-185.dat | asyncrat
  behavioral2/memory/3380-187-0x00000000006F0000-0x0000000000706000-memory.dmp | asyncrat
  behavioral2/files/0x000900000002311c-196.dat | asyncrat
  behavioral2/files/0x000900000002311c-197.dat | asyncrat

Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  31 | 5112 | powershell.exe
  34 | 5112 | powershell.exe
  36 | 5112 | powershell.exe

Downloads MZ/PE file

Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  4560 | attrib.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | service.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | tmp6DD0.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3380 | tmp6DD0.exe
  4876 | csrss.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4908 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3976 | timeout.exe

Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | service.exe
  Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | firefox.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid | Process | identical entries
  5112 | powershell.exe | 2
  3380 | tmp6DD0.exe | 23

Suspicious use of AdjustPrivilegeToken (26 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5112 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 5112 | powershell.exe
  Token: SeSecurityPrivilege | 5112 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 5112 | powershell.exe
  Token: SeLoadDriverPrivilege | 5112 | powershell.exe
  Token: SeSystemProfilePrivilege | 5112 | powershell.exe
  Token: SeSystemtimePrivilege | 5112 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 5112 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 5112 | powershell.exe
  Token: SeCreatePagefilePrivilege | 5112 | powershell.exe
  Token: SeBackupPrivilege | 5112 | powershell.exe
  Token: SeRestorePrivilege | 5112 | powershell.exe
  Token: SeShutdownPrivilege | 5112 | powershell.exe
  Token: SeDebugPrivilege | 5112 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 5112 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 5112 | powershell.exe
  Token: SeUndockPrivilege | 5112 | powershell.exe
  Token: SeManageVolumePrivilege | 5112 | powershell.exe
  Token: 33 | 5112 | powershell.exe
  Token: 34 | 5112 | powershell.exe
  Token: 35 | 5112 | powershell.exe
  Token: 36 | 5112 | powershell.exe
  Token: SeDebugPrivilege | 3380 | tmp6DD0.exe
  Token: SeDebugPrivilege | 4876 | csrss.exe
  Token: SeDebugPrivilege | 4768 | firefox.exe
  Token: SeDebugPrivilege | 4768 | firefox.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | Process | identical entries
  4768 | firefox.exe | 4

Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process | identical entries
  4768 | firefox.exe | 3

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4768 | firefox.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | identical entries
  PID 1864 wrote to memory of 1832 | 1864 | service.exe | 86 | 3
  PID 1832 wrote to memory of 5112 | 1832 | WScript.exe | 87 | 3
  PID 5112 wrote to memory of 4560 | 5112 | powershell.exe | 97 | 3
  PID 5112 wrote to memory of 3380 | 5112 | powershell.exe | 98 | 2
  PID 3380 wrote to memory of 1992 | 3380 | tmp6DD0.exe | 99 | 2
  PID 3380 wrote to memory of 3236 | 3380 | tmp6DD0.exe | 101 | 2
  PID 3236 wrote to memory of 3976 | 3236 | cmd.exe | 103 | 2
  PID 1992 wrote to memory of 4908 | 1992 | cmd.exe | 104 | 2
  PID 3236 wrote to memory of 4876 | 3236 | cmd.exe | 105 | 2
  PID 2532 wrote to memory of 4768 | 2532 | firefox.exe | 117 | 11
  PID 4768 wrote to memory of 4384 | 4768 | firefox.exe | 118 | 2
  PID 4768 wrote to memory of 4816 | 4768 | firefox.exe | 119 | 30

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  4560 | attrib.exe
Processes
(each entry is indented by its depth in the process tree; the depth is given in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\service.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\service.exe"
    PID: 1864
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      PID: 1832
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        PID: 5112
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          Command line: "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
          PID: 4560
          - Sets file to hidden
          - Views/modifies file attributes
      [4] C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe"
          PID: 3380
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
            PID: 1992
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\schtasks.exe
              Command line: schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
              PID: 4908
              - Creates scheduled task(s)
        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat""
            PID: 3236
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\timeout.exe
              Command line: timeout 3
              PID: 3976
              - Delays execution with timeout.exe
          [6] C:\Users\Admin\AppData\Roaming\csrss.exe
              Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe"
              PID: 4876
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 2532
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      PID: 4768
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.0.632713011\1673088192" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a98fc4-5551-49a4-82fc-1e37100ee8eb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 1932 1ad5e6ec258 gpu
        PID: 4384
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.1.1654518729\1874500889" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e4a683-8420-4dfa-a304-20befaa509a6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2332 1ad51670758 socket
        PID: 4816
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.2.1045902809\531703940" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2996 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72650503-f3bf-4997-aff4-245b01766510} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3124 1ad61fd3758 tab
        PID: 5460
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.3.608619865\1424478353" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18e48ff-ef76-4d44-807d-fbcff98fd3c1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3964 1ad6337b558 tab
        PID: 5656
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.4.342650432\480264199" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 4336 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274c9739-175f-410b-86c7-b3abb7ff49ce} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4120 1ad63b57058 tab
        PID: 5772
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.6.542533137\591240270" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {732f8a83-98fa-4f04-a455-12fd2e52338e} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5096 1ad64b91e58 tab
        PID: 2220
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.5.5989472\670693918" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4952 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {377b7663-d4a6-4ceb-9ba2-01eb9ddac2c5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4992 1ad64b8eb58 tab
        PID: 1944
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.7.1337911745\1257909608" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e10d2fe3-6f5e-4dfb-b204-461f32ba10d6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5404 1ad5162f058 tab
        PID: 4952
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.8.1338445598\1344592524" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbf59cb-044b-4ca3-9ad2-bb0b3ed9ec53} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5620 1ad64964258 tab
        PID: 4716
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.9.220620353\675854212" -childID 8 -isForBrowser -prefsHandle 5884 -prefMapHandle 5804 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21122cb0-c6df-40e5-8816-bc2b2240c3bc} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4320 1ad51662e58 tab
        PID: 3872
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.10.1427892112\1614766521" -childID 9 -isForBrowser -prefsHandle 2896 -prefMapHandle 5528 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af933ee-9ec2-4ced-8922-89f3fbcf1e8c} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5272 1ad60758858 tab
        PID: 5544
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.11.928876294\482638547" -childID 10 -isForBrowser -prefsHandle 4480 -prefMapHandle 4492 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e97e5c-807e-4ec8-b9f4-49d9d8714431} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4456 1ad63cb2958 tab
        PID: 5628
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.12.1694043196\1372067298" -parentBuildID 20221007134813 -prefsHandle 6016 -prefMapHandle 6104 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d305030f-4d69-4bba-b87b-b9fd61c3d68b} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6096 1ad63caca58 rdd
        PID: 4476
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.13.88034416\46627564" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec2630f8-3221-480a-b88e-28a1034b5de1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6176 1ad66970c58 utility
        PID: 1372
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.14.861335527\1117332027" -childID 11 -isForBrowser -prefsHandle 6448 -prefMapHandle 6416 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {101d0449-8fae-41b5-9664-b81014617069} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6456 1ad64962158 tab
        PID: 5620
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.15.1020053502\1019942760" -childID 12 -isForBrowser -prefsHandle 6420 -prefMapHandle 6424 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7d2f69-e783-46bc-9411-417d302d8a92} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6588 1ad66eb9e58 tab
        PID: 6000
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.16.1102546654\1024827853" -childID 13 -isForBrowser -prefsHandle 6872 -prefMapHandle 6780 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c728a8-e538-4316-ad7b-c4a9c16df1fb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6820 1ad61f82758 tab
        PID: 3860
Network
MITRE ATT&CK Enterprise v6
Downloads