Analysis

  • max time kernel: 71s
  • max time network: 91s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15/03/2023, 02:16

General

  • Target: service.exe
  • Size: 283KB
  • MD5: cc9cbbfa9ccc9cefe75253c65ad22405
  • SHA1: f126e2c4431a9eacab858316eaf031fb5e7bc9f1
  • SHA256: 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
  • SHA512: bbc779e3daf6d9dcf249ba59d99feb34a62fe7f381d74b608fcc8719806eef88a04491983623417c9560f2dfc4858f6e8ec12362cf93e57ca3a78e1984ba2e17
  • SSDEEP: 6144:7gZiAEAO0sByNsAal3gVAWgS7/OhwjKfqZK:7gZXEAO/BUdG3gVdt7KnfqZK

Malware Config

Extracted

  • Language: ps1
  • Source
  • URLs
    • exe.dropper: https://pastebin.com/raw/vNcCt60A

Extracted

  • Family: asyncrat
  • Version: 1.0.7
  • Botnet: Default
  • Mutex: Mutex
  • Attributes
    • delay: 3
    • install: true
    • install_file: csrss.exe
    • install_folder: %AppData%
    • pastebin_config: https://pastebin.com/raw/3Z9zi18j
  • aes.plain

Signatures

  • AsyncRat
    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.
  • Async RAT payload (5 IoCs)
  • Blocklisted process makes network request (3 IoCs)
  • Downloads MZ/PE file
  • Sets file to hidden (1 TTP, 1 IoC)
    Modifies file attributes to stop the file showing in Explorer and similar tools.
  • Checks computer location settings (2 TTPs, 3 IoCs)
    Looks up the country code configured in the registry, likely for geofencing.
  • Executes dropped EXE (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Checks processor information in registry (2 TTPs, 5 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Delays execution with timeout.exe (1 IoC)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious use of AdjustPrivilegeToken (26 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • Views/modifies file attributes (1 TTP, 1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\service.exe
    "C:\Users\Admin\AppData\Local\Temp\service.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Windows\SysWOW64\attrib.exe
          "C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4560
        • C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\system32\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'
              6⤵
              • Creates scheduled task(s)
              PID:4908
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat""
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3236
            • C:\Windows\system32\timeout.exe
              timeout 3
              6⤵
              • Delays execution with timeout.exe
              PID:3976
            • C:\Users\Admin\AppData\Roaming\csrss.exe
              "C:\Users\Admin\AppData\Roaming\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:4876
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.0.632713011\1673088192" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a98fc4-5551-49a4-82fc-1e37100ee8eb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 1932 1ad5e6ec258 gpu
        3⤵
        PID:4384
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.1.1654518729\1874500889" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e4a683-8420-4dfa-a304-20befaa509a6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2332 1ad51670758 socket
        3⤵
        PID:4816
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.2.1045902809\531703940" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2996 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72650503-f3bf-4997-aff4-245b01766510} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3124 1ad61fd3758 tab
        3⤵
        PID:5460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.3.608619865\1424478353" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18e48ff-ef76-4d44-807d-fbcff98fd3c1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3964 1ad6337b558 tab
        3⤵
        PID:5656
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.4.342650432\480264199" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 4336 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274c9739-175f-410b-86c7-b3abb7ff49ce} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4120 1ad63b57058 tab
        3⤵
        PID:5772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.6.542533137\591240270" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {732f8a83-98fa-4f04-a455-12fd2e52338e} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5096 1ad64b91e58 tab
        3⤵
        PID:2220
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.5.5989472\670693918" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4952 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {377b7663-d4a6-4ceb-9ba2-01eb9ddac2c5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4992 1ad64b8eb58 tab
        3⤵
        PID:1944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.7.1337911745\1257909608" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e10d2fe3-6f5e-4dfb-b204-461f32ba10d6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5404 1ad5162f058 tab
        3⤵
        PID:4952
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.8.1338445598\1344592524" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbf59cb-044b-4ca3-9ad2-bb0b3ed9ec53} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5620 1ad64964258 tab
        3⤵
        PID:4716
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.9.220620353\675854212" -childID 8 -isForBrowser -prefsHandle 5884 -prefMapHandle 5804 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21122cb0-c6df-40e5-8816-bc2b2240c3bc} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4320 1ad51662e58 tab
        3⤵
        PID:3872
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.10.1427892112\1614766521" -childID 9 -isForBrowser -prefsHandle 2896 -prefMapHandle 5528 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af933ee-9ec2-4ced-8922-89f3fbcf1e8c} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5272 1ad60758858 tab
        3⤵
        PID:5544
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.11.928876294\482638547" -childID 10 -isForBrowser -prefsHandle 4480 -prefMapHandle 4492 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e97e5c-807e-4ec8-b9f4-49d9d8714431} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4456 1ad63cb2958 tab
        3⤵
        PID:5628
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.12.1694043196\1372067298" -parentBuildID 20221007134813 -prefsHandle 6016 -prefMapHandle 6104 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d305030f-4d69-4bba-b87b-b9fd61c3d68b} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6096 1ad63caca58 rdd
        3⤵
        PID:4476
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.13.88034416\46627564" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec2630f8-3221-480a-b88e-28a1034b5de1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6176 1ad66970c58 utility
        3⤵
        PID:1372
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.14.861335527\1117332027" -childID 11 -isForBrowser -prefsHandle 6448 -prefMapHandle 6416 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {101d0449-8fae-41b5-9664-b81014617069} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6456 1ad64962158 tab
        3⤵
        PID:5620
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.15.1020053502\1019942760" -childID 12 -isForBrowser -prefsHandle 6420 -prefMapHandle 6424 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7d2f69-e783-46bc-9411-417d302d8a92} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6588 1ad66eb9e58 tab
        3⤵
        PID:6000
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.16.1102546654\1024827853" -childID 13 -isForBrowser -prefsHandle 6872 -prefMapHandle 6780 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c728a8-e538-4316-ad7b-c4a9c16df1fb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6820 1ad61f82758 tab
        3⤵
        PID:3860

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp
    Filesize: 158KB
    MD5: b3a0db2044ea20932b47c4706c2b1b18
    SHA1: d6850d0c95412f48474ff76a6dae99763761dc63
    SHA256: 0a936eea42ffefdcf5d2e0bc55f37dbc9fdf97a2db064e3306aa0a7e6d582b65
    SHA512: 092d20dfab1e3c1427c10b4040e2b745c4050f4ec8c94549e454e632cbf97dcc5fc11cbbf3fe35d3bd7fa71b7a9c9ce6adcc395a62fc77e139fdc793f57f9685

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\366C6F0FE64B4EBEDB07B5FDDBEDDD7B639F489D
    Filesize: 58KB
    MD5: 0301b4d7d5b6a118a60cf438bd58fbe8
    SHA1: 7fc49d51a27f9ce2130d6d261a67be14ec4ad06c
    SHA256: f38a6a0478cf2068740a58ab39de05ffcba442c0a71498cca1a5f09359312f83
    SHA512: 22c5ff7187883aca0d154cbecba305caca7be544bd4fe850175e8b018038769c0b023427e8ace38d4c255945501595c443a7188b1e4e1f9d7df1e09c1f90f5e9

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\6D81B26E0A25001159E4CC6044D6457153EA5C01
    Filesize: 17KB
    MD5: 7bb61a208cbdda825c0c9e6778685077
    SHA1: 34c22f50bef7670bb28bf59becb384d6fbb70208
    SHA256: 2b096a8f23a929e20e863add923ef4daa47a094b6007568680442644d56f5b5b
    SHA512: c27828888e96e47df19e9d963bf759c7a482e103e306d0ee4b8a9bae9e280ce413b6ea5eb0040092ea0793f6979ab730258317d2107c06813eadb8d833d088b1

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\822D3475915FF1FD065AE9B7C94CAC38BAF38F99
    Filesize: 18KB
    MD5: 53c8c197582f8d8ec92825ef5ebd3d0f
    SHA1: a7cb1d9fd119ffab0041f830a049600ee7737e63
    SHA256: bcaced52f3a3ac2210ba19c5a82bf88b4e034a404b5bd0c0b4a7dd348fda81fe
    SHA512: 6c87a658ea8cbb8e62f2cb9cd777bbd4a820be6b6754c2319d3f55bf23f4136dd31dba67ec51e78b605d29dd2feacf3cc022e5f4a2dcdde59fefa2006564bf6f

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A48562B06EA3ECE8F16D1B2F544E3D934FD0BA28
    Filesize: 23KB
    MD5: 9f04918cbd86e210c407eea90c77da2a
    SHA1: 89d9298a65451a134d3960710a117026d7bf5fc3
    SHA256: 0617ea36fde3314406a3f6c9b88e6e1d0f17eea6c0534f6e617884d238c3ef8a
    SHA512: 8607a0846a5890c2acebbb946bd8609595843f0ba4b8ffd13a179d8d804373d6ca7c19abf9d1baad793573b25b86592e5359d8a2aa28818d75fde0bdf22fdf2c

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\BE5B95A2C7BBBCB2AE301D63F2E5473378B07340
    Filesize: 24KB
    MD5: e4f3976a813abb49c0985716e6c30942
    SHA1: ac7aebbb142fecb89cf84c8d211a2b7da102aa8e
    SHA256: fa9d731ae4ce3b6a079e032f8bd22bc1f29baf942703d8e0c59437f49bfadcb5
    SHA512: d16e6b3cf4a75a2dd240652622aaf6c9ee4572814690b09822dc761ac9a8c04a32624ed070fb6a3249798fb5e5a0ac5c5ed7ee95781ef513372fa60db91af644

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\FEE1168BECB60A2DFAFD0F745560F244EED96138
    Filesize: 23KB
    MD5: 27f97762f251adb3014284a25c6f1bb0
    SHA1: 5fa04714949e8191f85bb4ef540798f94674cd29
    SHA256: f82a651bf751ba7e54427b458ada5a032b2a3a63354dfeb563da9330e807f10d
    SHA512: 54fdc9945a947880fe6aa735f2531d19b7a85e5a2159410948882f6e9389e5435216deee16faa15d93ea522b64b13553c621f8434f44689f89fa249326d76127

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs
    Filesize: 147B
    MD5: e04e55d2e6cc3d920631fdc5d6dcc1ce
    SHA1: 2c4dbcff71f8678623a7c197440ec281804dc5a5
    SHA256: f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
    SHA512: 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1
    Filesize: 797B
    MD5: eb9c76ab230c2b8527d504429d7aca20
    SHA1: ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
    SHA256: f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
    SHA512: f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0nsjjk5.5b2.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe
    Filesize: 63KB
    MD5: d2053aeb9216c3040b40e67d72578669
    SHA1: 3a33aab579e13bac21c4966b4e2491cee400155f
    SHA256: 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
    SHA512: 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

  • C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat
    Filesize: 149B
    MD5: fe473f7e2aeaa16a9987e236f10c56ca
    SHA1: a1056a23223515d8accdaa933ad6f28528183ecb
    SHA256: 2b712f73463cde21248bec035ad7a8925b3afb97c8032c40654ae993c45ec2b6
    SHA512: 395dbdac22611eea770c6d947dbbfa91ff850b2cce7c0a6275054d3343d1c498e490798447f1396a1e481056651b75e7d6125f5aa59029a0dae62234f7d73cc4

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 35c16387c51de4ea676c0e9b71ae6b6c
    SHA1: 7d6d65ddffb2ae9c5302c3eb7690115c1e19212f
    SHA256: 9dddbb7bb3361913863439bcd66615a1b7e8199e2bdc040182f13b967a04825d
    SHA512: ba103758a94bda00720b0d02b4146c682b5845e274744826363907fc8e54c5ae3f7f0a64f33273671ddba417633efe9bc6d242ca96fd2c04603893a8e217e0c5

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 66c64f8a6f0b008306a4803aa7e06801
    SHA1: c80a7c3a3d8e9aa3ad40e1d2f649002125038aaa
    SHA256: 09a5077298deb9e05df70bf43e0f13aad9519bc617281a5ab371f60965c7ac25
    SHA512: aa5c63c24e48e9ce2dfd3d081e410522f458ff35e683781c4a033053c9b53b922731b09dcfef80115ac1bb6ad7bc1c3b9ca24ac9fd75265360de368e401f8b62

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js
    Filesize: 7KB
    MD5: b56a339de41b13aae47d22253269fc0f
    SHA1: 03af96a4fd06a7ddaeecfa4c485345fecd005bac
    SHA256: df0e70044767a689b3d1b36c28bb0724c5d94bb4e260a35a671dc12eab410c74
    SHA512: 96ef10e89a8966154fae4842de47152d5d25343dec64223b1ed7c386a8d35ce78ad7a453c592267fe39aafa74a0bc62339969334814edbc648915000d43d907e

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js
    Filesize: 6KB
    MD5: f73e52d124620d05267ba934f3b312d3
    SHA1: 34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
    SHA256: fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
    SHA512: 4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 1KB
    MD5: 5249f5fdf7023819b70d23d026db5a22
    SHA1: c974877951ae1c4caa2534ff1725a866a2fe5f8a
    SHA256: be16fbf2fcfcb8422b76004c5295ee3d5cec7b837ae8a0a5b74b97202c5d03d3
    SHA512: 7f049ec67a346e12bd07a1b85d9d1f2103ed29c81697f56f65a7ea5cf57a398e3a1f532823f49d90785a798dc506f8aae19e626a48e4abf3961bae6f85b9a4f7

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4
    Filesize: 4KB
    MD5: 543f6a62c9d729d6ad43bc7b76bfc19f
    SHA1: 9dac797615e30cca43bd1defdea3f7f1fb2fd3b9
    SHA256: 099b22b11ca21f717d4723947aec14062dba7ee4525ad938cd98aa72d72f1fca
    SHA512: 2522c61a3520f6ef851ea5c3a84d7453651f347605b64433b62db321076f7c1566b441ba1c7f92ed6b1fd7917034a73a67565f3fb4c0360f0f12a7e0bf388408

  • C:\Users\Admin\AppData\Roaming\csrss.exe
    Filesize: 63KB
    MD5: d2053aeb9216c3040b40e67d72578669
    SHA1: 3a33aab579e13bac21c4966b4e2491cee400155f
    SHA256: 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df

                                            SHA512

                                            8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

                                          • memory/3380-189-0x000000001C9F0000-0x000000001CA00000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/3380-187-0x00000000006F0000-0x0000000000706000-memory.dmp

                                            Filesize

                                            88KB

                                          • memory/4876-198-0x000000001F500000-0x000000001F576000-memory.dmp

                                            Filesize

                                            472KB

                                          • memory/4876-199-0x000000001F4A0000-0x000000001F4BE000-memory.dmp

                                            Filesize

                                            120KB

                                          • memory/5112-159-0x00000000075C0000-0x0000000007656000-memory.dmp

                                            Filesize

                                            600KB

                                          • memory/5112-182-0x0000000005230000-0x0000000005240000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-181-0x0000000005230000-0x0000000005240000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-180-0x0000000008FC0000-0x0000000008FC8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/5112-179-0x0000000008FD0000-0x0000000008FEA000-memory.dmp

                                            Filesize

                                            104KB

                                          • memory/5112-178-0x0000000008F80000-0x0000000008F8E000-memory.dmp

                                            Filesize

                                            56KB

                                          • memory/5112-177-0x0000000008780000-0x000000000878A000-memory.dmp

                                            Filesize

                                            40KB

                                          • memory/5112-176-0x000000007F020000-0x000000007F030000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-175-0x0000000008650000-0x000000000866E000-memory.dmp

                                            Filesize

                                            120KB

                                          • memory/5112-165-0x000000006F6E0000-0x000000006F72C000-memory.dmp

                                            Filesize

                                            304KB

                                          • memory/5112-164-0x0000000007750000-0x0000000007782000-memory.dmp

                                            Filesize

                                            200KB

                                          • memory/5112-163-0x00000000088D0000-0x0000000008F4A000-memory.dmp

                                            Filesize

                                            6.5MB

                                          • memory/5112-162-0x0000000007CA0000-0x0000000008244000-memory.dmp

                                            Filesize

                                            5.6MB

                                          • memory/5112-161-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

                                            Filesize

                                            136KB

                                          • memory/5112-160-0x0000000006B60000-0x0000000006B7A000-memory.dmp

                                            Filesize

                                            104KB

                                          • memory/5112-158-0x0000000005230000-0x0000000005240000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-156-0x0000000006600000-0x000000000661E000-memory.dmp

                                            Filesize

                                            120KB

                                          • memory/5112-155-0x0000000005230000-0x0000000005240000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-154-0x0000000005230000-0x0000000005240000-memory.dmp

                                            Filesize

                                            64KB

                                          • memory/5112-149-0x0000000005FF0000-0x0000000006056000-memory.dmp

                                            Filesize

                                            408KB

                                          • memory/5112-143-0x0000000005F10000-0x0000000005F76000-memory.dmp

                                            Filesize

                                            408KB

                                          • memory/5112-142-0x0000000005780000-0x00000000057A2000-memory.dmp

                                            Filesize

                                            136KB

                                          • memory/5112-141-0x0000000005870000-0x0000000005E98000-memory.dmp

                                            Filesize

                                            6.2MB

                                          • memory/5112-140-0x0000000002CE0000-0x0000000002D16000-memory.dmp

                                            Filesize

                                            216KB