Malware Analysis Report

2025-08-10 17:44

Sample ID 230315-cp5e3sch8t
Target service.exe
SHA256 4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c
Tags
asyncrat default evasion rat
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

4d19771fb289f892626b1b04c120f53d69492ec87df2bfd6809dd6fce8662c3c

Threat Level: Known bad

The file service.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default evasion rat

AsyncRat

Async RAT payload

Downloads MZ/PE file

Blocklisted process makes network request

Sets file to hidden

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-15 02:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-15 02:16

Reported

2023-03-15 02:17

Platform

win7-20230220-en

Max time kernel

28s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\service.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\service.exe

"C:\Users\Admin\AppData\Local\Temp\service.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs

MD5 e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA1 2c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256 f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA512 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

memory/584-63-0x0000000002770000-0x00000000027B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1

MD5 eb9c76ab230c2b8527d504429d7aca20
SHA1 ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
SHA256 f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
SHA512 f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-15 02:16

Reported

2023-03-15 02:17

Platform

win10v2004-20230220-en

Max time kernel

71s

Max time network

91s

Command Line

"C:\Users\Admin\AppData\Local\Temp\service.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Downloads MZ/PE file

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\service.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\csrss.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\service.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe N/A (23 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\service.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 1832 wrote to memory of 5112 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 5112 wrote to memory of 4560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 5112 wrote to memory of 3380 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe (2 identical rows)
PID 3380 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 3380 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 3236 wrote to memory of 3976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (2 identical rows)
PID 1992 wrote to memory of 4908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe (2 identical rows)
PID 3236 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\csrss.exe (2 identical rows)
PID 2532 wrote to memory of 4768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 4768 wrote to memory of 4384 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 4768 wrote to memory of 4816 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (30 identical rows)

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\service.exe

"C:\Users\Admin\AppData\Local\Temp\service.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Unrestricted -nologo -command .\service.ps1

C:\Windows\SysWOW64\attrib.exe

"C:\Windows\system32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe

C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe

"C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Roaming\csrss.exe"'

C:\Users\Admin\AppData\Roaming\csrss.exe

"C:\Users\Admin\AppData\Roaming\csrss.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.0.632713011\1673088192" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28a98fc4-5551-49a4-82fc-1e37100ee8eb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 1932 1ad5e6ec258 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.1.1654518729\1874500889" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e4a683-8420-4dfa-a304-20befaa509a6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 2332 1ad51670758 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.2.1045902809\531703940" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2996 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72650503-f3bf-4997-aff4-245b01766510} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3124 1ad61fd3758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.3.608619865\1424478353" -childID 2 -isForBrowser -prefsHandle 3952 -prefMapHandle 3948 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c18e48ff-ef76-4d44-807d-fbcff98fd3c1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 3964 1ad6337b558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.4.342650432\480264199" -childID 3 -isForBrowser -prefsHandle 3844 -prefMapHandle 4336 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {274c9739-175f-410b-86c7-b3abb7ff49ce} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4120 1ad63b57058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.6.542533137\591240270" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 4992 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {732f8a83-98fa-4f04-a455-12fd2e52338e} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5096 1ad64b91e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.5.5989472\670693918" -childID 4 -isForBrowser -prefsHandle 4984 -prefMapHandle 4952 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {377b7663-d4a6-4ceb-9ba2-01eb9ddac2c5} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4992 1ad64b8eb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.7.1337911745\1257909608" -childID 6 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e10d2fe3-6f5e-4dfb-b204-461f32ba10d6} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5404 1ad5162f058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.8.1338445598\1344592524" -childID 7 -isForBrowser -prefsHandle 5608 -prefMapHandle 5604 -prefsLen 26834 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddbf59cb-044b-4ca3-9ad2-bb0b3ed9ec53} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5620 1ad64964258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.9.220620353\675854212" -childID 8 -isForBrowser -prefsHandle 5884 -prefMapHandle 5804 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21122cb0-c6df-40e5-8816-bc2b2240c3bc} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4320 1ad51662e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.10.1427892112\1614766521" -childID 9 -isForBrowser -prefsHandle 2896 -prefMapHandle 5528 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6af933ee-9ec2-4ced-8922-89f3fbcf1e8c} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 5272 1ad60758858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.11.928876294\482638547" -childID 10 -isForBrowser -prefsHandle 4480 -prefMapHandle 4492 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e97e5c-807e-4ec8-b9f4-49d9d8714431} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 4456 1ad63cb2958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.12.1694043196\1372067298" -parentBuildID 20221007134813 -prefsHandle 6016 -prefMapHandle 6104 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d305030f-4d69-4bba-b87b-b9fd61c3d68b} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6096 1ad63caca58 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.13.88034416\46627564" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6228 -prefMapHandle 6224 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec2630f8-3221-480a-b88e-28a1034b5de1} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6176 1ad66970c58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.14.861335527\1117332027" -childID 11 -isForBrowser -prefsHandle 6448 -prefMapHandle 6416 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {101d0449-8fae-41b5-9664-b81014617069} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6456 1ad64962158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.15.1020053502\1019942760" -childID 12 -isForBrowser -prefsHandle 6420 -prefMapHandle 6424 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd7d2f69-e783-46bc-9411-417d302d8a92} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6588 1ad66eb9e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4768.16.1102546654\1024827853" -childID 13 -isForBrowser -prefsHandle 6872 -prefMapHandle 6780 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1492 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5c728a8-e538-4316-ad7b-c4a9c16df1fb} 4768 "\\.\pipe\gecko-crash-server-pipe.4768" 6820 1ad61f82758 tab

Network

GB 216.58.208.110:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-5hne6nzy.gvt1.com udp
NL 172.217.132.166:443 r1---sn-5hne6nzy.gvt1.com tcp
US 8.8.8.8:53 r1.sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 r1.sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 227.206.250.142.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
JP 142.250.206.227:443 csi.gstatic.com udp
NL 172.217.132.166:443 r1.sn-5hne6nzy.gvt1.com udp
US 8.8.8.8:53 adclick.g.doubleclick.net udp
US 8.8.8.8:53 www.questtips.com udp
NL 81.171.31.78:443 www.questtips.com tcp
US 8.8.8.8:53 www.questtips.com udp
US 8.8.8.8:53 www.questtips.com udp
US 8.8.8.8:53 adclick.g.doubleclick.net udp
US 8.8.8.8:53 in.questtips.com udp
US 8.8.8.8:53 adclick.g.doubleclick.net udp
NL 81.171.31.78:443 in.questtips.com tcp
US 8.8.8.8:53 in.questtips.com udp
US 8.8.8.8:53 in.questtips.com udp
NL 142.251.36.2:443 adclick.g.doubleclick.net tcp
US 8.8.8.8:53 166.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 78.31.171.81.in-addr.arpa udp
NL 142.251.36.2:443 adclick.g.doubleclick.net udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
NL 81.171.31.78:443 in.questtips.com tcp
NL 81.171.31.78:443 in.questtips.com tcp
NL 81.171.31.78:443 in.questtips.com tcp
NL 81.171.31.78:443 in.questtips.com tcp
US 8.8.8.8:53 securepubads46.g.doubleclick.net udp
US 8.8.8.8:53 securepubads46.g.doubleclick.net udp
NL 172.217.168.194:443 securepubads46.g.doubleclick.net tcp
NL 172.217.168.194:443 securepubads46.g.doubleclick.net udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 194.168.217.172.in-addr.arpa udp
NL 172.217.168.194:443 securepubads46.g.doubleclick.net udp
NL 142.251.36.2:443 adclick.g.doubleclick.net tcp
NL 142.251.36.2:443 adclick.g.doubleclick.net udp
US 8.8.8.8:53 afs.googleusercontent.com udp
NL 142.250.179.193:443 afs.googleusercontent.com tcp
NL 142.250.179.193:443 afs.googleusercontent.com tcp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
NL 142.250.179.193:443 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 a46c46e4831ffdf0ab0c42342e7261c7.safeframe.googlesyndication.com udp
NL 142.250.179.161:443 a46c46e4831ffdf0ab0c42342e7261c7.safeframe.googlesyndication.com tcp
US 8.8.8.8:53 pagead-googlehosted.l.google.com udp
US 8.8.8.8:53 pagead-googlehosted.l.google.com udp
NL 142.250.179.161:443 pagead-googlehosted.l.google.com udp
US 8.8.8.8:53 161.179.250.142.in-addr.arpa udp
NL 142.250.179.193:443 googlehosted.l.googleusercontent.com tcp
NL 142.250.179.193:443 googlehosted.l.googleusercontent.com udp
US 93.184.220.29:80 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\config.vbs

MD5 e04e55d2e6cc3d920631fdc5d6dcc1ce
SHA1 2c4dbcff71f8678623a7c197440ec281804dc5a5
SHA256 f641a99ec7e549970c81d724766f2a60ff031a5ec92aa6fc84228c82eeb4b4eb
SHA512 9511fe4dc599187f4539b8cda476550c54e86cbfcaca339a5db12e980ec322bf488d7458bf76089aa1d845f164f7ddb8adea017923d9a4930b9e821b7a4ae998

memory/5112-140-0x0000000002CE0000-0x0000000002D16000-memory.dmp

memory/5112-141-0x0000000005870000-0x0000000005E98000-memory.dmp

memory/5112-142-0x0000000005780000-0x00000000057A2000-memory.dmp

memory/5112-143-0x0000000005F10000-0x0000000005F76000-memory.dmp

memory/5112-149-0x0000000005FF0000-0x0000000006056000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k0nsjjk5.5b2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5112-154-0x0000000005230000-0x0000000005240000-memory.dmp

memory/5112-155-0x0000000005230000-0x0000000005240000-memory.dmp

memory/5112-156-0x0000000006600000-0x000000000661E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\service.ps1

MD5 eb9c76ab230c2b8527d504429d7aca20
SHA1 ca4fc2fcb5023fa8398fc5a0c15e7ad23a61e8cb
SHA256 f985277690d6c85a064bc5d494d20d0774fb5017eaf7874685378c538bd49dbf
SHA512 f791797d8301242f2334767153ae7133193cee75538ce38b9d5fa5b60388428a8808c22eb08dd070f6f7e3ce556cf1f04883285eaa44ddf8aba1bd67886429c2

memory/5112-158-0x0000000005230000-0x0000000005240000-memory.dmp

memory/5112-159-0x00000000075C0000-0x0000000007656000-memory.dmp

memory/5112-160-0x0000000006B60000-0x0000000006B7A000-memory.dmp

memory/5112-161-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

memory/5112-162-0x0000000007CA0000-0x0000000008244000-memory.dmp

memory/5112-163-0x00000000088D0000-0x0000000008F4A000-memory.dmp

memory/5112-164-0x0000000007750000-0x0000000007782000-memory.dmp

memory/5112-165-0x000000006F6E0000-0x000000006F72C000-memory.dmp

memory/5112-175-0x0000000008650000-0x000000000866E000-memory.dmp

memory/5112-176-0x000000007F020000-0x000000007F030000-memory.dmp

memory/5112-177-0x0000000008780000-0x000000000878A000-memory.dmp

memory/5112-178-0x0000000008F80000-0x0000000008F8E000-memory.dmp

memory/5112-179-0x0000000008FD0000-0x0000000008FEA000-memory.dmp

memory/5112-180-0x0000000008FC0000-0x0000000008FC8000-memory.dmp

memory/5112-181-0x0000000005230000-0x0000000005240000-memory.dmp

memory/5112-182-0x0000000005230000-0x0000000005240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe

MD5 d2053aeb9216c3040b40e67d72578669
SHA1 3a33aab579e13bac21c4966b4e2491cee400155f
SHA256 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
SHA512 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

C:\Users\Admin\AppData\Local\Temp\tmp6DD0.exe

MD5 d2053aeb9216c3040b40e67d72578669
SHA1 3a33aab579e13bac21c4966b4e2491cee400155f
SHA256 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
SHA512 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

memory/3380-187-0x00000000006F0000-0x0000000000706000-memory.dmp

memory/3380-189-0x000000001C9F0000-0x000000001CA00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF198.tmp.bat

MD5 fe473f7e2aeaa16a9987e236f10c56ca
SHA1 a1056a23223515d8accdaa933ad6f28528183ecb
SHA256 2b712f73463cde21248bec035ad7a8925b3afb97c8032c40654ae993c45ec2b6
SHA512 395dbdac22611eea770c6d947dbbfa91ff850b2cce7c0a6275054d3343d1c498e490798447f1396a1e481056651b75e7d6125f5aa59029a0dae62234f7d73cc4

C:\Users\Admin\AppData\Roaming\csrss.exe

MD5 d2053aeb9216c3040b40e67d72578669
SHA1 3a33aab579e13bac21c4966b4e2491cee400155f
SHA256 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
SHA512 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

C:\Users\Admin\AppData\Roaming\csrss.exe

MD5 d2053aeb9216c3040b40e67d72578669
SHA1 3a33aab579e13bac21c4966b4e2491cee400155f
SHA256 8bd23941838cd09c9e3aba327a8ab6e8d78f2d5325ec790ec30e2963420ab2df
SHA512 8baf916842fc62aa743ca62851130d9552da8c3edc90d8b468bd154454bc643bb9d6474301a5414bccdd381d743b0dcaccb9683f7571b9f06d216a3ee754518f

memory/4876-198-0x000000001F500000-0x000000001F576000-memory.dmp

memory/4876-199-0x000000001F4A0000-0x000000001F4BE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

MD5 f73e52d124620d05267ba934f3b312d3
SHA1 34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30
SHA256 fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7
SHA512 4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

MD5 b3a0db2044ea20932b47c4706c2b1b18
SHA1 d6850d0c95412f48474ff76a6dae99763761dc63
SHA256 0a936eea42ffefdcf5d2e0bc55f37dbc9fdf97a2db064e3306aa0a7e6d582b65
SHA512 092d20dfab1e3c1427c10b4040e2b745c4050f4ec8c94549e454e632cbf97dcc5fc11cbbf3fe35d3bd7fa71b7a9c9ce6adcc395a62fc77e139fdc793f57f9685

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

MD5 35c16387c51de4ea676c0e9b71ae6b6c
SHA1 7d6d65ddffb2ae9c5302c3eb7690115c1e19212f
SHA256 9dddbb7bb3361913863439bcd66615a1b7e8199e2bdc040182f13b967a04825d
SHA512 ba103758a94bda00720b0d02b4146c682b5845e274744826363907fc8e54c5ae3f7f0a64f33273671ddba417633efe9bc6d242ca96fd2c04603893a8e217e0c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5249f5fdf7023819b70d23d026db5a22
SHA1 c974877951ae1c4caa2534ff1725a866a2fe5f8a
SHA256 be16fbf2fcfcb8422b76004c5295ee3d5cec7b837ae8a0a5b74b97202c5d03d3
SHA512 7f049ec67a346e12bd07a1b85d9d1f2103ed29c81697f56f65a7ea5cf57a398e3a1f532823f49d90785a798dc506f8aae19e626a48e4abf3961bae6f85b9a4f7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

MD5 66c64f8a6f0b008306a4803aa7e06801
SHA1 c80a7c3a3d8e9aa3ad40e1d2f649002125038aaa
SHA256 09a5077298deb9e05df70bf43e0f13aad9519bc617281a5ab371f60965c7ac25
SHA512 aa5c63c24e48e9ce2dfd3d081e410522f458ff35e683781c4a033053c9b53b922731b09dcfef80115ac1bb6ad7bc1c3b9ca24ac9fd75265360de368e401f8b62

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\822D3475915FF1FD065AE9B7C94CAC38BAF38F99

MD5 53c8c197582f8d8ec92825ef5ebd3d0f
SHA1 a7cb1d9fd119ffab0041f830a049600ee7737e63
SHA256 bcaced52f3a3ac2210ba19c5a82bf88b4e034a404b5bd0c0b4a7dd348fda81fe
SHA512 6c87a658ea8cbb8e62f2cb9cd777bbd4a820be6b6754c2319d3f55bf23f4136dd31dba67ec51e78b605d29dd2feacf3cc022e5f4a2dcdde59fefa2006564bf6f

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\6D81B26E0A25001159E4CC6044D6457153EA5C01

MD5 7bb61a208cbdda825c0c9e6778685077
SHA1 34c22f50bef7670bb28bf59becb384d6fbb70208
SHA256 2b096a8f23a929e20e863add923ef4daa47a094b6007568680442644d56f5b5b
SHA512 c27828888e96e47df19e9d963bf759c7a482e103e306d0ee4b8a9bae9e280ce413b6ea5eb0040092ea0793f6979ab730258317d2107c06813eadb8d833d088b1

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\366C6F0FE64B4EBEDB07B5FDDBEDDD7B639F489D

MD5 0301b4d7d5b6a118a60cf438bd58fbe8
SHA1 7fc49d51a27f9ce2130d6d261a67be14ec4ad06c
SHA256 f38a6a0478cf2068740a58ab39de05ffcba442c0a71498cca1a5f09359312f83
SHA512 22c5ff7187883aca0d154cbecba305caca7be544bd4fe850175e8b018038769c0b023427e8ace38d4c255945501595c443a7188b1e4e1f9d7df1e09c1f90f5e9

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\A48562B06EA3ECE8F16D1B2F544E3D934FD0BA28

MD5 9f04918cbd86e210c407eea90c77da2a
SHA1 89d9298a65451a134d3960710a117026d7bf5fc3
SHA256 0617ea36fde3314406a3f6c9b88e6e1d0f17eea6c0534f6e617884d238c3ef8a
SHA512 8607a0846a5890c2acebbb946bd8609595843f0ba4b8ffd13a179d8d804373d6ca7c19abf9d1baad793573b25b86592e5359d8a2aa28818d75fde0bdf22fdf2c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\BE5B95A2C7BBBCB2AE301D63F2E5473378B07340

MD5 e4f3976a813abb49c0985716e6c30942
SHA1 ac7aebbb142fecb89cf84c8d211a2b7da102aa8e
SHA256 fa9d731ae4ce3b6a079e032f8bd22bc1f29baf942703d8e0c59437f49bfadcb5
SHA512 d16e6b3cf4a75a2dd240652622aaf6c9ee4572814690b09822dc761ac9a8c04a32624ed070fb6a3249798fb5e5a0ac5c5ed7ee95781ef513372fa60db91af644

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

MD5 543f6a62c9d729d6ad43bc7b76bfc19f
SHA1 9dac797615e30cca43bd1defdea3f7f1fb2fd3b9
SHA256 099b22b11ca21f717d4723947aec14062dba7ee4525ad938cd98aa72d72f1fca
SHA512 2522c61a3520f6ef851ea5c3a84d7453651f347605b64433b62db321076f7c1566b441ba1c7f92ed6b1fd7917034a73a67565f3fb4c0360f0f12a7e0bf388408

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\FEE1168BECB60A2DFAFD0F745560F244EED96138

MD5 27f97762f251adb3014284a25c6f1bb0
SHA1 5fa04714949e8191f85bb4ef540798f94674cd29
SHA256 f82a651bf751ba7e54427b458ada5a032b2a3a63354dfeb563da9330e807f10d
SHA512 54fdc9945a947880fe6aa735f2531d19b7a85e5a2159410948882f6e9389e5435216deee16faa15d93ea522b64b13553c621f8434f44689f89fa249326d76127

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

MD5 b56a339de41b13aae47d22253269fc0f
SHA1 03af96a4fd06a7ddaeecfa4c485345fecd005bac
SHA256 df0e70044767a689b3d1b36c28bb0724c5d94bb4e260a35a671dc12eab410c74
SHA512 96ef10e89a8966154fae4842de47152d5d25343dec64223b1ed7c386a8d35ce78ad7a453c592267fe39aafa74a0bc62339969334814edbc648915000d43d907e