Analysis
- max time kernel: 114s
- max time network: 117s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 30/10/2024, 01:03
- static task: static1
General
- Target: OptiFine_1.19.4_HD_U_I4.jar
- Size: 6.7MB
- MD5: 2e58bf463ec7e9964fe381a5afc17da1
- SHA1: 40a44c00d4f06ba82e97b8eb71aab3823f4e9d93
- SHA256: 2c010bcae341cf1003c194a4b566a0cb0c8dff2443d2f9fbd9e7a2d9abc8af6a
- SHA512: 94d0673370168322cc6ba5ae7bc9ad5d5c4246aa10f8929239dedc25639255c807c32ea248ee751c42aed9ca61cf37ab391d7d3a9ba57bc643e091c9ef4009d1
- SSDEEP: 98304:+4T54pxq3gbAuFu0Lw6jEKuBj036dh1KyMH9vPMDNgPjDbHA:+4TCxq3gtFuiWKufdh1jA9H7LPg
Malware Config
Signatures
- Asyncrat family
- Async RAT payload (1 IoCs)
  - resource: behavioral1/files/0x00280000000451ab-708.dat, yara_rule: family_asyncrat
- Executes dropped EXE (1 IoCs)
  - PID 1540, Process: AsyncRAT.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  - flow 107, ioc: camo.githubusercontent.com
  - flow 108, ioc: camo.githubusercontent.com
  - flow 95, ioc: camo.githubusercontent.com
- Drops file in Windows directory (1 IoCs)
  - File opened for modification: C:\Windows\SystemTemp, Process: chrome.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A, Process: taskmgr.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName, Process: taskmgr.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000, Process: taskmgr.exe
- Checks processor information in registry (2 TTPs, 12 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz, Process: firefox.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier, Process: firefox.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature, Process: firefox.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier, Process: firefox.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer, Process: chrome.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS, Process: chrome.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName, Process: chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133747238348072357", Process: chrome.exe
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry, Process: chrome.exe
- Modifies registry class (37 IoCs)
- Suspicious behavior: EnumeratesProcesses (43 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 1540, Process: AsyncRAT.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  - PID 1528, Process: chrome.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (64 IoCs)
- Suspicious use of SendNotifyMessage (64 IoCs)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 1168, Process: java.exe
  - PID 2128, Process: firefox.exe
  - PID 1168, Process: java.exe
  - PID 1540, Process: AsyncRAT.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\OptiFine_1.19.4_HD_U_I4.jar
  PID: 1168
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 2696
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 2128
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb0e360a-dfa5-4a18-9047-2b35629b71d4} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" gpu
      PID: 2172
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2360 -parentBuildID 20240401114208 -prefsHandle 2352 -prefMapHandle 2348 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d16a43-1698-4565-b6aa-4000a19e3727} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" socket
      PID: 4392
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3296 -childID 1 -isForBrowser -prefsHandle 2740 -prefMapHandle 3324 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce586bf-5fc2-41cf-98f9-109d71b2627a} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 1932
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4208 -childID 2 -isForBrowser -prefsHandle 4172 -prefMapHandle 3328 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {579f03e1-ea22-45ad-8704-828f707e521c} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 616
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4824 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10b849dd-359d-4013-a0d6-ab65715a00c2} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" utility
      PID: 4404
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4704 -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 4212 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9197b50a-af15-4711-a3af-1d0232b9748e} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 4456
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4416 -childID 4 -isForBrowser -prefsHandle 4284 -prefMapHandle 4704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0c50ead-1b53-4e75-9b7d-21cdaa6c5975} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 3028
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -childID 5 -isForBrowser -prefsHandle 5404 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7841f6ec-2d0b-4827-8e86-75dd351852e1} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 3444
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 6 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd175639-f44b-4f81-b9b5-cd3f58b97234} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 1656
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 7 -isForBrowser -prefsHandle 5556 -prefMapHandle 5404 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8c934bc-f17d-48fe-a0dc-b92af6c68d5c} 2128 "\\.\pipe\gecko-crash-server-pipe.2128" tab
      PID: 1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1528
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff9c277cc40,0x7ff9c277cc4c,0x7ff9c277cc58
    PID: 2888
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2032 /prefetch:2
    PID: 828
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2004 /prefetch:3
    PID: 3564
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2304 /prefetch:8
    PID: 1768
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3168 /prefetch:1
    PID: 3720
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
    PID: 4760
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4572 /prefetch:1
    PID: 2600
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4732 /prefetch:8
    PID: 3508
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:8
    PID: 2108
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5028 /prefetch:8
    PID: 4696
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3868,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5128 /prefetch:8
    PID: 2336
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4912 /prefetch:8
    PID: 1488
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5256,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4420 /prefetch:8
    PID: 2540
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4408,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5208 /prefetch:1
    PID: 1300
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3544,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3456 /prefetch:1
    PID: 1152
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,6342236778712523589,13388836344386119513,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4920 /prefetch:8
    PID: 4208
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3232
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1656
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2796
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap4287:74:7zEvent287781⤵
- Suspicious use of FindShellTrayWindow
PID:4012
-
C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe"C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1540
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4964
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB
MD5: 1888ecad9973d9e37377154360237bd5
SHA1: 36d6b6b316b4a6d483f333cc0cdcfe4f39cc940d
SHA256: 1cf056a4e0ac3f70a738c2fd16e431a3b1d94e16ae07ae21f284bc9040eb0159
SHA512: 1bd4eb9c3fb5041e0f013a81845d60fdace461e387802a63664661743782d05e22cd49561b21c50c407dddf771067089ad03c4c451bfdc0e96a396727d758633
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\79598027-ce49-4c05-9183-1929cb93d3fe.tmp
Filesize: 356B
MD5: abe9b6c5fad6710f3617974da6cfad1d
SHA1: df91d3ffa5e9763f4370057339f8d6381d4be6d3
SHA256: fd0be8534170087ab2a3fd51cf8803339681c98f6f008e2e8cc14a09b7280b3d
SHA512: 29d58841b8c23706be7c3849a0c0c729325aa8d0ce1ddf251cdbbe28662da529e1126d7783a02fead08d610e838e0b038b86cdd2ebbdbdb4a997190950798250
-
Filesize: 5KB
MD5: 445124bd13f5d7b39be8c58d8bc4cbb3
SHA1: 9649e88c096cabb4b9eb60932a388274dc440000
SHA256: b2679d13cc677693487239dc9f9772054b0bfd9344fed143f428b5caf31329c3
SHA512: ba7fad05142ad731c45998746669060e480f9333ff4346f458289dba3fbbc286d5340205ce4765ab69085a52fbaecd1e58487b40c198f20a4a943aed4fd741d0
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 1KB
MD5: 6075775fd403ac220b777685c918246d
SHA1: ce876266d7e3478fbacea824c47cfb841cc9542a
SHA256: c249279cf13a4e825c943b30cb8b7c6e46a254b81e8c778d33947c76fa4d4ff0
SHA512: aab276829a8dc5db052323b3e636d9af06e2ab90f8e477ab1e3a87e9fe91c668d32ac9cc59ddec4b38a5aaf489ccc60fa21e36dbf6fb3f78b2c3c2aa902cd5f0
-
Filesize: 1KB
MD5: a6a2a4e9d4ec66561acd5e8f11ad1adc
SHA1: b20dbfb67e1d8a5c2a90ca84fc7e9a662a2900f9
SHA256: 089ae8912e28c6952c6f3e9ce786aa6bd42cc4f94879c0614107455818d3b96e
SHA512: cce710ca7dd45e12bc23b74fcc7131e7571cbb4ec2596e61397ad6176fe5c6db9835d46a6d8aa29a44f59a82aadf8c9db723285af18f875d7e4b9b3991534523
-
Filesize: 9KB
MD5: 18b039a46f31141eddb016a0c9fc3c31
SHA1: c79aada1c1f4d365cd2bdd1d6b67d67e90ebdf10
SHA256: 9e05102f36f210558296b03a402bc102d81c4c23e02cd29a24cb1aa7ab9ab6c4
SHA512: ec2ba82fcfcb15541b38da41ccea9c5ac1eb69537d0befdfc0f619096bd53dbc1945df1049324e2a7512593e456b0a2a20d5a2e2beab587083c19a47b0de820e
-
Filesize: 9KB
MD5: 41ad59dafa8b7031b87bb6c043d1bc8d
SHA1: 4f6bd224869ac4044126f20759d003be3340f0b4
SHA256: 2323b8e8762f682d39c8553911f669f521d77ae74ae403fcf2a2438b8cd199b5
SHA512: 48d310ea1abfb25a4519209d09f41f075e9ebe8231ae822dbe4c3a360d2e009144ff368565518648a9b383b2a1ef8f06d71a8e9c9ec67c4daa005916e0cb3e29
-
Filesize: 9KB
MD5: b19746128963880dc452254d78189420
SHA1: 5e3a6c4c6917084e980bcb309de9470507a95085
SHA256: a1bb752e57f737499d7a0eec5b2348d05fc75a2f85a380b989075101c2a7ad79
SHA512: 812fe4d1e6f47434459219e7a28a6cb83b9342ce3656d2c9dad2b3ed91c766cc8f10b5c5dda73f3a6245b5707bec1c29499f2be94cf553badaf0161843414dc8
-
Filesize: 10KB
MD5: c86b571be39beed36c7d16aa3e481356
SHA1: 8cdc2d59a7b092958adf560b935e8011c49a831a
SHA256: a597ff08eee45e259ef60dd0a4dde547216ef5b06d5c15b8750881f34a240db4
SHA512: 1f5c8b5a924c61c5e486b5d4fac89d641b9a3ae0e173c9aa89f65cb80e361b42ad12e21158ff6bd296873eb7e3e77fdc93f3fdce2512ca757f66286c55527e15
-
Filesize: 9KB
MD5: 82ceea0a2bd8515f840a672c033bc15a
SHA1: de43e972867a399029a485de14762cee135b69ec
SHA256: 3de251f3c60424aeb471624655237ed1271387f929754e6672cc633797f261fd
SHA512: fd8b0ce8cd59f32a98986c53418176e40c2df82757b5dfbc35c22132cb398d96ba7aa30d8a77dc759ef87548b2eec8d37952b5faa671a89b862deb8dece12bcd
-
Filesize: 10KB
MD5: f8f61d0cf3c1064e2d89b78da0a18ab7
SHA1: 4d18834457c1539a968db2966eed69f84504293d
SHA256: d0ebecb478f9296018253b36a731c2e45ccd0fe152f3bf81cab2ccf42bc17c5b
SHA512: 5ee33dce8f9ff3851f90092645872e1438d48762a3794c54a20bca2d02aeec849e7d948b47eb629710041ad4a9d6d427e688daa37d57c1a2c4bdaaefd91255b7
-
Filesize: 10KB
MD5: 2b10134e509dbe1fdf2af344c6a8e8c6
SHA1: cdd253a2d6d7e1b59e86661ee90c23be6ec2af00
SHA256: cfd6b199f2a2d777c1c6274283e726c506c8a5121dcde2148a1236d03ecc0628
SHA512: 968ee3e1d49fae23427923fec7c4ce6bbcb272ce6b4dcb351ac38187c69a96c059f08d6ee583c4e43950a3045f95b47820858e7407bbf9fab5d9e8bfc6ba343d
-
Filesize: 15KB
MD5: 11163fa172f24fa5ed8d95a4e5b35d62
SHA1: 980afbf90ef42e6737bbe8af36f3aae433817934
SHA256: 9511493d0108489d499300e21d50a966d33038adc1200e8495820eefeea962b4
SHA512: 2645d580dee543c5683a12e8afc9a5f7ebe003df638ec83b43aabff3333213aaff7cb2690393a7ead0ebc86d37e286ef046a7fb564c03f1055084eef563940f5
-
Filesize: 234KB
MD5: f35e72484e8d887a62cc5f33caff7807
SHA1: d9eca1cd53ea93f413baedde24a335557710cb6d
SHA256: 8c2cb9ae94d081a93fe5709584f08464822104ae117cc4c96edccd473f9a18b1
SHA512: 85b98e1c8a52e09b7d426a930a3660fde63857406bd1eb3dba5ed45e2e10e850aead22bc1c1ac5388bd2311def5d091c93d585f38c038b493068cec48031d3a4
-
Filesize: 234KB
MD5: 353f3346c472c9b156665584cb4a895a
SHA1: 231a556c47219ae59ca32179c00be6c93be679ac
SHA256: 6d2830413ef05d8ab55e495defa4f489aec6e64ed8871afa48075359c4a10566
SHA512: 8fc43732b2ad1eb129d6a5197bdee4a988fcfb87eb2d256bf1f0fb78adc01ba88028fa42ee69d3c224370fa325acabd46e7cca074e94920bb106b27ceb4df42f
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mfuo34j5.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 22KB
MD5: e2f10990f5c762bf4fe33afdcae903af
SHA1: b6434d0a6d6f5a622eec497c52c4a6e9d522868c
SHA256: 0632189326d1daeeb31661b06dc35c6de1d9e101c03401d2d41444eabf3caf98
SHA512: 077ac75166ceb3c1f615135360ce459b6ea828fc931b9d04332a4dbc441c5f35a718354fda26d070ad38cc0b8a6c3fce00ab32fd818d036e6459a4cadaf702a6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 23KB
MD5: 7bb73566b39bfa7f18627594fddd7d5a
SHA1: 96f8a478edcf581d8301544690f3eaf7edca8ba0
SHA256: 6e04c2104694de2589aefa9ee84461787dd272e513dfb3246b04dbcd42b2e780
SHA512: 55c0b61127fb0bcf7a5fe9b33bfd64b9fd890898f86641d3d2311f2ba32634c2e5fb24f423fb2fca044d20f3d628e7ad87827daada1586af4d842b72d4350abc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 20KB
MD5: f77e94e2219e592be4ab77c53be2b3cc
SHA1: ad78b9b8646dddc46b4d6abd8f8dc9b01b5bd5ff
SHA256: 183193e6099f90d0365f8bdffc5f6119d6fd464dd2b51131279be4344d8d2549
SHA512: 921cd7999c160d3865ec88765762a2d270b6b39623d5b1ce6bccc6937c89da61655241e22d40c2e3cacf006a067af3d5d8370a6949557c73ecafae87d8fd1e27
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 23KB
MD5: 4cd3dce47348189f81769fce798223cb
SHA1: 911375c5bca0771126bd7a2a2f66fc6b7b2061a9
SHA256: 04858b01cb640e168e2e93e27203e4731e6b2e2fffd9160ddbcdcec6bb216ff8
SHA512: 9768d503b7f46c983a53e2843cc1840db0e12f0670c78adb18798bc33c75519ceeec0070f4e89f05b0ffabc636093cdb9f34c769e919b47ab595f21db0bedc5f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\pending_pings\2a967363-9402-4e31-97b5-6910481101c5
Filesize: 982B
MD5: 41e8c06cb46ebc0c2e832fc0c5e6d7c3
SHA1: b403f253e9dbf183b472e828466b0273f93e2b63
SHA256: 1209ce2bc064d7bcb1e46d24b3ac193e61b060871d62f86b8b3f4924dfbfcf0f
SHA512: a25091286aa2ab99c20bd316d3df68ead0e64d0affbbe9593b00e220b7b04a86da66beea946c321a82bdcc6dbbc76151e227d9c289327b7b470c9e540c92d6b3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\pending_pings\9255ec5c-8995-42a3-983a-53df088931dc
Filesize: 659B
MD5: 23b8f8c369d170efc5ff9a07ae2d33a3
SHA1: 88a75456779cdcfbd9a10a37787b139ff1599e49
SHA256: bdde917f1206e3804488ca8bf7039b429918cc6bfa1eb1ea3577485d6e5c1289
SHA512: 97405dfcd9ec000f66dd7bd6d4d94c54727054c9413eead90195df34373457c8482f76b35214f60ff2f7b4286a4042155e7efe932d5decdd8208333f58347be4
-
Filesize: 10KB
MD5: ea890468f15790a0c2ada6987673ca66
SHA1: 6c572191ba61f5cfaa6832de381e7aace33a5733
SHA256: d1cdcae6e74d62c204a215cb92b383934e509a058a5676a382e0113bdf9e72ee
SHA512: 4eef4f6cda821b6ff6f0c06082dccac0a8b01ebbfe9834c6262ea602865bf43189d6ba8c9694046b3fb826f947c99e666a8c246fdc1cbb236136d12387555cf7
-
Filesize: 11KB
MD5: 844c42c1c9efb8e019d803bfa0857bf6
SHA1: 22c475cc2e115e6b196d4480d5e91f9d290e78a1
SHA256: 711e6f11932fba7007ce999cd885a924f2d55cdce79309b20d6812bf9af132ee
SHA512: 0a2080e1befc4c7562c3fbd746a36e1de443a598aa509cd2b4365af9f6836d9aae03440ad8b8fa093ea66392fe53832cf7a5614147015e225f5d0d5190828140
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\sessionCheckpoints.json.tmp
Filesize: 288B
MD5: 948a7403e323297c6bb8a5c791b42866
SHA1: 88a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA256: 2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA512: 17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
Filesize: 6.4MB
MD5: 97a429c4b6a2cb95ece0ddb24c3c2152
SHA1: 6fcc26793dd474c0c7113b3360ff29240d9a9020
SHA256: 06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512: 524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89
-
Filesize: 5KB
MD5: cb1f2dcfeb5cbb5af8efa7ea40b8e908
SHA1: ceb040761554040cac2fc7ca18623498d3bfc7ce
SHA256: 58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372
SHA512: f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea
-
Filesize: 390KB
MD5: cd4a9e669264419eca4de564e6272fe0
SHA1: bb69bb1542ea06395df74dbedc98866d6c8a36cb
SHA256: 56fd699258a7186f709068c283cd725797bab392e3a6f1cd28f35bbdb3e98e38
SHA512: 5addb4f97c7e1cb69e5167e670bd2c3a817e0415f1fd8a5158af7e03e4340a8b1a6d803e85c9ea56415b9e7d3dcb4c352775a6a6b4770443d72114396ffaa1e5
-
Filesize: 4KB
MD5: 75b9bdf0578161d20c8e411433076e58
SHA1: edd5ae05a2b9438d141dea75975cd02486a824b9
SHA256: 66411f3364a1a1dd46e8891160e46cb7640253c29c25f5afac708f86fa816168
SHA512: 59d7735155e547af847adb321acc94fba0cc87e65eacdf572e7f1687c033bc371833fe20dd3b507d78f225ac526e942f2147426633915dbde273a4568d9e6478
-
Filesize: 38KB
MD5: f76702fa423ce2b2b4b0fdcf547b0789
SHA1: ea408a4419e8a3139ef14df987608964c12d3190
SHA256: 0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e
SHA512: 03c7d8814687bb4f11ac41a555f368d89d5be749c92624073b77da0e57d872df201f2657b180ad0c9d5bc9ffa0a85989bf31374c7e5deefa06cf36bce3697971
-
Filesize: 6.9MB
MD5: 30b1961a9b56972841a3806e716531d7
SHA1: 63c6880d936a60fefc43a51715036c93265a4ae5
SHA256: 0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
SHA512: 9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0