asyncrat | 002a936cc181ea7e45b5f441d90cfe633a9ba5abece878a789163ca2ef992374

Analysis

max time kernel
311s
max time network
311s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
21-02-2025 15:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AntonsFile.exe
Size

47KB
MD5

cf2ca438000d1b1eb52027e072633348
SHA1

225a0741c9cb1cdddd12dfad6895bb91bb218712
SHA256

002a936cc181ea7e45b5f441d90cfe633a9ba5abece878a789163ca2ef992374
SHA512

6c12d644711ac63005dfc958c69a7e5b842d1e66ae23d8f60373a171572398f73187197f1f480222469dfa371f1a6baea65c5189bbf8e4a593db0e0e907a1396
SSDEEP

768:EuQItT/QUscWUCezGmo2q8tULTWm3oPPIH+Lmo6d3bWBGMxJUzbK7ZhVgQ2MBDZ5:EuQItT/Lm2aTrteLYbWMMbUzbUTgQfd5

Score

10^/10

asyncrat discordrat default discovery execution persistence rat rootkit stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

77.100.63.251:5631

Mutex

wPgAGvV1528Y

Attributes

delay
3
install
true
install_file
G.exe
install_folder
%AppData%

aes.plain

Extracted

Family

discordrat

Attributes

discord_token
MTMzNTM2MTY5MTk5OTAxMDgxNg.GtNU3a.zcxe-6PV115CQATEk1hTCU9X-rMD_KNVmCqxEM
server_id
1300562615369732158

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001c00000002ae1c-12.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
4348	G.exe
3104	ratjhe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
53	discord.com
55	discord.com
56	discord.com
57	discord.com
10	discord.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AntonsFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2004	timeout.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "73"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
2100	AntonsFile.exe
3328	powershell.exe
3328	powershell.exe
4348	G.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	AntonsFile.exe
Token: SeDebugPrivilege	4348	G.exe
Token: SeDebugPrivilege	4348	G.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	3104	ratjhe.exe
Token: SeDebugPrivilege	3816	firefox.exe
Token: SeShutdownPrivilege	1132	shutdown.exe
Token: SeRemoteShutdownPrivilege	1132	shutdown.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe
3816	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3816	firefox.exe
2064	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 5052	2100	AntonsFile.exe	78
PID 2100 wrote to memory of 5052	2100	AntonsFile.exe	78
PID 2100 wrote to memory of 5052	2100	AntonsFile.exe	78
PID 2100 wrote to memory of 628	2100	AntonsFile.exe	80
PID 2100 wrote to memory of 628	2100	AntonsFile.exe	80
PID 2100 wrote to memory of 628	2100	AntonsFile.exe	80
PID 628 wrote to memory of 2004	628	cmd.exe	83
PID 628 wrote to memory of 2004	628	cmd.exe	83
PID 628 wrote to memory of 2004	628	cmd.exe	83
PID 5052 wrote to memory of 3304	5052	cmd.exe	82
PID 5052 wrote to memory of 3304	5052	cmd.exe	82
PID 5052 wrote to memory of 3304	5052	cmd.exe	82
PID 628 wrote to memory of 4348	628	cmd.exe	84
PID 628 wrote to memory of 4348	628	cmd.exe	84
PID 628 wrote to memory of 4348	628	cmd.exe	84
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 1460 wrote to memory of 3816	1460	firefox.exe	88
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89
PID 3816 wrote to memory of 2880	3816	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AntonsFile.exe
"C:\Users\Admin\AppData\Local\Temp\AntonsFile.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "G" /tr '"C:\Users\Admin\AppData\Roaming\G.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "G" /tr '"C:\Users\Admin\AppData\Roaming\G.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2004
- - C:\Users\Admin\AppData\Roaming\G.exe
    "C:\Users\Admin\AppData\Roaming\G.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ratjhe.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ratjhe.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
      - C:\Users\Admin\AppData\Local\Temp\ratjhe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ratjhe.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
      4⤵
      System Location Discovery: System Language Discovery
      PID:4584
    - - C:\Windows\SysWOW64\shutdown.exe
        
        Shutdown /s /f /t 00
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1800 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4080cebd-1a70-4338-ae3f-a3de53d66b37} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" gpu
    3⤵
    PID:2880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2328 -prefMapHandle 2324 -prefsLen 27539 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bf9a909-e7fd-413d-97e2-d599b342a7be} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" socket
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5178f14b-b689-4589-8959-85d411e76e25} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3452 -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3456 -prefsLen 32913 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c61b568-d76d-44d6-96d1-2acef41adf16} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:3540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2728 -prefMapHandle 2724 -prefsLen 32913 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6491c7d-7d05-442b-b29f-c291f4ab7c6d} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" utility
    3⤵
    - Checks processor information in registry
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5408 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec1f3a83-1592-4c5c-af06-32690bb75f66} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5608 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {407999e6-92a7-4fa8-9934-b451b07ffd7d} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cac66b-d274-4077-a308-37e499e148cc} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 6 -isForBrowser -prefsHandle 2628 -prefMapHandle 6244 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ddc0340-9a5f-4566-a385-8c62d585bd49} 3816 "\\.\pipe\gecko-crash-server-pipe.3816" tab
    3⤵
    PID:1988

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qnr7778y.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
79e661f12ae079f5294af12f34f640a1

SHA1
8337697378c4975c8179cc7c21c9c5e74eec5318

SHA256
1f02a59cbca589ce594eacea7da5dcc3000c026df8d649ba0ce6a4c46747f67b

SHA512
3896fe1bbaa56ea9554065affa6d785cedeb5bf280aa6a21067cfce85807016b6626687bc550a9ad6bf505e4467aa61e9775b254db249ec37f867cf332ad059f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qnr7778y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
8853be48c8ec780c4fc023e8938ed167

SHA1
b7fcad2eb68d0bbf5bedc27ab999e7af8895c60b

SHA256
9b2073e8383f9c1ac8dd13d98b35925a362fb046670105e4109dc0594be3102a

SHA512
363ed7b2140e15f634452bfc2463b47662583b9f3c8b82e6c6e007026a9a8231caef424805f02e72868c2018beaa04c72de15f554aa3b303dfdafa470a35195a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qnr7778y.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
5e935a66e12d68cf64affc1bfc47366c

SHA1
b92f52df5cee2e290075e362107bb41dfe6af8ef

SHA256
68e5e81564a8ae6413a19f0af3480668b36aa19e0d5e850bff213b474e1ec999

SHA512
f9bf565a2623c278e837596f45b5a6e844e7301cc0d843550f223106d6aedd940795e13e8030e4656d45af738add43d6c393c73521420ce80056a8e619c49b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qunwsu4w.yna.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratjhe.exe

Filesize
78KB

MD5
b15cef41fc457e1bf2f69a278ee1864f

SHA1
461d198a90c22b9b2752fe9205aa074484fc7f63

SHA256
b5da8ba6cb64578b8953294f1901f1cdfc3ad5164dfa19b87f22ff3fafb2edd4

SHA512
3ea119011f2b99d236e04f4084d0ef425abb17bd86aa4b8e47f61c3faee3bebfdffed29ecbca07e2974d566f5593c428ecf526f953d00063cb4ed66b8e8b24d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9877.tmp.bat

Filesize
145B

MD5
f6418962a9a67e219964c8547785422d

SHA1
1b7daf37631178cfb3043817ab90633005075068

SHA256
3ad8efbb84fb570b22c21ab0713154fb063bf015314c60f1fee17852adef9fd7

SHA512
596bb7eefefdb4f3ce2c36e8de385975d9c077ed713859366d3dc6f725a7a627c4403b042b25da8e1076f8c3fa470ef3614c131f2eed427a66c715bba8b60554

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\G.exe

Filesize
47KB

MD5
cf2ca438000d1b1eb52027e072633348

SHA1
225a0741c9cb1cdddd12dfad6895bb91bb218712

SHA256
002a936cc181ea7e45b5f441d90cfe633a9ba5abece878a789163ca2ef992374

SHA512
6c12d644711ac63005dfc958c69a7e5b842d1e66ae23d8f60373a171572398f73187197f1f480222469dfa371f1a6baea65c5189bbf8e4a593db0e0e907a1396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CS63ODFP9FN6T6QY0ZNN.temp

Filesize
10KB

MD5
62b706c9694a05c8709d5cf2a6416633

SHA1
93cfa7a4bb2ac97395e31a47da17f2a62b0a218b

SHA256
8a35ce59f0e95f49b46d3a37870a4b65fcff95389a7c758844f6163b66896238

SHA512
277e6e8d937f8bd7693210b3037c15939a05f001d2e23af846a3f92477a97ad5000b129e4043999d61fba83f1fc5f44c15e196ab83d62499fcc6396bedefb58b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\AlternateServices.bin

Filesize
7KB

MD5
83c48aba8e7003d80f85ec9e5e93656d

SHA1
06c2acdd6ea7d7a9d93f7d961d97733cb764e23d

SHA256
76cceb363658429d2b56419b617aa821c00a313d635388a6e591cafaf1166dc6

SHA512
941c4d4e20f6b6e5d607141dd7729f646482029dcb21d36003768b78d46e88b6ef769d0661e4c4d6adeb78d870f659c996727311ece9844b2d51a0e4b48496e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\AlternateServices.bin

Filesize
12KB

MD5
0a3f29682053692bd88c5c4d78332ed2

SHA1
21625609acaf947d1e1d98927ce806875fcf6811

SHA256
ce0470b08732a3340fd96216f1a3150f434b5e725ac930ac1ed3ba54ff99e83d

SHA512
5492f3d7ac2868f67376c76c9443ed233e232c3110d55dd93c1f264f7d93b189b66338afd0f0b282a85d7b3f57850bbb7e9a4265ecda4b146aa06235327118f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a55ffa127f0ef55a1ea8fc8ce8e758ae

SHA1
96b2c6d65ca1fb38c297683f5f9ed2e32ff355e8

SHA256
c1b7a7302b5a0b05e2b295b0ad4556ce167638380e22d3b2a9ab6e4a66504211

SHA512
881fc5c444b10006fe82df60043e1ccfe7bd214f5bc37188ccf2e263ed476ccddc9b71c2e269b406c882d6f04cee311b978b9d9351312fd50574533da727615c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
18ee30bfcaa27b82151314617ada32ea

SHA1
49e0d9816a1b60cd2930240ee5ef5f8425742bf5

SHA256
9cd611da16f769deac18af6a79f7f2501c4f7e17f1093fab4c0f4bd34a3143a3

SHA512
b9cd4fde1ac31695501ad717901ccf5905c3f982b2e25dea3dfd4bf01463af50a9d50eb7550ba30368e3e775e5e577f529c708fe2cdf64fa020d1273a6ac14e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
97f6a14048563a495c6c96978893886b

SHA1
ac509af1473d624994deedde8bb2ef0755240339

SHA256
d12159b00e1a3990146b9bcd3acf9a9bb260f0753fe719a7862d9f1d27d077d8

SHA512
96513f6862b00f5fdc01c9113bb1e78065012b2484b816d342bcec74d2437ebacb5ed72cb3925e78efb655a7bc87a726459550b9bb7c118c7f7e646f185a9d71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\pending_pings\196fd1af-3e11-4fda-aa0c-23045098ae08

Filesize
982B

MD5
4d4ce0d0acbde16f0cf5c3ba738652cc

SHA1
3f7039da19a8918ad7e69c9d844cdc0df4e96b78

SHA256
3626779e6ac44a4a44f5d2583a31f3cb0b102462ca170b888826b5cbc7755c5e

SHA512
70f1716f48efc5be7eac8b5c77fc7cb04b4b963a4595c3a0f3e3e0a7ef5300085b73931ec783c52c8aa3f67a4a76304fd95566e5c65def37c600812758690a84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\pending_pings\265384f1-9d90-469a-ad96-febc2ffbbd4f

Filesize
671B

MD5
9adb2854d03b350a766082cdc6448dc7

SHA1
79011554fedf02001ae985862c81bd59ed43a127

SHA256
6308207be72cae82bb7b6f73ff7d201aaaa725b6ecd98bf833f1fc04b7478534

SHA512
b5c99f8216a8d9410a4adbd2d537068d91b6bc6b042b9ae7761bc32d87943e1c3a6b70ccb9cdbd4713177ae5edd585420a72617f7754bc3fde17303f1951d24a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\datareporting\glean\pending_pings\87cea96d-3b7d-48fb-85ec-821434e59255

Filesize
27KB

MD5
ce7cff28aee020919f47eafabfebb6d8

SHA1
6b34331c5496ef64e11ef31f280d940d7a8e8d68

SHA256
1b26872c5859f056d6fec0c44c53d7685611911ce1a516491c7746887661b070

SHA512
dc0f79b662419ef51773c5d21b6ebb1e072e69ff4548658817cc90f8281dbea62e6f6eb625d171adce0053812f44e820bdbf4c03d41af96baa2d09d581e03750

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\places.sqlite

Filesize
5.0MB

MD5
ea924361cf72823bdd418d1ef5704740

SHA1
055d8cc65d58b0742ba21f4c45a4ec30fd0fb9dc

SHA256
325a48b8155dc441a0900e3a24385c4cb83273c2cf1314023d9785314ec5c0f9

SHA512
27590c42327692a153a52879f3dc6cf5f6dafaedc1abb49f67a0f71b5bfa47a968cf0c3735afb9a928ba4dfcc8193e22aef713cc406e872b0222ed1b34f46d80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\prefs-1.js

Filesize
10KB

MD5
76c9c20d782e30eb48c33f17177a64b2

SHA1
fec19122eed2024d44541de2a189bf2be79c25a3

SHA256
b74c54fcd037258bf04a7d25df9e994612e3df046435817678cb537dbf57b226

SHA512
60a696ca8250142c0f1a29da9742fa1c152374e5866cb56f41794fc8da4a473a2a87552943ac48a56b22e9287bf36da300e447e30ea9b257366e71c584ad1992

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\prefs-1.js

Filesize
11KB

MD5
04ddf9cf03e06b7d14e04d3ed8c68c41

SHA1
b0115deea869062e49be64d4189b42295969334d

SHA256
f063704014c02bab1fd7511118568f4eba734971cd832132e7473f7d7bac2657

SHA512
bd0e7b2576c66ee051784f9a9760c4afc4068c9b50f556541774b4a503690293d34131f05c3723c3fecd86704984e978456bceb875c468b57d8a67473fc6921a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\prefs.js

Filesize
10KB

MD5
20f9e001323983f3c4786e9d19a50f3e

SHA1
aaefcabf65e6325ad857dc56fcc246bdb7a7a812

SHA256
a13fa45b1b91b15a68734d6425b73d398a8e7c11cc27f90378474fac9395a714

SHA512
16b816bed7bafb93bf9435ff579263812fec4e8b7a77555beeb0bb78e2db31caeb9baa4fe3e4ba8e253feb699eeb29dc3d6a4508e3d987e53ad13cdfc68938db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\prefs.js

Filesize
9KB

MD5
c977f5bbf4678d3fd25f1f54c133eb5c

SHA1
dc271db2ccfe0a5973b06a59246911029a231165

SHA256
85b6297a1480342643b22edbe46bc7baa37e7ea9fcbf347929edea257befd980

SHA512
5dfd4062209160efdde9ff2363b9e3554f81b391361b37bb157965851770f1a30874ae2eca787612547abb076b45eebd902ebd01c2c930c3f696f598f120c9b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
10835df3c3506bbbbbb306af213eb091

SHA1
fb28dab6ef929c4c573f66536a4a8df3c9982fea

SHA256
cb806ed01b62a310cbcf6e0b1850ab761f75dcba23b34582991a02ae0ebd6239

SHA512
8029cbe96b7260caf30b1adb8f4363d527fbee78d9724722a536e11fd5116b8dbdcf32cd0e123bd616a249bf730be438d106205c5fdc23841312bfac1e8439e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
d54b768124fa201e13665260fb41a156

SHA1
1d943cc57466c51a4633ab7b4ed66c62293e59a0

SHA256
8fbbe80ef9a4392ddfdb7f6337cd7f85f58f269266d8984af01a2566c3b941d4

SHA512
1478422125f28eb2c1f9f8ad8f9b545f5f392d9fc4ed83deb50da4eeb64e451c4d573793d0928cc33a43d0c5ab8ac608d219d6b50a46115d08d2297986c400bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
87172b7090435728047e6df5f1c98c2a

SHA1
c56ece7eb46aa1188a0229ca93e4fccb8f8f3d4d

SHA256
af34e53b07daec95aecbe9d55368b3c1a028c8a73c7c04cacb9038eabe82c677

SHA512
e3509fdf1fed8f8e90f20fafa0894f1ce6bbf27171264bc3bbbb358e57d20ef8b5f369748b5aa7c70432e9ca0e40468c09a981e99c205e2dd51e0f85d7a3caa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
95026cd135d1c1facd73acb88097502f

SHA1
8e9c59deef1d4fd7a67d6e90f408180acfd9fe1b

SHA256
d7b594eb3f71b1a32124c157c431e3f189739609a23d0ed0d8ea9a9d70a948f7

SHA512
62a3e53b924758199e6a836b5dcd0a28a99bc3850a9925fcb59bd1842c9f2ec6ed972dd34d499eb5f691df6e2aa0532ddb43f80b7cb9a4205f459a25cc2e147d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
0246efcc592c3fffcee2cffdfe3f6547

SHA1
b377461a7743d454cfedd866b666297e311f7e0e

SHA256
1d20ecb08027937c4a3137e20057fea69ae9383a6124fa9bee0a20456d21daaa

SHA512
d357fc4fe1b7a1b89e2dca2271e952b1027303b0df547f2cff61de8c4806261c5a4addd1cf6f3592a60f69390156605c03bc35815749ade15a86ca921d81bca0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
1e136d1e21a9df087629a83e740eda0a

SHA1
4234c9b4893599176db617e556c089c0a9ba101a

SHA256
fd09f5e8eb5c09f92b979ce0fbcbde39cb9c0c373fc1db1f57be454406666f34

SHA512
2570ea4c9e3f8661b90d0298bea0531834188f04d9d8fe0354f83536083203623a1e857d5d52db20699b4abef15a1462ece1249b20ab46e5d40463ef00b1b1bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
8b85ef698af1620c235944ca8cf47e63

SHA1
d8cc20635da46f7435ac671bc2d373c67da2df63

SHA256
9104fb95b0745d6df7e771ce954cb00c0dd6c63cfc85122c01ebbd60e4cbb812

SHA512
ae0e652ade334253bd2b9667671cfe3cab583372cde63c9f9d2b7395466f0dc2e065e34094be6a4b7bf73b01f2a4fe12153ba120a5b51a0a6a8eec65613a6327

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qnr7778y.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
ab3b34ad673dae234e2a8622a0da0d25

SHA1
1197b48fdcb2353a1b29b46ca088242a70941f18

SHA256
eaf6011455a4b0c8e638dcedfb444f456828433addc300c7bffe1ef31da4562e

SHA512
4129fb7dbe531a56c86c9bdfc7fd25e0c34f05574b9e7d2d04a6e2fa7b19c99db7160f0c70705d28e4b5c3fc475db97e07d53a3786514cb99df5b0be1f3e7ef9

Download Submit
memory/2100-1-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/2100-4-0x0000000005F10000-0x0000000005FAC000-memory.dmp

Filesize
624KB

Download
memory/2100-0-0x000000007511E000-0x000000007511F000-memory.dmp

Filesize
4KB

Download
memory/2100-3-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2100-2-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/2100-9-0x0000000075110000-0x00000000758C1000-memory.dmp

Filesize
7.7MB

Download
memory/3104-634-0x00000228CB580000-0x00000228CBAA8000-memory.dmp

Filesize
5.2MB

Download
memory/3104-633-0x00000228CAE60000-0x00000228CB022000-memory.dmp

Filesize
1.8MB

Download
memory/3104-630-0x00000228B0770000-0x00000228B0788000-memory.dmp

Filesize
96KB

Download
memory/3328-610-0x00000000054D0000-0x0000000005506000-memory.dmp

Filesize
216KB

Download
memory/3328-611-0x0000000005B60000-0x000000000618A000-memory.dmp

Filesize
6.2MB

Download
memory/3328-613-0x00000000063A0000-0x0000000006406000-memory.dmp

Filesize
408KB

Download
memory/3328-622-0x00000000064F0000-0x0000000006847000-memory.dmp

Filesize
3.3MB

Download
memory/3328-623-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3328-624-0x00000000069B0000-0x00000000069FC000-memory.dmp

Filesize
304KB

Download
memory/3328-625-0x0000000007940000-0x00000000079D6000-memory.dmp

Filesize
600KB

Download
memory/3328-626-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

Filesize
104KB

Download
memory/3328-627-0x0000000006EF0000-0x0000000006F12000-memory.dmp

Filesize
136KB

Download
memory/3328-612-0x0000000006300000-0x0000000006322000-memory.dmp

Filesize
136KB

Download
memory/4348-608-0x00000000075E0000-0x0000000007642000-memory.dmp

Filesize
392KB

Download
memory/4348-14-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/4348-601-0x0000000005C10000-0x0000000005C28000-memory.dmp

Filesize
96KB

Download
memory/4348-600-0x0000000005B40000-0x0000000005BA2000-memory.dmp

Filesize
392KB

Download
memory/4348-15-0x0000000006840000-0x0000000006DE6000-memory.dmp

Filesize
5.6MB

Download
memory/4348-16-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/4348-17-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/4348-722-0x0000000007650000-0x00000000076B4000-memory.dmp

Filesize
400KB

Download
memory/4348-18-0x00000000067D0000-0x0000000006838000-memory.dmp

Filesize
416KB

Download
memory/4348-759-0x0000000075070000-0x0000000075821000-memory.dmp

Filesize
7.7MB

Download
memory/4348-19-0x0000000007040000-0x000000000705E000-memory.dmp

Filesize
120KB

Download
memory/4348-20-0x00000000074B0000-0x0000000007542000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads