dcrat | 6230ef10cc3c6ff83a0ee0c5d87273ccae68c0f61883b9a218dc4e0f2b351cd5

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gay.exe
Size

1.1MB
MD5

088ef66571d8d08e8e8f56d9464d9a2b
SHA1

bb77ae41dd0cb709f3938f264463aa2aa6943071
SHA256

6230ef10cc3c6ff83a0ee0c5d87273ccae68c0f61883b9a218dc4e0f2b351cd5
SHA512

1cdfd8428c2fcb29205be394c9a55824e7a5407611fd694a52526196852956e824f57e76e332b0c8d984ea8577f0000dfb9d72550344a9ced8c13e8d74938ccc
SSDEEP

24576:U2G/nvxW3Ww0tVOOfWa+tZDfQgZ9E9SXNmgSG:UbA30VOOfUVvJ

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5196	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5124	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5172	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6056	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	1108	schtasks.exe	106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	1108	schtasks.exe	106

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/files/0x000c00000001ea83-10.dat	dcrat
behavioral3/memory/2068-12-0x0000000000DA0000-0x0000000000E80000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	gay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	comweb.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	comweb.exe
1448	WmiPrvSE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
49	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lua\61a52ddc9dd915	comweb.exe
File created	C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe	comweb.exe
File created	C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9	comweb.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe	comweb.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\886983d96e3d3e	comweb.exe
File created	C:\Program Files\VideoLAN\VLC\lua\msedge.exe	comweb.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\lsass.exe	comweb.exe
File created	C:\Windows\Fonts\6203df4a6bafc7	comweb.exe
File created	C:\Windows\tracing\WaaSMedicAgent.exe	comweb.exe
File created	C:\Windows\tracing\c82b8037eab33d	comweb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3324	schtasks.exe
3304	schtasks.exe
3748	schtasks.exe
2912	schtasks.exe
3952	schtasks.exe
2988	schtasks.exe
2052	schtasks.exe
3076	schtasks.exe
1900	schtasks.exe
3392	schtasks.exe
5216	schtasks.exe
5160	schtasks.exe
2160	schtasks.exe
228	schtasks.exe
4248	schtasks.exe
3480	schtasks.exe
3700	schtasks.exe
1896	schtasks.exe
4768	schtasks.exe
3516	schtasks.exe
5000	schtasks.exe
3332	schtasks.exe
5196	schtasks.exe
5172	schtasks.exe
1096	schtasks.exe
4072	schtasks.exe
2908	schtasks.exe
4816	schtasks.exe
3848	schtasks.exe
4820	schtasks.exe
3980	schtasks.exe
5124	schtasks.exe
3752	schtasks.exe
2640	schtasks.exe
3936	schtasks.exe
2932	schtasks.exe
5784	schtasks.exe
1436	schtasks.exe
6056	schtasks.exe
3964	schtasks.exe
3564	schtasks.exe
3100	schtasks.exe
5212	schtasks.exe
5056	schtasks.exe
1812	schtasks.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	gay.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	comweb.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4404	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2068	comweb.exe
2068	comweb.exe
2068	comweb.exe
2068	comweb.exe
1448	WmiPrvSE.exe
1448	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	comweb.exe
Token: SeDebugPrivilege	1448	WmiPrvSE.exe
Token: SeDebugPrivilege	3392	firefox.exe
Token: SeDebugPrivilege	3392	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3392	firefox.exe
3392	firefox.exe
3392	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3392	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5136 wrote to memory of 5828	5136	gay.exe	99
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 5828 wrote to memory of 1600	5828	WScript.exe	100
PID 1600 wrote to memory of 2068	1600	cmd.exe	104
PID 1600 wrote to memory of 2068	1600	cmd.exe	104
PID 2068 wrote to memory of 3504	2068	comweb.exe	153
PID 2068 wrote to memory of 3504	2068	comweb.exe	153
PID 3504 wrote to memory of 3944	3504	cmd.exe	155
PID 3504 wrote to memory of 3944	3504	cmd.exe	155
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 1600 wrote to memory of 4404	1600	cmd.exe	156
PID 3504 wrote to memory of 1448	3504	cmd.exe	158
PID 3504 wrote to memory of 1448	3504	cmd.exe	158
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 4188 wrote to memory of 3392	4188	firefox.exe	167
PID 3392 wrote to memory of 5056	3392	firefox.exe	168
PID 3392 wrote to memory of 5056	3392	firefox.exe	168
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169
PID 3392 wrote to memory of 4916	3392	firefox.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gay.exe
"C:\Users\Admin\AppData\Local\Temp\gay.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\WebreviewRuntime\DA0G5NQf2P.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WebreviewRuntime\TaqdBAfZaG.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\WebreviewRuntime\comweb.exe
      "C:\WebreviewRuntime\comweb.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPPuo7WD3O.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3944
      - C:\WebreviewRuntime\WmiPrvSE.exe
        
        "C:\WebreviewRuntime\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Contacts\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\WebreviewRuntime\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\WebreviewRuntime\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\WebreviewRuntime\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\WebreviewRuntime\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\WebreviewRuntime\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebc" /sc MINUTE /mo 6 /tr "'C:\odt\comweb.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comweb" /sc ONLOGON /tr "'C:\odt\comweb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comwebc" /sc MINUTE /mo 11 /tr "'C:\odt\comweb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\lua\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:4892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.0.615108731\683095078" -parentBuildID 20221007134813 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {477cc07a-b38c-487c-9c12-4d85a2150881} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 1976 1c1fa1fa458 gpu
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.1.777649972\1294192441" -parentBuildID 20221007134813 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {082016a4-fbd1-4159-bdf4-aa8a87807176} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 2376 1c1e6470758 socket
    3⤵
    PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.2.154560074\463148280" -childID 1 -isForBrowser -prefsHandle 3408 -prefMapHandle 3404 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f91b59-ca6e-4e7f-a186-06fd9485f40b} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 3420 1c1fe2a8058 tab
    3⤵
    PID:5976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.3.779135237\1252516923" -childID 2 -isForBrowser -prefsHandle 3044 -prefMapHandle 3636 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e197e0a-38f3-4f9c-b524-9056768bbe91} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 3664 1c1fc5eb158 tab
    3⤵
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.4.698054714\46091106" -childID 3 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a38f762-413e-4abb-8f1d-35fe55b5d22c} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 4068 1c1fca81158 tab
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.5.694757141\1793576139" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5088 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f14820a-b313-455b-867e-34239ff41f0f} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5068 1c1f9ef0a58 tab
    3⤵
    PID:3772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.6.2100760295\988714736" -childID 5 -isForBrowser -prefsHandle 4964 -prefMapHandle 4908 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27d41e68-b70a-462c-b9a5-f9c836678b2e} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5060 1c1fc5cf858 tab
    3⤵
    PID:6004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3392.7.1615020329\475156105" -childID 6 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1424 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1133601d-679d-40d5-8807-682f0a41b1bd} 3392 "\\.\pipe\gecko-crash-server-pipe.3392" 5404 1c1fc5eb458 tab
    3⤵
    PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\E66F5AA5E3C285C270CF84BD11111C74D38F245C

Filesize
13KB

MD5
bd1350a8033f5d96c9a44cdf587f29cf

SHA1
12f90a0e33e455cd0945666260759ce540216bcb

SHA256
08d829f7a65a6e767ba8dd21c014582f89633be6571682721c8f9f98de1ba384

SHA512
288ddd54f552ad015342f551e09b139f83d182dda12b51ec01c4bb6b0ae2999ea02856e0f210873c8a4ede4cf0e679ef23cb5044ff05b42b4a32f7772f38d1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPPuo7WD3O.bat

Filesize
197B

MD5
92e3902f680cde418469c3753bf4b319

SHA1
a7e75a4adf55505f3f441750addbcdae5c893834

SHA256
e8e6bae527a1ff67a6a4cb81ff7bf4525cf962e0c071feacd1ee4998a6bd1296

SHA512
d8a1a5fcdf3bf5f7e7131512054e1bc0438c307bb9d2ca703e84f6d4882f73b525b1d3c510602663544b6b8f1b09f9812de464d8b08b43e2c2d603c33a27d2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
8fafdb77d8aa376306db2afc7d6c8ed0

SHA1
308e74cc6618ef941575902a848ba15e88d9654f

SHA256
4f71c4135398a1860ea2accfe86f597bf19aa6e3fd28eda19f897cd3c8767570

SHA512
cc3467457962d34a0c767d6d27dcfbabd7ce81b64e5fe86491432297d9aa9c8e489a1715452d86912135d0059502ea2a5a9eea312d8d5003526bbc0676f205bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\1828f740-fe76-4977-b234-c71b0b8106d1

Filesize
746B

MD5
300fbb4a77e8f6ceb77e5d67b9959443

SHA1
5095e6d330befebcd105b49b086ef66d2e6516f5

SHA256
7e829f55b1a33617ff04db180f344fe8e6ee53fcd3f99709509b06205b9c80a5

SHA512
7bd38a61d6afd3e79f9cda221f3b3ee85d73fdd6197973c2bba235743f003faa4379f4beae2bfd82d5146136b4652da8809b74eebce41057bc388fcdc2742efe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\451e1006-1214-4dbd-9879-7765131bc94b

Filesize
11KB

MD5
a458ffb09e137cbae2edafdba270a573

SHA1
8015a1dbba1dfb93b7e5203032ca892604821879

SHA256
7c15cd4ac8bd2ec1c3d9946dbe94e129f2e11ff67cc10adcdf385dd9bb3479e6

SHA512
3a986b613cf5060ee653c7f302bb30b322a73ed8b899fdb8c0a240e83562cb99f5b77f57032b81f079e383e8ffc917d89febc4c2c85436d0c402c352b8cd0f58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
62KB

MD5
e8d09ae247e90f50a3f6acf3a8f19fa5

SHA1
5d5c965913c17408ac264c4e041c82b2a9de6cef

SHA256
4d2c191c1ac43b636eacf3476791c3789f0f4c88352e173252a8e4046386df9d

SHA512
6b503ce8158b9bd4847dae424e978d94c83b6306ff7008b405278cde0b96bb232eb2f01e7e183f6780639dd487d643420f242f47a670e38688730a17f26cf7b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
8KB

MD5
f33900f458c979afd4444ea0e3dab78e

SHA1
b36d6b0632f60d913a7a4595d70dce123a85480c

SHA256
a718ba9e9895d1b34eb9e753f58e28770c752015cebd3918fc87b28f4ed19073

SHA512
051ff7e2a0acc1a743db694ca30b0c87bcca8480ab7b70bd281b3178c62089c074721b2f9113e068944fe8c07144428974605d28c61869d13a69f9969d79dd0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
29954ab4553dcb831a4eaf86c0d40053

SHA1
ca4de84d9329e45b548a8468f3bbc566674bea15

SHA256
53c4aea5851faa61ea31809474fbc59348a8b0c48aa3d9a56f74e6e093f8df1f

SHA512
95aeaebfdf2216b2331fb8d7ffa3806955be0408f01d95685de555e6e92b0c6eebffc74551fc38eb52f616c25c494ab565221b2875c27e30fcfeb8dc1659e0ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
359d26ab81065a973516c94803904723

SHA1
c636f56262dd4f93ae107d714de8512887178335

SHA256
3292d57397a965737933341abf6a86eb52aafd073b630a41190a70c3bde99d68

SHA512
481406d8c59ea7acfa1599275992fd115d754a38c0cf3979ad9fa2f62daeb001a172fb37a0a1a1deb66c0f6ec547bc04482d2c5a233325f8f696e433f55f5eec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
975ece8e44750781cf08beec792baedb

SHA1
8252af63b3b4efe506be9df55d35f84e9cf57099

SHA256
60e8701ba6c48d2bdb885012470ac13140b2ce63a67ffe159c2ab9d15f064c54

SHA512
f6a6f4657709b4917620e6e29cbcf9749aa20f045a0d83cb832e780133b6fcdb8afa3c644301b9abab249440028462c55cabc9c77e0b3775544a20ede632dc7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b446a1c106b105aa66d2f426d37876cc

SHA1
16c6f9997cea183560af37fb9de7edf8cb8f9c61

SHA256
2cb7abecbc7460db47993856faa3ae849cf4c1fdfb33b1a9e675a7f7719bc6e3

SHA512
9b7bef024409dc6439b3c1a8426f33b4b3c1226c80e3f51b946781197a1c144440532e36e605a23178a715333ca321b4a0700b5a6eaf1fc29db0c4efc46ca2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
901KB

MD5
8ad7207486846b9867705babf8352a2e

SHA1
76888a603fc671bbc85618bd97b6b6b463a80f2e

SHA256
54a74c4638a4e32a6be11ad6d18b6346494fd5df091a726cbfe5b011817b947f

SHA512
1a6775d4960ab42ec3323629fadd71d7bb319912ed351e0938c4e321b1471aeb9b2fb49f1f36259ca64d4fc83151c9abac46ec6af5ed026841a55a86d539090a

Download Submit
C:\WebreviewRuntime\DA0G5NQf2P.vbe

Filesize
203B

MD5
7fa3bfacfe0cacddb6346eeb7778b9e0

SHA1
78401945f41a85308674f3bde838b26a510e4233

SHA256
3d3d160d1d8264ac4aa1893fe67933ed5beb63aeaac1def84303abf3ca339f5d

SHA512
593ad78bad06523899c96afaf02f50cf8cda5ffffb01b402db63d8640beb55cc777dea84d568bc094d6320263d749a45a3d588562af1d2f4a9238595354fe701

Download Submit
C:\WebreviewRuntime\TaqdBAfZaG.bat

Filesize
144B

MD5
f58eadc9badc34d4296980bcd9a7d257

SHA1
cee017450cadfdc68e6ba8c9d26f76cff1586cba

SHA256
a4768266d92d5695d29070cfdb3538a5fd8557ca3674dc810921a0d9f6212219

SHA512
320299b8a6186b3af170d6997818ff75f7c34205da139aa0031afaae8e101ab7f2c30479fe5cc40614daf244e0b4d17a7190e0d7123bfcb7325b75122edc7677

Download Submit
C:\WebreviewRuntime\comweb.exe

Filesize
863KB

MD5
30f1d9098a779211064a5a0e258e74f0

SHA1
23109fab7d75cd1cde1d4bd94a1313f432497314

SHA256
6829753d21c982cf0ea6700ebbc9f78c411047406052507f00dd0169f9db7b95

SHA512
f69f49a166e88db2331a1e3826554d5fea983becce45260518e65d09b069babcfe3e478c612ad856b7eac79d66e395d3596b69b9caa1444cbf71b56714394c33

Download Submit
memory/1448-61-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/1448-59-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/1448-58-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/1448-57-0x000000001B0B0000-0x000000001B0C0000-memory.dmp

Filesize
64KB

Download
memory/1448-56-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-12-0x0000000000DA0000-0x0000000000E80000-memory.dmp

Filesize
896KB

Download
memory/2068-15-0x0000000002F90000-0x0000000002F9A000-memory.dmp

Filesize
40KB

Download
memory/2068-13-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-52-0x00007FFD82CA0000-0x00007FFD83761000-memory.dmp

Filesize
10.8MB

Download
memory/2068-14-0x0000000001680000-0x0000000001690000-memory.dmp

Filesize
64KB

Download