Analysis
-
max time kernel
76s -
max time network
115s -
platform
windows11-21h2_x64 -
resource
win11-20240419-en -
resource tags
-
submitted
07-05-2024 23:39
General
-
Target
https://github.com/BlitzedOfficial/BlitzedGrabberV12/
Malware Config
Extracted
orcus
209.25.141.181:40489
248d60d8a7114264bce951ca45664b1d
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programdata%\Chrome\chromedriver.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
winlogon.exe
-
watchdog_path
AppData\svchost.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 2 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 34 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 61 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 23 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/BlitzedOfficial/BlitzedGrabberV12/"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/BlitzedOfficial/BlitzedGrabberV12/2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1896 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1912 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9458c530-a561-4a6c-a817-33041fa37870} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 26379 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f653da6-7d55-43ce-b2ad-6a0cf06b36fc} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3252 -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3240 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f04cd573-e570-48a2-ad41-bfcb24fb6dd2} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 940 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14899d86-7769-48e4-a268-eeea199534f6} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4176 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2744 -prefMapHandle 2740 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4f840fc-a5e2-4410-bc4b-bd914e924759} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" utility3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 3 -isForBrowser -prefsHandle 5528 -prefMapHandle 5464 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac74de57-5cc2-4b48-b671-2cbe8313b14e} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 4 -isForBrowser -prefsHandle 5744 -prefMapHandle 5568 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cc4ef8f-aa51-4a12-880e-bae59d274e40} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5468 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab9b7fc-1e5b-4264-8aa3-bc1980d4b230} 3480 "\\.\pipe\gecko-crash-server-pipe.3480" tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\BlitzedGrabberV12.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\BlitzedGrabberV12\BlitzedGrabberV12.exe"C:\Users\Admin\Downloads\BlitzedGrabberV12\BlitzedGrabberV12.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -File mxfixer.ps13⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gq-kww4y.cmdline"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8931.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8930.tmp"4⤵
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
-
C:\ProgramData\Chrome\chromedriver.exe"C:\ProgramData\Chrome\chromedriver.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 5940 /protectFile4⤵
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 5940 "/protectFile"5⤵
-
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"2⤵
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
-
C:\ProgramData\Chrome\chromedriver.exeC:\ProgramData\Chrome\chromedriver.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Chrome\chromedriver.exeFilesize
4.2MB
MD509204a8bedcb4cfd02bfb8e3b9758104
SHA189175f810ce27ab7b3f9fa988303224d60de6472
SHA256dc69f6f8d94d4b3fe5bd15a35966ec7e5b1f34a5d9ec916693aca8373a6c9a67
SHA51239db007631a55a53d58a0de1e49a23003a1470e7742f2dc486661e6fbaddd1e6342d01e2f4e042c4e8122c048c4d60815a984712647f1affb24d12835e941db4
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\cache2\doomed\24951Filesize
808B
MD5269125f1ca65c5433aaa9990d4b0fc3e
SHA1528a3d5dccc4da121aee808c039f51708a29ac1a
SHA256cba80eda59df9bd9ef1e98cd7198c172ea647aafeabe111331a3ee16842effd7
SHA512e9b65095a6ad9d8bf89ce4effee26f124df177bbf2d19b61dd3156c98bf39f01ae1842e2da1face775f1819c4e87064ccd343924df92806428b10fc5fb879d36
-
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exeFilesize
1.6MB
MD5228a69dc15032fd0fb7100ff8561185e
SHA1f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
SHA256920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
SHA512373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1Filesize
35B
MD55d792fc7c4e2fd3eb595fce4883dcb2d
SHA1ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA25641eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA5124b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e
-
C:\Users\Admin\AppData\Local\Temp\RES8931.tmpFilesize
1KB
MD5a986ba182c63bb2f3fbfcf793dbc5219
SHA1b2b84f31b153b38882c00ce419a0719ed22a9c29
SHA256c6adb08aeb51e535b575a4c410a728e4c3ca6747a911d6ad9f57e79cdacb3617
SHA5127513fa41720c89cccfb02414e36b5b44904e059158b45f3ec0abb3a5305c0c47669ffc05b65bbca6bb55d0444d9312b06c989976d4e1d69ce6e2aed439c1fd47
-
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exeFilesize
6.0MB
MD53926c7b8fdfb0ab3b92303760b14d402
SHA1b33e12ef4bdcd418139db59d048609c45fe8f9eb
SHA256c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7
SHA5124a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xmdzptxi.khh.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dllFilesize
136KB
MD59af5eb006bb0bab7f226272d82c896c7
SHA1c2a5bb42a5f08f4dc821be374b700652262308f0
SHA25677dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA5127badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a
-
C:\Users\Admin\AppData\Local\Temp\gq-kww4y.dllFilesize
76KB
MD545fef03a8a52faab9d26ddc1c68f78b1
SHA1001ce01661469e4976814929f3bd5770682f2ca6
SHA25687359780ae5c4bf5a82221dad2733aad89e532424237151f1850aef14c0c4247
SHA5120e40e454611fab4cccb5015dae40d6ad9f6c11564a80cbcee6c2d5d8cf6c62422c078f3170af7791aff9671bea99add3f122a0a3e7c31a51f27a909c4d2ab84c
-
C:\Users\Admin\AppData\Local\Temp\mxfix.EXEFilesize
155KB
MD5b4ec612c441786aa614ce5f32edae475
SHA13a264f8daeec9b156ddb5ed576d490dd8fbd8e7d
SHA256e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd
SHA512c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\AlternateServices.binFilesize
7KB
MD5058f0f8eb5662a094552ec0900376c82
SHA1b51e1fe8e676a192a080290e6d45867e6db71f66
SHA25692e8212b58e63173ba23f7627a9f23bc4afe17c23f828e9baa99b94053b2f5cb
SHA512a9c8b944c8cc7d8fd02ea8733678b2842d611a0734c24e7a3903fdc0d83215a1a3d5305282a47fc8bf14ddb5d5155f1dad1867263b0db75900e17f3148a4279d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD5584466ca7402767ebc4759c62df9a60e
SHA1eea849c53973886e14f762cb34bb4f86c42f2dd3
SHA256d11c3441399bad470b2cc0940857c2fa96608388d906a41b612f3d89b642a925
SHA51205eb4a294a5b197196f35fd06f5e8282d67a133846fd90839a3efdbfbf51cfe72e41ea5679cc39f8181b397bdf23ebebfb37c0dcce6f16fa5a650209bc2256fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmpFilesize
5KB
MD5c1a265349f621498d0b300c33676bc4b
SHA1e8a3e1cc62eccbf61d2d2b5739ec3cc696ef7dac
SHA256af0bd94e1f20a444e241dd3c300bef05a67e39e66394fafc1fe90f515ca4d00e
SHA5122f551388ebd7b9f123b988b652f9a193f0831e94b302fc0ffea2d5642a8d7e7d95c1a77a7d7ff00ffd7c3c2dceba7766e1c62cdf49de69c568ebdba4b378af97
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmpFilesize
6KB
MD5900d3c1c5c44caf41aad159179c07dcb
SHA1a6cf269dcea0facb3a8d41e058046721bbe5728b
SHA256c32812d91af1f8c2045a1274e7387daaa7805e7b72b0405918733d69ee10ac48
SHA5123576da76be82c9a4c9456b86cc379d1e1913a7e940bbd66a8ed18f4cecac3fb8b9b8d56f8a19f31c365ad2e52bf4148037afd49328cfc26c81d361a6ffe6ece5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmpFilesize
6KB
MD504821472d65673179756bd7ee9dbb945
SHA14827ab37946ed6f8a33744ce99e5e7cbbb47a70a
SHA25613929fed68c86a9c7346748e7d1fd6d970893212b109d90f7e8f07aeabff9ad4
SHA512fe4fd888da41ef0832a6bbd8dd127c86084d47ac6543e4c4772d2abf494293fb8bae739f6177cfbe3f90ccf7850e3e1ddb2710420c20c9ce69929e65a3573e13
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\560a5566-c831-473a-9dc2-925c763fff13Filesize
671B
MD5f682cdfd6b66d06295b289f18bd797c5
SHA13b722bcd12da0fda588464604f55118829b7b062
SHA25678cad6d9c7ea2e485b4cca7b07c2ccecb363c134faa5d62567792f2a8274504b
SHA5122b75e440781449d1367e9d8723197a0ef92f9dab7ca9cf41ed89d41084d142c9621d8572b590d61e4e6451542625a5080f4f1f04b17a5038e9fa4f20bf71eae8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\94395168-45ae-423a-8882-0290e85e0c31Filesize
25KB
MD54b87df325ea80bb9a041f9705448633e
SHA15f18c857078fa93ca3db4a15f1d2dd17b105b1a0
SHA2568a9fe59a5015b34527b2e982be30cd2c55bf202fbb271b08c2e69b14c38a4d17
SHA512155ec55cced4db0b8e967b9ed45df0ad08705e66c7a960c103447f59f4d275db75506ba020c128c9b03c48ca6262abe8723b6f6e5a9d14c4566011f38596acb7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\c7968418-3975-4671-8ca5-ff3bfd6ca898Filesize
982B
MD5a0eec1b8867561f52f962623163fcb6f
SHA1ff91f781892788a78545944cd96310b601cf4b2f
SHA256de986b2ead17f94b4e0bc1d81556da7029af06673797b971fb9fb302db5b1818
SHA512637ff85c355c5674d12089f4c994ad87c6cdb18d7f8ffc6a36e4429e8a4646bd439116ccecd7aa35cc8dd063e4ca075398ef903fa923ff2040dbeb16232a3652
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dllFilesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.infoFilesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.jsonFilesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dllFilesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs-1.jsFilesize
9KB
MD5fe01193800731e3b89da295d27f1f72b
SHA142306b485f821a5108dc3dc413ef6ae5752b186f
SHA2563e652ea0be7f9eb9a1a6d76f16463f52f82ccd1c9e4de55df308f3218450ad24
SHA512b6651d6a85abdb6c4ad9a8702632e6c4460630c8c90737fdbf91655fdb149f76f1a975b032f40bd89c3a6e4c4946d9016f0634daeeb35deb71d02931d9845660
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.jsFilesize
8KB
MD58005f2dabd13bc4c021f2a4fe7071c35
SHA1fae870407bb7004c6d7ee1d96be323ddd799700b
SHA2568a34ca4eecd1e4034d3d28946bf02dad3cc6bd8d68737b835f82fee036cca38b
SHA51216ca1cb513b31a3256f793df9021cb1d4f091080dc81b0f072c8ae1e8c90ef4789cd09cd9af40a23d71a4861c925b15a11b671cce41a050b2142563e807c3a2f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.jsFilesize
8KB
MD5b303baaa209331da4fdeb70cdbacd6a5
SHA1416c30f3ad56a05c62c1c526a6848fa779caaf1d
SHA256b5f54f006c5e551a5e7f18cc20b0b5f39caff0922a1dded323d7cbbe52412e76
SHA51220bf646e987f27e2f3e45468598a72f9720d89e1223b35f06cee9baab18c51038608f1ccdbd04dadb2e2d0d343fb50f78df716fafa4e216dc8058a66b1ede3dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.jsFilesize
8KB
MD56fe787c5dd6431e8f4b7de718b290c7c
SHA1aa55884ad7255ae05161f2957543c2fae3405536
SHA25672c109aab1aa8fae4d86ec81a540d591ae706e786d69f910b14ebd3669c7d895
SHA512381497274e64ad6b81185973da73e794a665f00c4b94658cdca39a916d9fd2cd4fa732146ad0ebd0703a16767f6b13e0b1686c9e57a58ea02b7400e7802f0fe1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.jsFilesize
8KB
MD5a24ec67abc8aac8670a668116a238284
SHA1735074dd0c1cdbcd28fc4f0fc1bea42a62e943a4
SHA25678a17fcbd6b6c04bf2a2e730283fba5fdb8997ff402c55db62d8b5ae57147a26
SHA512bdbf41981e24a4ae72a147c44b48e96794bef59fec7ae39334b60f3f5ba903ed28b40b76fbe32aa5c4ab318eb2cd0f6d6531d0db0184656c701bc9df94760dc9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4Filesize
3KB
MD52d8d0c9a3b42ed2688ad24cf0c8e7797
SHA14420393a9354590e93a744dabb889c10d4e7018a
SHA256b7e1dd3970894e77e90cd52c47c9e767acc7f7288959ace6a38acca445158624
SHA51208d144a50fedab5c29955e54cc346fe8c217d10417eeb40a35cf3d8926a351015627583080589fd2db5889b04c57a43bf5e6917730ed0f4109edde4098790194
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4Filesize
3KB
MD538fdbe09fd335e4cdcdbdc81ce4560af
SHA1b23dd04344978b50fb29096e66bee4ff78e0698e
SHA256d157ac0ee67eb08d483441c3b92b0ffd482ce4f55c416bbc127820bfbdd87c86
SHA512da73aa4a9340802ee32ae44bd6ff397b0f47cf42a74d0dc510a677199ee3f3a8f90b93940581a8cbf3ce4fc3f390734c2f6741fa7341a5252f8f1a5e3159e665
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4Filesize
3KB
MD51262bd349e8d82ea61772e7cfc9ad8f3
SHA1aba423440b7e82b506ffe9b1a1e23136b23b395c
SHA2566ab731e501486d0861561e3ca4d159ffd0848b2ae4746a67fbcf970b95480d8d
SHA51290ce0e4262989fcbb7df3a4f5b176794c0e9562d5a07337e73704b378726013f4908d07e889a12538dd38009fdb900c485abb5320f4728e298d0a0bb3af38dd6
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
C:\Users\Admin\Downloads\BlitzedGrabberV12.dViY9gnQ.rar.partFilesize
3.6MB
MD54282ce784621bf22365f21260be70e5e
SHA13e743738e2ec8cc35d64ebbad99abcfde46eafe3
SHA25606fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
SHA512aa776cfdc39c152814a7e0e6def451454ca30fc4388dec48f3d12b1e50a0ee3925bfd2333700919b52af725cfe7ece93146ba24a9c0d2a6c0d602f7b243b77ec
-
C:\Windows\SysWOW64\WindowsInput.exeFilesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
C:\Windows\SysWOW64\WindowsInput.exe.configFilesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC8930.tmpFilesize
676B
MD57971209fc63e96e876683e624664afc8
SHA12120a9a479028dc75a9e78c45bc7cf89a4ad4c6a
SHA2569c5870eae53643dfa0c570d542e421b0fc3bd3bdc1f2d91d6832404483f9ef57
SHA512042fa6c3f2cb256f84d2132744128b423bf76d468bf7cbfe68a2ef6a342a51101fb0872c9050499abd7ef96a0d3cbcabba1b72df683e7a3f4d85595bfa5c9113
-
\??\c:\Users\Admin\AppData\Local\Temp\gq-kww4y.0.csFilesize
208KB
MD5a4ac551cf6ed0120fb07554f008c27bf
SHA1ae32616938f3787f9b019cfce3f4612989631dd5
SHA25627b90722a258043d12c7d3f700eaa3eeb2b8e282ca5c1bfb47b964f6f53ebb2a
SHA51281c1066d2f6d87cb577fab84e10b7dabb07c12f71bf47c1aeeefd4f4aabb720b2279bd655c86b6c944493392f921b8e690b01187810a5cafb8860d03297dcb78
-
\??\c:\Users\Admin\AppData\Local\Temp\gq-kww4y.cmdlineFilesize
349B
MD58da8e9d1eee890ef6d472126b4596968
SHA1414df613cba9e1cb8233beb1addee4949be2c0a7
SHA25623838a12a40580f12ef4762d73b1dcf9188d53d3a6aba3a155759283daad2ae6
SHA5123f29e5fbb688a81e74908103f4799a9280edd7725721e11892655e11e36594a0f21858651751e0a295cabf19e3f0c5dac2b8b11948d56e682796e58b88312077
-
memory/3304-680-0x0000022954DB0000-0x0000022954DD2000-memory.dmpFilesize
136KB
-
memory/3472-752-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-723-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-769-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-734-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-766-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-765-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-763-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-760-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-758-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-756-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-729-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-750-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-748-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-746-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-744-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-742-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-740-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-738-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-737-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-710-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-697-0x0000000005140000-0x0000000005332000-memory.dmpFilesize
1.9MB
-
memory/3472-736-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-733-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-732-0x0000000071620000-0x0000000071657000-memory.dmpFilesize
220KB
-
memory/3472-727-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-694-0x0000000004DD0000-0x0000000004DDA000-memory.dmpFilesize
40KB
-
memory/3472-684-0x00000000002A0000-0x000000000044C000-memory.dmpFilesize
1.7MB
-
memory/3472-707-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-705-0x0000000073AF0000-0x0000000073B7A000-memory.dmpFilesize
552KB
-
memory/3472-725-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-754-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-706-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-690-0x0000000005450000-0x00000000059F6000-memory.dmpFilesize
5.6MB
-
memory/3472-711-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-722-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-719-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-691-0x0000000004DF0000-0x0000000004E82000-memory.dmpFilesize
584KB
-
memory/3472-717-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-715-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3472-713-0x0000000005140000-0x000000000532E000-memory.dmpFilesize
1.9MB
-
memory/3708-636-0x0000000000830000-0x0000000000A74000-memory.dmpFilesize
2.3MB
-
memory/4272-686-0x000000001B440000-0x000000001B49C000-memory.dmpFilesize
368KB
-
memory/4272-2301-0x000000001CAC0000-0x000000001CAE0000-memory.dmpFilesize
128KB
-
memory/4272-2268-0x0000000000E70000-0x0000000000E82000-memory.dmpFilesize
72KB
-
memory/4272-693-0x000000001C0E0000-0x000000001C17C000-memory.dmpFilesize
624KB
-
memory/4272-2273-0x0000000000D40000-0x0000000000D48000-memory.dmpFilesize
32KB
-
memory/4272-1817-0x000000001B660000-0x000000001B676000-memory.dmpFilesize
88KB
-
memory/4272-692-0x000000001BB70000-0x000000001C03E000-memory.dmpFilesize
4.8MB
-
memory/4272-689-0x000000001B620000-0x000000001B62E000-memory.dmpFilesize
56KB
-
memory/5144-2931-0x0000000000950000-0x000000000095C000-memory.dmpFilesize
48KB
-
memory/5144-3071-0x00000000029F0000-0x0000000002A2C000-memory.dmpFilesize
240KB
-
memory/5144-3070-0x00000000011A0000-0x00000000011B2000-memory.dmpFilesize
72KB
-
memory/5180-6629-0x0000000000A10000-0x0000000000A18000-memory.dmpFilesize
32KB
-
memory/5916-3569-0x0000000019F10000-0x000000001A01A000-memory.dmpFilesize
1.0MB
-
memory/5940-5578-0x0000000002190000-0x00000000021A2000-memory.dmpFilesize
72KB
-
memory/5940-5280-0x0000000000010000-0x000000000010C000-memory.dmpFilesize
1008KB
-
memory/5940-5660-0x000000001AD20000-0x000000001AD6E000-memory.dmpFilesize
312KB
-
memory/5940-5886-0x000000001AD90000-0x000000001ADA8000-memory.dmpFilesize
96KB
-
memory/5940-6062-0x000000001B630000-0x000000001B7F2000-memory.dmpFilesize
1.8MB
-
memory/5940-6063-0x000000001ADF0000-0x000000001AE00000-memory.dmpFilesize
64KB