Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
31-05-2024 15:39
Behavioral task
behavioral1
Sample
nursultan nexgen fix.exe
Resource
win7-20240221-en
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2692 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2516 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2892 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2256 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1840 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2448 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2020 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1528 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1656 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2028 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1044 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2372 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2556 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2292 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1700 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1644 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2104 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2836 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1032 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1496 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1788 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 632 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 844 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1424 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3052 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1552 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1332 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3032 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1524 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1712 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2396 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2252 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2360 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2364 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2804 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2988 2920 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2920 schtasks.exe -
Processes:
resource yara_rule C:\portagentbrowserweb\Containerruntime.exe dcrat behavioral1/memory/2616-13-0x0000000000CF0000-0x0000000000E22000-memory.dmp dcrat behavioral1/memory/3048-61-0x0000000000D80000-0x0000000000EB2000-memory.dmp dcrat -
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
Containerruntime.exesmss.exepid process 2616 Containerruntime.exe 3048 smss.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2696 cmd.exe 2696 cmd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 11 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Program Files\Uninstall Information\886983d96e3d3e Containerruntime.exe File created C:\Program Files (x86)\Windows Portable Devices\Idle.exe Containerruntime.exe File created C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f Containerruntime.exe File created C:\Program Files (x86)\Internet Explorer\101b941d020240 Containerruntime.exe File created C:\Program Files (x86)\Common Files\Adobe\Idle.exe Containerruntime.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Idle.exe Containerruntime.exe File created C:\Program Files\Windows NT\TableTextService\taskhost.exe Containerruntime.exe File created C:\Program Files (x86)\Internet Explorer\lsm.exe Containerruntime.exe File created C:\Program Files (x86)\Common Files\Adobe\6ccacd8608530f Containerruntime.exe File created C:\Program Files\Windows NT\TableTextService\b75386f1303e64 Containerruntime.exe File created C:\Program Files\Uninstall Information\csrss.exe Containerruntime.exe -
Drops file in Windows directory 6 IoCs
Processes:
Containerruntime.exedescription ioc process File created C:\Windows\Migration\WTR\7a0fd90576e088 Containerruntime.exe File created C:\Windows\Fonts\dwm.exe Containerruntime.exe File created C:\Windows\Fonts\6cb0b6c459d5d3 Containerruntime.exe File created C:\Windows\it-IT\smss.exe Containerruntime.exe File created C:\Windows\it-IT\69ddcba757bf72 Containerruntime.exe File created C:\Windows\Migration\WTR\explorer.exe Containerruntime.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2256 schtasks.exe 1552 schtasks.exe 2372 schtasks.exe 896 schtasks.exe 1524 schtasks.exe 1840 schtasks.exe 1496 schtasks.exe 632 schtasks.exe 2028 schtasks.exe 2156 schtasks.exe 888 schtasks.exe 3008 schtasks.exe 1968 schtasks.exe 2976 schtasks.exe 2396 schtasks.exe 2516 schtasks.exe 2104 schtasks.exe 1160 schtasks.exe 2348 schtasks.exe 1856 schtasks.exe 2892 schtasks.exe 844 schtasks.exe 1712 schtasks.exe 1644 schtasks.exe 3024 schtasks.exe 1424 schtasks.exe 1332 schtasks.exe 2692 schtasks.exe 2464 schtasks.exe 1528 schtasks.exe 2284 schtasks.exe 1032 schtasks.exe 1044 schtasks.exe 2556 schtasks.exe 1460 schtasks.exe 840 schtasks.exe 1656 schtasks.exe 2292 schtasks.exe 1812 schtasks.exe 2748 schtasks.exe 3032 schtasks.exe 2096 schtasks.exe 2360 schtasks.exe 2336 schtasks.exe 1728 schtasks.exe 2252 schtasks.exe 2448 schtasks.exe 2772 schtasks.exe 1700 schtasks.exe 2804 schtasks.exe 2988 schtasks.exe 2428 schtasks.exe 3052 schtasks.exe 2364 schtasks.exe 2020 schtasks.exe 2836 schtasks.exe 1788 schtasks.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings firefox.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
Containerruntime.exesmss.exepid process 2616 Containerruntime.exe 2616 Containerruntime.exe 2616 Containerruntime.exe 2616 Containerruntime.exe 2616 Containerruntime.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe 3048 smss.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
smss.exepid process 3048 smss.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Containerruntime.exesmss.exefirefox.exedescription pid process Token: SeDebugPrivilege 2616 Containerruntime.exe Token: SeDebugPrivilege 3048 smss.exe Token: SeDebugPrivilege 2020 firefox.exe Token: SeDebugPrivilege 2020 firefox.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
firefox.exepid process 2020 firefox.exe 2020 firefox.exe 2020 firefox.exe 2020 firefox.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
firefox.exepid process 2020 firefox.exe 2020 firefox.exe 2020 firefox.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
nursultan nexgen fix.exeWScript.execmd.exeContainerruntime.exefirefox.exefirefox.exedescription pid process target process PID 2876 wrote to memory of 2916 2876 nursultan nexgen fix.exe WScript.exe PID 2876 wrote to memory of 2916 2876 nursultan nexgen fix.exe WScript.exe PID 2876 wrote to memory of 2916 2876 nursultan nexgen fix.exe WScript.exe PID 2876 wrote to memory of 2916 2876 nursultan nexgen fix.exe WScript.exe PID 2916 wrote to memory of 2696 2916 WScript.exe cmd.exe PID 2916 wrote to memory of 2696 2916 WScript.exe cmd.exe PID 2916 wrote to memory of 2696 2916 WScript.exe cmd.exe PID 2916 wrote to memory of 2696 2916 WScript.exe cmd.exe PID 2696 wrote to memory of 2616 2696 cmd.exe Containerruntime.exe PID 2696 wrote to memory of 2616 2696 cmd.exe Containerruntime.exe PID 2696 wrote to memory of 2616 2696 cmd.exe Containerruntime.exe PID 2696 wrote to memory of 2616 2696 cmd.exe Containerruntime.exe PID 2616 wrote to memory of 3048 2616 Containerruntime.exe smss.exe PID 2616 wrote to memory of 3048 2616 Containerruntime.exe smss.exe PID 2616 wrote to memory of 3048 2616 Containerruntime.exe smss.exe PID 2696 wrote to memory of 2564 2696 cmd.exe reg.exe PID 2696 wrote to memory of 2564 2696 cmd.exe reg.exe PID 2696 wrote to memory of 2564 2696 cmd.exe reg.exe PID 2696 wrote to memory of 2564 2696 cmd.exe reg.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 1896 wrote to memory of 2020 1896 firefox.exe firefox.exe PID 2020 wrote to memory of 1644 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1644 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1644 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe PID 2020 wrote to memory of 1872 2020 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\portagentbrowserweb\Containerruntime.exe"C:\portagentbrowserweb\Containerruntime.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\it-IT\smss.exe"C:\Windows\it-IT\smss.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\portagentbrowserweb\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.0.142806333\1059453835" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc1fb3d1-8e12-4b74-a48d-07d2face83e2} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 1292 46d5458 gpu3⤵PID:1644
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.1.470172293\139751212" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58bf3ece-4ec6-4513-afc3-415e2fffd87f} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 1484 e72558 socket3⤵PID:1872
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.2.363990832\502884956" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d4c4bc-c28f-459f-bd06-c048e49de1f1} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 2076 1a698158 tab3⤵PID:2940
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.3.1585743486\1225789549" -childID 2 -isForBrowser -prefsHandle 1644 -prefMapHandle 1640 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e78e2967-17af-4e47-95ed-96ced9f6f50e} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 624 e70758 tab3⤵PID:2820
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.4.163121456\1492471893" -childID 3 -isForBrowser -prefsHandle 2788 -prefMapHandle 2784 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f55585-0fa9-4110-b3c3-cf99997b8d1d} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 2808 e62858 tab3⤵PID:1536
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.5.1550377341\1503501865" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 3784 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd94314-ffdd-4c9a-b9b2-af598db57b33} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 3752 1f404a58 tab3⤵PID:2244
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.6.913305700\1727471758" -childID 5 -isForBrowser -prefsHandle 3892 -prefMapHandle 3896 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebac3521-81da-47dc-aa07-995ffddd47ae} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 3880 1f405f58 tab3⤵PID:1084
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2020.7.1413558705\667403620" -childID 6 -isForBrowser -prefsHandle 4080 -prefMapHandle 4084 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 864 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea624145-671e-4c75-b974-0bbbf5797bff} 2020 "\\.\pipe\gecko-crash-server-pipe.2020" 4068 1f406e58 tab3⤵PID:824
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ifb4waqr.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649Filesize
13KB
MD597695e1deaca6718798af8a24200f469
SHA14cec05cb0a1021df92092b7bf28fda8c4c1b521f
SHA2563a44364859dcc155ab4e7be3c6af9f24f6dae9365a1fc777827acd4769324783
SHA51285f3b7c6e52bb2eb0d8e1ca8d640e77921bdb29b2e4eb1a6fc70175c99b0acf44f4d319b148240f90d7b910b82d4f283fa67e197c0adb306bec26017110c4e16
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD52c50ce20959182dbefa37f80c2420e15
SHA1513beb712d114becc4a9a07c51925f695d275d56
SHA25661910b00bfbf9479f0b9c521fa930ac330d3da143e4221bc1fc0774059cd1001
SHA512e61eeb004d91bcac622867750877ea29ad24efdcada05b03cc149377134b15f9c6136cc7ca448cecb91492a5d066ba24ddbcd05d569b7113fbf307fd84e89da4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\3a96d33a-4070-430a-9ce6-6eaad9be2c67Filesize
745B
MD5b242b4a8de66c258b3db8d1db9523128
SHA1c5eb70c46124e2808215db2d545bc0d5a6028935
SHA25652cfc0ff23f3708aa083f14cb11f0890abc792df73a00ddddfd88b72da88c57d
SHA512e947ab70d21ca31a35e75a9b068b4ab44c19c72f5f4ccab65040926811cdbe2cc1e7365d94d131db60f4d3c7bebc2473637a3e3ff2377f880a527c0d6d4b36a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\datareporting\glean\pending_pings\bea0c67d-0b1a-4b40-8f08-8d9facd11334Filesize
11KB
MD540b78f3773f1d3d25d75ac32d26e6e50
SHA183439390a55b617b6bc6b561f59a3749b084cd4a
SHA256ac2585b466aeae86d40705e8d46fdbc11ee363b7721aa313dca6f796ed2951e4
SHA51235cd9741ff2c93e58391980f2b832544359ad3777d8135c215c09cdb657ab465c66cfcd645c0f2ea640df76f3e0fd32d0fe01626917f65090959457238339bba
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs-1.jsFilesize
9KB
MD58ec73d6a7eeaf0e223e97a32b96c7f00
SHA1799f0a085e875bddf122f36b139eda51a4c8031e
SHA256caeedd006ce32d387c23b8156dd28dd335a9d6a6353ed4f51c5905656ddb26d0
SHA51246350c4ddff981c23ea057052c3a6130b171036f363fc5c5f096800e84bfcdc91a4891581eac276383340761a678b1bd4bf1a100ee5ae8f76478d1e49599c9f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs-1.jsFilesize
6KB
MD560c58f7113e441ee1bf09b2582ecdd7b
SHA100fee0f5672a9f81e016cf706979d15beb9ad071
SHA25611e0a248fe29005367556603c561be76c6e1d9fd7c13dde301972c75f8c48dae
SHA5128c1734adec0282dd6a67119c438634cca1abe30bd93cf2f6d88ec603bdc22b5fe166bed008ea6d85fa39314d6c2e704d70585d99769487f10b02a2e3c841facd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\prefs.jsFilesize
6KB
MD5a7cf76c49622df9e307c9374ca2eb92b
SHA180a13416999c959175d9af478e76608137cd4d63
SHA256439a23244f7fd5cf270517ff7591b71510bfa4fb71c7e0d42c240303bf4e2cd2
SHA512dfe848f929a99a19df63b8b618030d4d6d44a85f45dc9c0d3c01bc44e6571d857c13b2ca67e28a4dcbe969c64969500a1215c7f799fe2565bb06d14e6f49ddae
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD5d7fc088ecb5985bf698ca9f1515765f7
SHA19a882f8384530023b701817cf0daa9ad1a96eb2d
SHA256967d32977e0bced7d8e7bde7100a1310b025602332dda9437754afa584cdf0fb
SHA5127efa225a61ce18671419855957e3e9cd3e38c55af581e35ae384f8459726d27d6826abf0d469d070535eaeff3f4553f869ae592b099b6e053b8c032842e9d2f7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ifb4waqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
3.1MB
MD59ee642e9e5f4cf6882463e84cf7a1d37
SHA13a1b563754065a9334dda057acc5f6ca71b458ef
SHA256e7ebf43ae7dcefb911a599b9bf7a8e38d49d8cf28ba23ca266cd756dbb702049
SHA512706c43416e49f3defd9a2e504826f02d8f944be8801c9cf160212ca2afa270b21fdfffcc479d2629f5a8b91e661f015960cee3a56eb88e5b52408ec63533b963
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.batFilesize
157B
MD5c8f8a078dace2ff4cb106803c9199643
SHA1a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA2561b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exeFilesize
1.2MB
MD55887a563351ca99247b7e2c448bd9f2e
SHA1b24695e88143863297535989900bb7521ea86d67
SHA256e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize
220B
MD561a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1e695b0c2b43c786453bf3f6ae504f0626951d281
SHA2565c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA5128ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/2616-16-0x0000000000500000-0x000000000050C000-memory.dmpFilesize
48KB
-
memory/2616-15-0x00000000004E0000-0x00000000004F6000-memory.dmpFilesize
88KB
-
memory/2616-14-0x00000000004C0000-0x00000000004DC000-memory.dmpFilesize
112KB
-
memory/2616-13-0x0000000000CF0000-0x0000000000E22000-memory.dmpFilesize
1.2MB
-
memory/3048-61-0x0000000000D80000-0x0000000000EB2000-memory.dmpFilesize
1.2MB