Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 31-05-2024 15:16
General
Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
DcRat 22 IoCs
DarkCrystal (DC) is a .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid process / ioc process):
schtasks.exe (pids 3868, 2128, 1252, 4584, 2784, 3492, 4840, 4264, 2624, 4312, 2240, 1804, 3972, 1248, 884, 2916, 3884, 664, 3588, 4728, 64)
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings by nursultan nexgen fix.exe
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is the WMI provider host, so the tasks were created through WMI (process creation requested via the WMI service) rather than by the dropper calling schtasks.exe directly.
Processes (description, pid, pid_target, process):
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 1332) is not expected to spawn schtasks.exe; child pids: 884, 3972, 4584, 64, 1248, 4312, 2916, 2784, 3492, 1804, 4840, 3884, 664, 1252, 3588, 3868, 4264, 4728, 2128, 2624, 2240
YARA rule matches (resource, yara_rule):
C:\portagentbrowserweb\Containerruntime.exe  dcrat
behavioral1/memory/204-31-0x0000000000420000-0x0000000000552000-memory.dmp  dcrat
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
Processes (pid process):
204 Containerruntime.exe
2512 dllhost.exe
5060 lsass.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 7 IoCs
Processes (description, ioc, process):
File created  C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe  Containerruntime.exe
File created  C:\Program Files (x86)\Windows Defender\fr-FR\66fc9ff0ee96c2  Containerruntime.exe
File created  C:\Program Files (x86)\Windows Portable Devices\services.exe  Containerruntime.exe
File opened for modification  C:\Program Files (x86)\Windows Portable Devices\services.exe  Containerruntime.exe
File created  C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc  Containerruntime.exe
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe  Containerruntime.exe
File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5940a34987c991  Containerruntime.exe
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
File created  C:\Windows\GameBarPresenceWriter\dllhost.exe  Containerruntime.exe
File created  C:\Windows\GameBarPresenceWriter\5940a34987c991  Containerruntime.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments. All five hits here come from firefox.exe (the sandbox's own browser), not from the sample or its dropped files.
Processes (description, ioc, process):
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  firefox.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  firefox.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  firefox.exe
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process): schtasks.exe (pids 3972, 4312, 1804, 3884, 1248, 2916, 664, 3868, 4728, 2240, 2784, 3492, 1252, 2128, 2624, 4264, 884, 4584, 64, 4840, 3588)
Modifies registry class 2 IoCs
Processes (description, ioc, process):
Key created  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings  nursultan nexgen fix.exe
Key created  \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings  firefox.exe
Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes (pid process): 204 Containerruntime.exe (1 hit), 2512 dllhost.exe (31 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid process): 2512 dllhost.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege  204  Containerruntime.exe
Token: SeDebugPrivilege  2512  dllhost.exe
Token: SeDebugPrivilege  5060  lsass.exe
Token: SeDebugPrivilege  3856  firefox.exe (2 hits)
Token: 33  664  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  664  AUDIODG.EXE
(pid 664 is also listed above as a schtasks.exe instance; the two are different processes that received the same pid during the run, so match on process identity rather than pid alone when correlating these tables.)
Suspicious use of FindShellTrayWindow 8 IoCs
Processes (pid process): 3856 firefox.exe (8 hits)
Suspicious use of SendNotifyMessage 7 IoCs
Processes (pid process): 3856 firefox.exe (7 hits)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process): 3856 firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid wrote to memory of target pid, process -> target process):
1296 -> 3220  nursultan nexgen fix.exe -> WScript.exe (3 writes)
3220 -> 1876  WScript.exe -> cmd.exe (3 writes)
1876 -> 204  cmd.exe -> Containerruntime.exe (2 writes)
204 -> 2512  Containerruntime.exe -> dllhost.exe (2 writes)
1876 -> 2248  cmd.exe -> reg.exe (3 writes)
The remaining 51 writes are firefox.exe writing into its own child processes (5072 -> 3856, 3856 -> 3900, 3856 -> 2432), which is normal browser process start-up.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    - DcRat
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1296
  [2] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      - Suspicious use of WriteProcessMemory
      PID:3220
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        - Suspicious use of WriteProcessMemory
        PID:1876
      [4] C:\portagentbrowserweb\Containerruntime.exe
          cmdline: "C:\portagentbrowserweb\Containerruntime.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:204
        [5] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe
            cmdline: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            PID:2512
      [4] C:\Windows\SysWOW64\reg.exe
          cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
          PID:2248

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:884

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:4584

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:3972

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\sihost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:64

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:1248

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:4312

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:2916

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:2784

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:3492

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:1804

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:4840

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:3884

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:664

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:1252

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:3588

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\lsass.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:3868

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:4264

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:4728

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:2128

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:2624

[1] C:\Windows\system32\schtasks.exe
    cmdline: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f
    - DcRat
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID:2240

[1] C:\Users\Public\Desktop\lsass.exe
    cmdline: "C:\Users\Public\Desktop\lsass.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5060

[1] C:\Program Files\Mozilla Firefox\firefox.exe
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Suspicious use of WriteProcessMemory
    PID:5072
  [2] C:\Program Files\Mozilla Firefox\firefox.exe
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:3856
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.0.481606486\1095259352" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a65362b-d512-4758-8e50-877670938cee} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 1852 2dafdfd8758 gpu
        PID:3900
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.1.1429527686\1646534139" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea4b75d2-1a25-487e-9e7c-f8e501f9ec21} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 2184 2daf59e2e58 socket
        PID:2432
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.2.177409307\34289349" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2900 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc4b1c03-9ab2-4f59-8d5b-e8438501fcb7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3068 2da84cdba58 tab
        PID:2296
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.3.877706393\509023690" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c1d111-a9a8-4320-9d4c-8df40c169558} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3404 2da834a6e58 tab
        PID:1152
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.4.1713544233\2081598886" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {121c761d-0db3-4b2f-86f6-5d3003b667ec} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4256 2da86a7a658 tab
        PID:4488
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.5.2125883994\1694393229" -childID 4 -isForBrowser -prefsHandle 4756 -prefMapHandle 4744 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ac7c88-bc09-459f-9b57-c1920751ae89} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4472 2da873fa758 tab
        PID:1596
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.6.306947\1751483240" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8d31a21-9a19-47f8-96a5-ca5afba8424f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5036 2da873fad58 tab
        PID:3312
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.7.2029447189\45586422" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2085fcbe-ef32-4d5b-801f-32e3cf844d11} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5324 2da873fbf58 tab
        PID:3780
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.8.748528905\377455978" -childID 7 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ad1d77-63b9-47d2-bd8f-c6a2fde7600d} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5704 2da88723758 tab
        PID:5168
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.9.950250762\1085760762" -parentBuildID 20221007134813 -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebc99e5-6da7-46bd-aa92-f1741739cee7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5d758 rdd
        PID:5432
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.10.1998504364\68965365" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6048 -prefMapHandle 6044 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d2e4c3-09c0-46b1-a539-c3b407ff8168} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5fe58 utility
        PID:5456
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.11.892419629\1309683216" -childID 8 -isForBrowser -prefsHandle 6284 -prefMapHandle 6280 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {417847ae-5983-4fd6-9bf9-b31b97319fe9} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6292 2da88ac7e58 tab
        PID:5596
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.12.2032108865\1731595784" -childID 9 -isForBrowser -prefsHandle 4356 -prefMapHandle 4280 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89ab3a5-9d37-491a-940f-55b13dd5c619} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6592 2da86aa3258 tab
        PID:5324
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.13.566393915\2040945924" -childID 10 -isForBrowser -prefsHandle 4356 -prefMapHandle 7200 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8dd735f-8f42-4df1-91ef-623338bb401f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6228 2da86aa5358 tab
        PID:4588
    [3] C:\Program Files\Mozilla Firefox\firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.14.1280319327\1185847357" -childID 11 -isForBrowser -prefsHandle 10456 -prefMapHandle 6536 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96cc1369-015a-4368-b14c-e15b6acabbcc} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 10452 2da8927aa58 tab
        PID:1144

[1] C:\Windows\system32\AUDIODG.EXE
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x438
    - Suspicious use of AdjustPrivilegeToken
    PID:664
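The script below is an added example, not part of this report and not DcRat's or the sandbox's code. It turns the report's own findings into detection logic a responder could run over endpoint process-creation telemetry: the wmiprvse.exe -> schtasks.exe parent/child pairs ("Process spawned unexpected child process"), the schtasks /create command lines ("Creates scheduled task(s)", including the /rl HIGHEST and every-N-minutes pattern), the DisableTaskMgr reg add, the WScript .vbe and cmd .bat stages of the chain, and the system-binary names (lsass, services, sihost, dllhost, fontdrvhost) that the dropped files borrow while living outside System32. EVENTS is constructed from the pids and command lines printed in the process tree above, in a Sysmon-like parent/child shape; the record field names and the one benign control task are assumptions, not data from the report.

```python
"""Triage of process-creation events from this DcRat run.

Added example, not part of the original report. EVENTS is constructed from the
pids and command lines printed in the process tree above, in a Sysmon-like
parent/child shape; the field names are an assumption.
"""
import re
from pathlib import PureWindowsPath

# Names the dropped copies borrow from real Windows binaries; genuine copies live
# only under SYSTEM_DIRS, so the same name anywhere else is masquerading.
SYSTEM_NAMES = {"lsass.exe", "services.exe", "sihost.exe", "dllhost.exe", "fontdrvhost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Parents with no business launching schtasks.exe (the report: wmiprvse.exe, pid 1332, 21 times).
UNEXPECTED_SCHTASKS_PARENTS = {"wmiprvse.exe"}

def split_cmdline(cmdline):
    """Split on whitespace while keeping "double-quoted" tokens whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def parse_schtasks_create(cmdline):
    """Return the /create options of a schtasks command line, or None if it is not one."""
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith("schtasks.exe") or toks[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/f":
            opts["force"], i = True, i + 1
        elif flag in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            opts[flag[1:]], i = toks[i + 1], i + 2
        else:
            i += 1
    if "tr" in opts:  # the sample writes the target as "'C:\...\x.exe'": drop the inner quotes
        opts["tr"] = opts["tr"].strip("'\"")
    return opts

def is_masquerading(path):
    """True when a system binary name sits outside the system directories (works on dropped-file paths too)."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS

def flag_event(ev):
    """Return the findings for one process-creation event (empty list when nothing trips)."""
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    image = PureWindowsPath(ev["image"]).name.lower()
    cmd, found = ev["cmdline"], []
    if image == "schtasks.exe" and parent in UNEXPECTED_SCHTASKS_PARENTS:
        found.append(f"schtasks.exe spawned by unexpected parent {parent}")
    task = parse_schtasks_create(cmd)
    if task:
        name, target = task.get("tn"), task.get("tr", "")
        if is_masquerading(target):
            found.append(f"task {name!r} runs a system-named binary outside System32: {target}")
        if task.get("rl", "").upper() == "HIGHEST":
            found.append(f"task {name!r} requests /rl HIGHEST")
        if task.get("sc", "").upper() == "MINUTE":
            found.append(f"task {name!r} re-launches its target every {task.get('mo')} minute(s)")
    if image == "reg.exe" and re.search(r"policies\\system.*disabletaskmgr.*/d\s+1\b", cmd, re.I):
        found.append("Task Manager disabled through DisableTaskMgr=1")
    if image == "wscript.exe" and re.search(r"\.vbe?\b", cmd, re.I):
        found.append("WScript.exe running a VBScript/VBE dropper")
    if image == "cmd.exe" and re.search(r"\.bat\b", cmd, re.I):
        found.append("cmd.exe running a dropped batch file")
    return found

def triage(events):
    """Map pid -> findings for every event that tripped at least one check."""
    return {ev["pid"]: f for ev in events if (f := flag_event(ev))}

EVENTS = [  # constructed from the report's process tree; pids and command lines as printed there
    {"pid": 3220, "ppid": 1296, "parent_image": r"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe",
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"'},
    {"pid": 1876, "ppid": 3220, "parent_image": r"C:\Windows\SysWOW64\WScript.exe", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "'},
    {"pid": 2248, "ppid": 1876, "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"pid": 884, "ppid": 1332, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f'''},
    {"pid": 4264, "ppid": 1332, "parent_image": r"C:\Windows\system32\wbem\wmiprvse.exe", "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f'''},
    # benign control (constructed, not from the report): a daily task pointing at the real dllhost.exe
    {"pid": 9001, "ppid": 9000, "parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\dllhost.exe" /f'''},
]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Run as-is it prints one line per flagged pid; the constructed benign task produces nothing, which is why `is_masquerading` checks the directory rather than the file name alone (a task that runs the genuine C:\Windows\System32\dllhost.exe is ordinary). The same function applied to the paths under "Drops file in Program Files directory" and "Drops file in Windows directory" flags the sihost.exe, services.exe and dllhost.exe copies and ignores the short random-named companion files. Because the report shows pid 664 used by both a schtasks.exe instance and AUDIODG.EXE, real telemetry should be keyed on a process GUID rather than on pid alone.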
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1619Filesize
16KB
MD58c76e38ecb0d2c86b27447f23c76cc7d
SHA1d294d68a7d8e3a2038bb66e779ab162ef1b94a31
SHA2560faf4eeb909126d8275cc21eeee4e70f704f3882d9e1b27faa9666add0c690dc
SHA512d6ffec013aa84fd683155a16984db60747505c9b4637cadd0cb78d1ce9841bfa72deac2f4626c0a8135d02438e251b1296a75f5f833e55f578048e679df58a87
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1788Filesize
19KB
MD5c90faca4ac7410e5e1c1e32670964aaa
SHA1448ec45fb0a7075e469bed9688bfd35e5921445b
SHA2564d644b98773a5c7622eb09a4028fe6c31cdd7962d3f701a6380c14e11bb54954
SHA512d7e911e11a450a0406a0ae8f92ca1b20bcfb04f36622581ddbae4dadf1cfa431e0098f6b0680bdba754c72b31f830fd5f5f5827292df5fc3e52137818e6ad204
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\26742Filesize
15KB
MD5a3e2a9afea17a90fd04933a3075a8e0e
SHA1790846a3080836264f17752f00da6a90768d33ce
SHA2563616921e5c60fa4ca957fd2acbd5ec7ab7c2983d2cc301b3956a9ef202312746
SHA512cfaa0b787acad290f05770f109fa63572231b0342db15987a57d9eb145e04b5adf3fff773201511fffbada1e15c1e83de4c3c03c19db6d9898538825c1441974
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\3226Filesize
15KB
MD56d3fe88da0cb85d1876c89703afa799b
SHA19c857095997142d3b6e7561a72a21927d8e20504
SHA2563a8094b637f78af6853e7088493da0b5fc1ec544d31e356a1199bbdb5e30e407
SHA5126e189ccb3e6bc1e090a11b876b88aa26f218d0099657c995d2f95e3eb38d4ac7809b8113474031160594798fac818693181cd59232196f831c2d3837a820e82d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\B3316860430DA0966649580110E85D2FFB7B5A61
Filesize 23KB
MD5 963552580a1ff3625d7dac3cdc766809
SHA1 02edc160d61b35234ddc79b2cd83ee3a69c6efc4
SHA256 ce55597104485c4d5f941ec6593e874d51915460b2bb0989dffc2ca3142f362b
SHA512 938597699f6bea4e2d6874895e4d558ebd0fc6deb150c3bbd679a862cfb2a342b86e069cfd4a24a77ebfe89fca94c6ef64e2b0e43e94f94b4c0b5959d22c9dc0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 132011ac6cccb63bd6dbdf33068f0d6b
SHA1 14d922bc9a1b3fca8cfd15a60c7dfde045f63626
SHA256 1771fbda91e79384589e2596f89348f1b8bac26b767de96a386d593a5d61b452
SHA512 6d3e3ee55f80bc07ac9d10f266bee365dc3b5aa7264056701f0ac4c6fd5d5791321ef0f05b14adba5af6618771d8c7bb3cdbc9e79ad267bb57530ba58124226b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\615f9224-3268-4337-9374-c1dc7f852c8a
Filesize 10KB
MD5 aef1d007a467f5cf27098023e49518bf
SHA1 2ea52fd20a2e480f7607e8af237134b99bb6c1ab
SHA256 c478a05ceb02021724bc2d790ee2d8385a487aba594731c50b525e943a4a8f60
SHA512 53a98cae60ae27e456f3c5f33efed68048339932859e0e8441ecba0b1efe96d645c5e9bd6ec9356278842f61b4434a94448db6c172027e0b775cf746d23b3006
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\efe87705-e89e-42e7-b3e1-d25db96bda79
Filesize 746B
MD5 d06f3e3b25a759191aef2bca5d5f02b4
SHA1 9cb2099d33498470085c961760c1f8eeaf6bae03
SHA256 ca00876d67d446642f3ed73023d04ff2a8e4b4001db896127c696d199610361c
SHA512 5525521a002a35186bd13bd185d25b6380c90a4d86714fe0f42ac4f4d790205566ebcdba9e6178c4632b261e8b5aac4a096f09d74de82e62726e6165049aea3a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js
Filesize 6KB
MD5 729bb85a798dd9496cced39fb7fe086f
SHA1 cf8d42d75ded9dee6b276e4fd038ff253a753b41
SHA256 dec5c5455e6d74c2743311f32f29d7c274bc4ce2bb78b0d30217544ad062425a
SHA512 f31ce7ceda8072c56a3f234e4626b46b94a0f7e7f5cfd17eb7d6130fc7d3295dd86d8a755b49cbc9f48c6f4d0f233ed0c529ea3aa12155e56de7d945bad01a62
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 1KB
MD5 47725092e8694c84a9f4ad473f166626
SHA1 fd81a7a0668236185f16d65db6c408c0e8f6f4d9
SHA256 c93100b088228040179da7bb2f50136ea09b4364be23b55f8e51e6436c89582f
SHA512 38d765b70cd679ff035741345cc0f0f4a13b73dff12576cca4853d86fe78ad5f8a23f58668a9977a5f11f3c1370b7d8458bfacb05c2b41d3932aa8cd516a9119
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 12KB
MD5 2d8dd2f5738d42b16f7877876ab1f5c2
SHA1 2640a254e78db2b95211f2928660f5640f691774
SHA256 e40bd6c15522145c37ddcd4288eba1e9cd8f4af0d615c233722aab4a570a44a5
SHA512 f9a249567dc0881322e2e5d77a6b1ade93fcfa3efce4183fdb7c8c08162fa4a8f8a82cb0f98138451a23354ca0b41aea278a3b09c6b27565fd1c8d474c8b09d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 12KB
MD5 ca178bddc62dbcbc4a7f4eda6db1d846
SHA1 f03cca73fd1f95c8b97e28d46509e85d2d355202
SHA256 4d90f225e793df4fe9f982d6992bf25229b705d5e1de565a91d5ae083beddd06
SHA512 0aff9a7552a148e2d5bd7ac6ec3280eca0002f07966a23adeece216ee76ad3413d78036aff1ff5001ad7c84de9d305796740067b803eb7ebcc5751a5bb0d5f8b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 5KB
MD5 c665de8863129119063d846304404cdd
SHA1 fdc61098846cb021767f44c173b3f7e3685fe6df
SHA256 dc02f8229657368727dd3680ddff64b90e113676232ed7683b521718e032ddc6
SHA512 5f92afb4fde6d251415ac6534689ac385c6aced695de0729337cb769f9b7ba68e2f4cf38d024243327e68666b6b61c4c6cb527d36b16a2a73bd83673f596ff07
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 12KB
MD5 075d94e75d4d19e04d22ddc3b7bdff92
SHA1 c6b72b8aec012ea30ce8b9baa396c124cdafe35d
SHA256 573b4acfdc0b941cee66dfce101c550eca8af751a3237f34d0c02381f3cb9b8b
SHA512 11d091ac738c881ac9f9e9fd62aa2b726354f3d513a3cf8a8ab84a218f11b26d87d211bd48d5a919691c3a563512edf5b444470d76d3788c563fd488a16eeb8e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\124\{67370385-2399-4edc-801f-9143f393c47c}.final
Filesize 4KB
MD5 c27db3d65048003ad8ef29962ff2d691
SHA1 5bb939f6c5131a93d52da46aa855cd28e3903c81
SHA256 b7e3fb38531eb7a38f67e7ef1562b58bac2cb971940450c11b9f3846927c00a6
SHA512 5e1d75bec2e03a96a92f0d8fec19a0f49b8a88992ea74567eb09b5a823ce57a6cec642c24a6586314672c6cdaddfb1e7d28c8278abbc8412b32974560a493219
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\127\{f796a8c8-7e7c-4c70-875e-f8dab310657f}.final
Filesize 78KB
MD5 33eb9f44045c5d260694dc8176423e6a
SHA1 8605385621c6170d391ca3c431c2f77d5389ce81
SHA256 d7e5351d8c0acbfda74aec3664eb73337428df65518a38bd45b6554431c159df
SHA512 01c280bf24755e8e9e6167be2cd2d842ea530ef64eaf5bcb59fe7f5cf1f1cec84804e302b702938c3aea273bd204682308c5c1df7e1945c88c90bb1e6cfeb513
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1321911027LCo7g%sCD7a%t1a2b6a2s.sqlite
Filesize 48KB
MD5 cee44dd65c713efe020fef8ace21a072
SHA1 2c61d148b4ae437d6e4d3eaa9b7a8224cebd66cb
SHA256 7b446fd5104ce9207434c527a697fdb2b08852edd2f4b85f6de56af9ae15c846
SHA512 59b11eb9deef79ee37bebb38da3148bae3d23a99fca363ac3744e1105a1f1fa999fb60985afcd832b7ee38b272ee1beeefa87a0042e9ec6cf722ef876cc77713
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite
Filesize 64KB
MD5 6e11afa736b3efe3df832f145258901a
SHA1 f51a383183b05a11078c50273ec48b9ec854beb8
SHA256 9006517d4fc231d10a6dbd903bc80570542de2f5e3d3b958545ae572030fee2a
SHA512 9b6de88fb62daff3d1f3e99421afb420217bbf2ceeee57e7ef6f0aef018ba8f0403147389a1e5db5e1dedc958d17ef0c2fcfd49ce58e10c405e23df944e92dc5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite
Filesize 48KB
MD5 ea22d50638c9ad5d88c5213179a2c8e7
SHA1 edcb3de510418e3d3afa7c7b6b87da5f9c885a9d
SHA256 ae60c9add684f96cff31352bbf45583a8792d54f9940fa1088fae753d0d86ebe
SHA512 66fb0b752664da366d8096387eb46ab3fae752eb4be0b7979c103b51fa9af044467b6a0c8b36a62375ef5e8b0d60f81359b45f7dacff33935ebe6a60166f2bce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
Filesize 40KB
MD5 bc3a8aca7fa6351c2c1484db1b82f165
SHA1 ccc5ed7b2abb091a0d32e8691899842fd6313875
SHA256 785e07edefd4b6722adc4fa8b58c5a9b4d06708e93a080f13dd54633cd0177a1
SHA512 9a244823ca81250efddaf5860192b75da90fd6cd5ef740c73f1a202f6c7a2ad0562aaddffe01d0d435f7bc74f644c2b88c3c3c0f3395676425a398c7ead4b8cd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize 184KB
MD5 3018d1aad8385b734068dbad441e344e
SHA1 2a3925bc92ec843db64b6db2cd6fe18ccf084a86
SHA256 f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
SHA512 7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0
-
C:\Users\Admin\Desktop\CheckpointFind.vsd
Filesize 552KB
MD5 2e595558361527240ecabc59bce9b060
SHA1 7dc73a34f7c45d29c03ba9099f68ad7afa0166bc
SHA256 21c4b0a1695c1b8e7adfafaff8e09ec18f3a59236eb387cd2e4f0893f8a05ab3
SHA512 6e970b91532ed72f756ddc15c4f6c7fc0e9b48e36a0d0c058d25fe2e54151de066fd5e0a1cdb946b4b12966cc2eaa96439d006fb291403dcf47c0f946ad15a88
-
C:\Users\Admin\Desktop\CopyOptimize.css
Filesize 228KB
MD5 f7586966d0a73f60c6de70cab89aebaa
SHA1 e3801be9df83d3dd8eca8b6bbb63d96cd2168046
SHA256 5ed9d0f307ba2e3efc709f1abc74240b4437696c702ee96d5f996d32afb8b7e2
SHA512 7dc96f446fd9b774a9f907787920371f7b232636dd506469005c1bc2d92f48500fa13d2e8919c033ea018d14e73ee014e6bce8103079ca8442d58179b6eae074
-
C:\Users\Admin\Desktop\DebugRepair.WTV
Filesize 418KB
MD5 846818ae4243350f63a8339f5ff77a72
SHA1 6e92117ffb6c2bb6330bcf336c35133c35f46fbb
SHA256 64d85d31db23ce47cdea5e9f4ff573daee11382a231c55cea43f35a5b2340d54
SHA512 974b4ab3944510b8cc09b464120d004b6ae2e9c5991f59d097f61090e9f19cfade91fe01da0f037d1570d8f1c04c3ed6dcfc29445b6ebeedc6ca4802ee5798cb
-
C:\Users\Admin\Desktop\DisableAssert.midi
Filesize 361KB
MD5 75b949d648f1f07fbf8a7cd680027ba5
SHA1 c86a3ce1ea6738f78cecbbc2fa09c80d20ca6b2b
SHA256 8f37b2b8acde799811fc96dbd374e6975fbf9ac8dc0b8c2e44b5d5b580222a02
SHA512 60adabb6e14049d866f0f8d4805b409fe8e78cece56640ea17c02836a98d0ed1e8646f7a01230cd114bec95647d3b0e803afaf0be552ce54e27f8561bb9c905f
-
C:\Users\Admin\Desktop\EnableFind.mhtml
Filesize 571KB
MD5 a801329739f5164b4beaf1a73b016a60
SHA1 fea3451cd1811f474de730505a765ebf1178b60a
SHA256 5ccebc72b58194eda04c58b2ce67461fa7e20c696d857a1cad581711c87ef60c
SHA512 7b5cf75e0e0dbfac5c18cbff2458da45c039eaef610407befe68a5405676f8f7d75f6c56d86edad5f694cc4abedbbe51d8db91af552cc136a636a26ae2b9ffa4
-
C:\Users\Admin\Desktop\EnableSelect.kix
Filesize 342KB
MD5 c4a63dd6610867f85de77d82fc2c0a49
SHA1 892ca5708a93de8bba70d0c98610afcb43c4cdac
SHA256 65a243d3b20f5ee3c30a48b676bc7acde15ed4b70245c0932605f5d981f7ca2c
SHA512 0e93a576a4d6aa01ed87e1d8b91cdf537941779e53a3d0302432ca91b87e8a92763f3fc9392f537c44e1017fbe032d1829f64c1b9c6ec76f9ec93ca5ec2b3716
-
C:\Users\Admin\Desktop\ExitConvertFrom.zip
Filesize 304KB
MD5 175e9c921eb077206b7b2aaae535adc4
SHA1 2250d53d896d42b445e175f5a3ef7e3df937438b
SHA256 169f26aadcc0626e511dfb5c33b148b0e7f2fc858d0298309962c27af8669438
SHA512 ae1a8ce4c422592ff37a2908b68adac31efa6fce0c7e04edcb408701633db12558521883d197af63dd40c9df1f7f6ebc4c167d5c30998c38c76d191bacb53ef3
-
C:\Users\Admin\Desktop\ExitDebug.mpeg2
Filesize 495KB
MD5 3647160f89e01681aed2fd9906535c51
SHA1 46b0775677ec195941f2371ced327cd2721654be
SHA256 a5feb1a9c8b722e56e5b41353ec7dc7652d8ee15074df49bc531b59bbfa27555
SHA512 32f2ce9ff59833ca67ba11ea72d221a062e47903b7f4d973187cfa58d9b3541ee7526dd15abd70220425ea9542bb36cffff3fe20e8a5ca9e67ee7c6017c4941b
-
C:\Users\Admin\Desktop\FindConfirm.vst
Filesize 247KB
MD5 4f96c120426ba4efb2fd73f6574e0ded
SHA1 ffedb793ebef8430d8534c6234ca5dd413d8f86a
SHA256 857180bf69a23a510620d2802b454d1aad692e241fd54b0f7a7c02ba8fa1ae5d
SHA512 c19e427ed7e25f381b780300f8839a51f2ab5f9127dae2b9260d818a61b63c82d59b2f72f3a4d42aefdee7ae8ce0c631fd310f2fcc7785e53f0210351d30d13b
-
C:\Users\Admin\Desktop\GroupRestart.WTV
Filesize 323KB
MD5 4cf0fb081685764817d1ae513f40b800
SHA1 03dd764196538139ef753ed5f81af161a161a315
SHA256 97aa4e123d5e68112fd10427b1cf93633f22bb32a6b9c28a9fec25cc273cfe0b
SHA512 04154d92a870dd698a147077bbfeee48a695f03c91358b69b3e040fbf268df8b77bd8e267a919ecd8bddafe32b95708a9f2abd21b290f58067f9f0056d18469d
-
C:\Users\Admin\Desktop\InstallDisconnect.ico
Filesize 399KB
MD5 4c2c7ef348b3fc5190fb27a026aff4ec
SHA1 98a99bc4fe1f064b8f451db9304fc0162b2787eb
SHA256 f2d847d544b6b23012fe6c45f01c0b92b7deb2c72b5880a6291d58d188c586eb
SHA512 d507beb5b6c150ff9b8b08cc346ba0394c7382aacd22ad7e5ebf24f0635d7539106a14e62821639876c18ba379e8d466bb3ddec599714fd58a0a209fc020074f
-
C:\Users\Admin\Desktop\NewInstall.asf
Filesize 437KB
MD5 6aeb6338ae381491c13348d5be57e53a
SHA1 89f11fb38db5009bd236aaef15f605ed4d2f49d9
SHA256 b8d7f643a841ff163571f749afaf163d5d1b393771923a3fbc8685c608014788
SHA512 d02c684db7d01b24cb6872906469406b7746c3c38bd0959a2b5f594222df9ba7400e3da0b66658155b186cf2c10092983ab331f6ba10615d241b68dc3068cb05
-
C:\Users\Admin\Desktop\ResizeEnter.bmp
Filesize 533KB
MD5 f32bd09c92d971eb952a60e8a02eb9d3
SHA1 6a09fc5c002298b2b0b287294ed37f53c4415d16
SHA256 6d9269aeb5d551008bdf2c74546d92b9749378efd9cdc44206a97825eb6fd497
SHA512 466a89851b6404cbce72d2a490efc0e7888ee5585e99ccb970759030d5219681fd6e05ae06a78e4815156690675433a5b459ca4a3f8077c9c13a381ca1af10ed
-
C:\Users\Admin\Desktop\ResizeUndo.temp
Filesize 380KB
MD5 8c4a9bb4b17f6d8eca8b4f4c3aefa03d
SHA1 5e9f1fa2bea4e17a745fcdbbf346319142b1497f
SHA256 14ffad2a6d867fa5f978a44d3f871992066b34b2fe3f437ae8987d3e24068119
SHA512 05698b91a1784c1df4eddafa44a467221be9266b38ed25823448cd75c99b676d40c2b41a1038a9cbe816fc34bc4f966337d6a2fd2e71f4bc6b08ec9d701f120c
-
C:\Users\Admin\Desktop\ResumeLimit.exe
Filesize 514KB
MD5 f2f76be946a631710ea2a201593f79c3
SHA1 d2e8685b9a474a976f4422cb77c0f59977e8caac
SHA256 404682f8ac9eeecf7a82a7b2b25791e86c9b2387c346976d8320e67b6d1940e0
SHA512 d697c9ecc3767b1d7004aa5383055e8580196f0e7d5bb92c790b52dd244e80de66ce251abccb09d625d797b83e8989381c9dac0cae9cdd7c8d7f24881454302d
-
C:\Users\Admin\Desktop\SelectUndo.kix
Filesize 266KB
MD5 4341403840546f70b64c3574debca10e
SHA1 45dcd506e097fc1bc3ed2d939d0b1920db1364d5
SHA256 22026de915aed71f9d2dd69fbecb68c778a0b3c5d58d093d06c2e45239909994
SHA512 6b9b6fdaf3d480a36175148e0d5f816bf92fccf47e3ff6fd8f83955aad216a634be275926ee86c5ee6d78a26c99c4b3c187dd783550e31c75e72536e4e640943
-
C:\Users\Admin\Desktop\ShowRead.css
Filesize 456KB
MD5 c7811acc035bfe9850c3552a3f4ce23e
SHA1 d464d0960eb6c35efd9a4d79b3d98ba25c52d6bc
SHA256 c2745a2a3552ca7e1bc390a895e87304b9386ebbd96956d18d68fae45542ceab
SHA512 92546c9830bfa51a5d9088d50f0e4519df16f237f18469035bc642e60a4ae72d1157e38efd4b9df3f1c4853c2a96941e0ecbd754e1e4786024978e0e6ce7c8c0
-
C:\Users\Admin\Desktop\StepConvert.wpl
Filesize 818KB
MD5 9021b03cc7327fb57fd55a4e672c9c44
SHA1 e7f42aac023051592be0cd7c9af4cace1d0ec354
SHA256 2f6d625f52bbb8e062e5e2c0afb611dbd4f1d443b39ff3216130ecec65533f10
SHA512 acaddcbe9299f6be917e65b24d4013f9abf7d3299b40c7c5dc6ea96edefd042ec876de55562c3f41e69f4d21814c82ee2d70020bd58cde393116dc6ab57e9b00
-
C:\Users\Admin\Desktop\TestSelect.ram
Filesize 285KB
MD5 1a400cade36460a5cc62f56eec131ada
SHA1 f93228bfeb01141284aebc125acfe41ef8a050f5
SHA256 d3f9d9784912eb389b652372fc8a5b35ee3268164466b7ba6560a094e073208d
SHA512 8d66d0baaf6a13d3e2990ff92dc0304ca5265a6e28ec02edff9217b8946ac29c6d8c226b37bdc1f36bf37331f3fd71eea7af8d96475a8b3cdf56e89b42e7dfb3
-
C:\Users\Admin\Desktop\UndoTest.xls
Filesize 590KB
MD5 6c06ec0839f54841d3d0fcb21138a62a
SHA1 0976d1c84b8b1944e2ecae56c80b503b1a1f7c58
SHA256 a549ab1f3620572e2796b7260c0367efb2e0a29c0630cefd1992dc18714284b8
SHA512 f7fbd84b35e6f59cd02e0477f2e1297e735ba399ac71a233186270703281e68319b845f13ddfc499d7448a90ebfc576734622d9a2c74f1e0d6159c0b84fc51d5
-
C:\Users\Admin\Desktop\UninstallOptimize.search-ms
Filesize 209KB
MD5 ec684e028a01eb0e803489da0a866457
SHA1 c202f908a6e16ead026fd1cb1314447d69b27fe7
SHA256 92e06ec88df5e8842e19993ee5dc0620c40e6502e5ac1a32f860b01756061211
SHA512 140a69b0a82ad6a7cb8d5cfbedfc3a4c3421b3aa4fd0240822115140b2db607e2197cf86ed7e54278714b1a35e553951bb7cff5183735f1c7469a73ddd99d3dd
-
C:\Users\Admin\Desktop\UnprotectMeasure.avi
Filesize 476KB
MD5 80eda092b60bf30f3080e0fcafa84f8c
SHA1 2f24a10e3963f4a7229a034db7d80c7c19735475
SHA256 53769fa13c3161e84f01fbfea2480c46506e23e0cbca3505f48e2dd9057d1ce5
SHA512 ca61fe0dc8650c354bf4ed3ac8eecbe94245a20fd934054d1054f45a823e1084ef03ad64f685645131d230c4ac6db02dc6429f8d407f2caebc27ea945d140e0d
-
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize 2KB
MD5 38e83dddf1c2efa3f4e42d486ebd1c03
SHA1 9cc77e42c2a72556e5d1f6d44bb9f56773d8f030
SHA256 fbda9fc0d5d4ca691735b590da38f0e6f1d441698bc5e0e539a45c0df4153b4f
SHA512 aa84300db92ca3ea7608b6b5b1deaf9ba34af9720998656773c8314470c9dae22622375f1e8c76d12fe10754d98c0310b257aeb88ea8b666ce28176ae727fe89
-
C:\Users\Public\Desktop\Firefox.lnk
Filesize 1000B
MD5 2eaed728d783be1daed7a070467bdf0b
SHA1 8b8111966966fc92271af429997d978c84e839e7
SHA256 9f637c5801f974a88f72cc8190002746b1136dc564f6e6082c4baaf72518ffb1
SHA512 13d12228abb8425393cc55b5e7eabc3823bb030adf6cf18b03a6d4d85e556d21ef5bdf6a390044f57c1254343d9d80adc679f12432deb7b23b79fdc4a5948c24
-
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize 2KB
MD5 e36f3abf1b4fe80fc5c8966c916297ae
SHA1 df490de100de3fb8630f55fdb55c1030c4a084f0
SHA256 74fb6e084786e71f505aa28a9ecc25086eea396cf18ec2f049f8380e41ff55b2
SHA512 9888ed46a5ca3604f65e9c4fb3d90f98c01e151ddccc3774a4a4f47ea03147b5e14f4752a98842d83cae3135e23d82faebd5b88ccd51bc4441268274c34c6be0
-
C:\Users\Public\Desktop\VLC media player.lnk
Filesize 923B
MD5 eb3ad8641e3385134298c82297774712
SHA1 d6e1bd8d2646de3a13c0444116dac37e8c28f3a5
SHA256 54f420f24220ff1225260bb3b71f044f34a46af821515295b487e78fdb7485ac
SHA512 02fc4e7f66bf22cf05d6231dc95af211097e188b989a118e3142e127b4a35a8da5b903371f68660d67f6f59179e6542143277cd3f8e05bf1752a6831d6d0296a
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
Filesize 157B
MD5 c8f8a078dace2ff4cb106803c9199643
SHA1 a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512 efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exe
Filesize 1.2MB
MD5 5887a563351ca99247b7e2c448bd9f2e
SHA1 b24695e88143863297535989900bb7521ea86d67
SHA256 e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512 b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
Filesize 220B
MD5 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1 e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/204-31-0x0000000000420000-0x0000000000552000-memory.dmp
Filesize 1.2MB
-
memory/204-32-0x0000000002730000-0x000000000274C000-memory.dmp
Filesize 112KB
-
memory/204-34-0x000000001B670000-0x000000001B686000-memory.dmp
Filesize 88KB
-
memory/204-33-0x000000001B6C0000-0x000000001B710000-memory.dmp
Filesize 320KB
-
memory/204-35-0x0000000002710000-0x000000000271C000-memory.dmp
Filesize 48KB
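The listing above is the sandbox's dropped-files table as the extractor flattened it: each record is a path with the label Filesize run onto its end, a size, and hash lines whose label may be run together with the hex value. The Python below is an added example, not part of the sandbox report or of any tool it names. It parses that layout (fused or label-per-line) into records, refuses hashes of the wrong length so a truncated value cannot be copied into a blocklist, and separates the SHA256 values of the three files written to C:\portagentbrowserweb\ (the .bat, .vbe and Containerruntime.exe entries) from the browser-profile and Desktop churn. The embedded sample is constructed from entries on this page; the function and regex names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Hex-digit counts per algorithm: a value of any other length is a truncated
# or mis-joined hash and is reported rather than accepted as an IOC.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# "MD5<hex>", "MD5 <hex>", or a bare "MD5" label with the hex on the next line
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s*(?P<hex>[0-9a-fA-F]*)$")
# "Filesize [23KB]" on its own line, or fused onto the path: "C:\x\a.exeFilesize [23KB]"
LABEL_RE = re.compile(r"^Filesize(?:\s+(?P<size>\S+))?$")
FUSED_RE = re.compile(r"^(?P<path>.+?)Filesize(?:\s+(?P<size>\S+))?$")
SIZE_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)?)(?P<unit>B|KB|MB|GB)$")


@dataclass
class DroppedFile:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)   # algo -> lowercase hex
    problems: list = field(default_factory=list)  # malformed hash lines


def parse_entries(text):
    """Parse a flattened 'Dropped files' listing into DroppedFile records."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, current, i = [], None, 0
    def take_next():  # a value the extractor pushed onto the following line
        nonlocal i
        val = lines[i] if i < len(lines) else ""
        i += 1
        return val
    while i < len(lines):
        ln = lines[i]
        i += 1
        if not ln or ln == "-":
            continue
        h = HASH_RE.match(ln)
        if h:
            if current is not None:  # otherwise an orphan hash line: skip it
                algo = h.group("algo")
                hexval = (h.group("hex") or take_next()).lower()
                if len(hexval) == HASH_LENGTHS[algo] and all(c in "0123456789abcdef" for c in hexval):
                    current.hashes[algo] = hexval
                else:
                    current.problems.append(f"{algo}: {len(hexval)} hex chars, expected {HASH_LENGTHS[algo]}")
            continue
        lab = LABEL_RE.match(ln)
        if lab and current is not None:
            current.size = lab.group("size") or take_next()
            continue
        fused = FUSED_RE.match(ln)
        if fused:
            current = DroppedFile(fused.group("path").rstrip(), fused.group("size") or take_next())
        else:
            current = DroppedFile(ln)  # bare path line; its Filesize label follows
        entries.append(current)
    return entries


def size_bytes(size):
    """'1.2MB' -> 1258291; None when the size field is unreadable."""
    m = SIZE_RE.match(size.strip())
    return int(round(float(m.group("num")) * UNITS[m.group("unit")])) if m else None


def select_by_prefix(entries, prefix):
    """Entries written under one directory (case-insensitive, like NTFS paths)."""
    return [e for e in entries if e.path.lower().startswith(prefix.lower())]


def sha256_iocs(entries):
    """(sha256, path) pairs for every entry carrying a well-formed SHA256."""
    return [(e.hashes["SHA256"], e.path) for e in entries if "SHA256" in e.hashes]


# Constructed sample: entries copied from this report, deliberately mixing the
# fused layout with the label-per-line layout so every branch above is exercised.
SAMPLE = r"""C:\Users\Admin\Desktop\ResumeLimit.exeFilesize
514KB
MD5f2f76be946a631710ea2a201593f79c3
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
Filesize 157B
SHA256 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
-
C:\portagentbrowserweb\Containerruntime.exe
Filesize 1.2MB
MD5 5887a563351ca99247b7e2c448bd9f2e
SHA256 e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbeFilesize 220B
MD5
61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA256 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
-
memory/204-31-0x0000000000420000-0x0000000000552000-memory.dmpFilesize
1.2MB
"""
```

Running `sha256_iocs(select_by_prefix(parse_entries(SAMPLE), "C:\\portagentbrowserweb\\"))` yields the three staging-directory hashes and nothing from the Desktop or memory entries; any hash line that parses to the wrong length lands in `problems` instead of `hashes`, which is the check worth keeping when copying values out of a flattened report.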