Malware Analysis Report

2024-10-10 12:53

Sample ID 240531-snfckacc7x
Target nursultan nexgen fix.exe
SHA256 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
Tags rat dcrat evasion infostealer spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

Threat Level: Known bad

The file nursultan nexgen fix.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Downloads MZ/PE file

Disables Task Manager via registry modification

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Checks processor information in registry

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 15:16

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 15:16

Reported

2024-05-31 15:18

Platform

win10-20240404-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\66fc9ff0ee96c2 | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\services.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Portable Devices\services.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5940a34987c991 | C:\portagentbrowserweb\Containerruntime.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\GameBarPresenceWriter\dllhost.exe | C:\portagentbrowserweb\Containerruntime.exe | N/A
File created | C:\Windows\GameBarPresenceWriter\5940a34987c991 | C:\portagentbrowserweb\Containerruntime.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\portagentbrowserweb\Containerruntime.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\portagentbrowserweb\Containerruntime.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\lsass.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1296 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | C:\Windows\SysWOW64\WScript.exe
PID 1296 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | C:\Windows\SysWOW64\WScript.exe
PID 1296 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe | C:\Windows\SysWOW64\WScript.exe
PID 3220 wrote to memory of 1876 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 1876 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 1876 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\portagentbrowserweb\Containerruntime.exe
PID 1876 wrote to memory of 204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\portagentbrowserweb\Containerruntime.exe
PID 204 wrote to memory of 2512 | N/A | C:\portagentbrowserweb\Containerruntime.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe
PID 204 wrote to memory of 2512 | N/A | C:\portagentbrowserweb\Containerruntime.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe
PID 1876 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1876 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 1876 wrote to memory of 2248 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 5072 wrote to memory of 3856 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 3900 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 3900 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3856 wrote to memory of 2432 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe

"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "

C:\portagentbrowserweb\Containerruntime.exe

"C:\portagentbrowserweb\Containerruntime.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\dllhost.exe'" /rl HIGHEST /f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Users\Public\Desktop\lsass.exe

"C:\Users\Public\Desktop\lsass.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.0.481606486\1095259352" -parentBuildID 20221007134813 -prefsHandle 1772 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a65362b-d512-4758-8e50-877670938cee} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 1852 2dafdfd8758 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.1.1429527686\1646534139" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea4b75d2-1a25-487e-9e7c-f8e501f9ec21} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 2184 2daf59e2e58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.2.177409307\34289349" -childID 1 -isForBrowser -prefsHandle 2872 -prefMapHandle 2900 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc4b1c03-9ab2-4f59-8d5b-e8438501fcb7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3068 2da84cdba58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.3.877706393\509023690" -childID 2 -isForBrowser -prefsHandle 3384 -prefMapHandle 3380 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6c1d111-a9a8-4320-9d4c-8df40c169558} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 3404 2da834a6e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.4.1713544233\2081598886" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {121c761d-0db3-4b2f-86f6-5d3003b667ec} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4256 2da86a7a658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.5.2125883994\1694393229" -childID 4 -isForBrowser -prefsHandle 4756 -prefMapHandle 4744 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5ac7c88-bc09-459f-9b57-c1920751ae89} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 4472 2da873fa758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.6.306947\1751483240" -childID 5 -isForBrowser -prefsHandle 5048 -prefMapHandle 5052 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8d31a21-9a19-47f8-96a5-ca5afba8424f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5036 2da873fad58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.7.2029447189\45586422" -childID 6 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2085fcbe-ef32-4d5b-801f-32e3cf844d11} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5324 2da873fbf58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.8.748528905\377455978" -childID 7 -isForBrowser -prefsHandle 5696 -prefMapHandle 5692 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ad1d77-63b9-47d2-bd8f-c6a2fde7600d} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5704 2da88723758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.9.950250762\1085760762" -parentBuildID 20221007134813 -prefsHandle 5692 -prefMapHandle 5696 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebc99e5-6da7-46bd-aa92-f1741739cee7} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5d758 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.10.1998504364\68965365" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6048 -prefMapHandle 6044 -prefsLen 26328 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4d2e4c3-09c0-46b1-a539-c3b407ff8168} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 5916 2da88b5fe58 utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.11.892419629\1309683216" -childID 8 -isForBrowser -prefsHandle 6284 -prefMapHandle 6280 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {417847ae-5983-4fd6-9bf9-b31b97319fe9} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6292 2da88ac7e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.12.2032108865\1731595784" -childID 9 -isForBrowser -prefsHandle 4356 -prefMapHandle 4280 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f89ab3a5-9d37-491a-940f-55b13dd5c619} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6592 2da86aa3258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.13.566393915\2040945924" -childID 10 -isForBrowser -prefsHandle 4356 -prefMapHandle 7200 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8dd735f-8f42-4df1-91ef-623338bb401f} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 6228 2da86aa5358 tab

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x438

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3856.14.1280319327\1185847357" -childID 11 -isForBrowser -prefsHandle 10456 -prefMapHandle 6536 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96cc1369-015a-4368-b14c-e15b6acabbcc} 3856 "\\.\pipe\gecko-crash-server-pipe.3856" 10452 2da8927aa58 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0987415.xsph.ru udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 26.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 44.237.98.207:443 shavar.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:49866 tcp
N/A 127.0.0.1:49873 tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 207.98.237.44.in-addr.arpa udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 8.8.8.8:53 youtube-ui.l.google.com udp
US 8.8.8.8:53 youtube-ui.l.google.com udp
GB 142.250.200.14:443 youtube-ui.l.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 216.58.212.214:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 214.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
GB 216.58.212.214:443 i.ytimg.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.27.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
NL 142.250.27.84:443 accounts.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 84.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.180.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.180.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 2.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 216.58.213.6:443 static.doubleclick.net tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com tcp
GB 216.58.201.106:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 static.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
GB 216.58.213.6:443 static.doubleclick.net udp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
US 8.8.8.8:53 6.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com tcp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 suggestqueries-clients6.youtube.com udp
GB 172.217.16.238:443 suggestqueries-clients6.youtube.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 youtube.com udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 142.250.200.46:443 youtube.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
US 8.8.8.8:53 photos-ugc.l.googleusercontent.com udp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.180.1:443 photos-ugc.l.googleusercontent.com tcp
US 8.8.8.8:53 photos-ugc.l.googleusercontent.com udp
GB 142.250.180.1:443 photos-ugc.l.googleusercontent.com udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-5hne6n6e.googlevideo.com udp
NL 172.217.132.232:443 rr3---sn-5hne6n6e.googlevideo.com tcp
US 8.8.8.8:53 rr3.sn-5hne6n6e.googlevideo.com udp
NL 172.217.132.232:443 rr3.sn-5hne6n6e.googlevideo.com tcp
NL 172.217.132.232:443 rr3.sn-5hne6n6e.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hne6n6e.googlevideo.com udp
US 8.8.8.8:53 232.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 rr2---sn-5hneknee.googlevideo.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
NL 74.125.8.71:443 rr2---sn-5hneknee.googlevideo.com tcp
US 8.8.8.8:53 rr2.sn-5hneknee.googlevideo.com udp
US 8.8.8.8:53 tpc.googlesyndication.com udp
US 8.8.8.8:53 rr2.sn-5hneknee.googlevideo.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.225:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 71.8.125.74.in-addr.arpa udp
NL 74.125.8.71:443 rr2.sn-5hneknee.googlevideo.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
US 8.8.8.8:53 lh4.googleusercontent.com udp
GB 172.217.16.225:443 lh4.googleusercontent.com tcp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 googlehosted.l.googleusercontent.com udp
GB 172.217.16.225:443 googlehosted.l.googleusercontent.com udp
US 8.8.8.8:53 34.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 photos-ugc.l.googleusercontent.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 bestsearches.net udp
US 8.8.8.8:53 98.201.58.216.in-addr.arpa udp
US 35.83.105.82:443 bestsearches.net tcp
US 8.8.8.8:53 bestsearches.net udp
US 8.8.8.8:53 rr3---sn-5hne6nsr.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hne6nsr.googlevideo.com udp
NL 172.217.132.72:443 rr3.sn-5hne6nsr.googlevideo.com tcp
US 8.8.8.8:53 82.105.83.35.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-5hne6nsr.googlevideo.com udp
NL 172.217.132.72:443 rr3---sn-5hne6nsr.googlevideo.com tcp
NL 172.217.132.72:443 rr3---sn-5hne6nsr.googlevideo.com udp
GB 216.58.212.214:443 i.ytimg.com tcp
GB 216.58.212.214:443 i.ytimg.com udp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 d2g4kcs2g0r8f3.cloudfront.net udp
US 8.8.8.8:53 search.yahoo.com udp
GB 142.250.200.42:443 ajax.googleapis.com tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
NL 13.227.211.177:443 d2g4kcs2g0r8f3.cloudfront.net tcp
NL 13.227.211.177:443 d2g4kcs2g0r8f3.cloudfront.net tcp
NL 13.227.211.177:443 d2g4kcs2g0r8f3.cloudfront.net tcp
NL 13.227.211.177:443 d2g4kcs2g0r8f3.cloudfront.net tcp
US 8.8.8.8:53 72.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 177.211.227.13.in-addr.arpa udp
GB 142.250.200.42:443 ajax.googleapis.com udp
US 8.8.8.8:53 bestsearches.net udp
IE 212.82.100.137:443 search.yahoo.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 s.yimg.com udp
US 8.8.8.8:53 www.clarity.ms udp
GB 87.248.114.11:443 s.yimg.com tcp
US 8.8.8.8:53 ajax.googleapis.com udp
US 8.8.8.8:53 d2g4kcs2g0r8f3.cloudfront.net udp
US 8.8.8.8:53 d2g4kcs2g0r8f3.cloudfront.net udp
US 8.8.8.8:53 ds-global3.l7.search.ystg1.b.yahoo.com udp
IE 212.82.100.137:443 ds-global3.l7.search.ystg1.b.yahoo.com tcp
US 8.8.8.8:53 xmlp.search.yahoo.com udp
IE 212.82.100.137:443 xmlp.search.yahoo.com tcp
US 8.8.8.8:53 rr3.sn-5hne6nsr.googlevideo.com udp
US 8.8.8.8:53 edge.gycpi.b.yahoodns.net udp
US 8.8.8.8:53 edge.gycpi.b.yahoodns.net udp
US 8.8.8.8:53 global3.l7.search.ystg1.b.yahoo.com udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 11.114.248.87.in-addr.arpa udp
US 8.8.8.8:53 global3.l7.search.ystg1.b.yahoo.com udp
US 13.107.246.64:443 www.clarity.ms tcp
US 8.8.8.8:53 s-part-0036.t-0009.t-msedge.net udp
US 8.8.8.8:53 s-part-0036.t-0009.t-msedge.net udp
US 8.8.8.8:53 ds-global3.l7.search.ystg1.b.yahoo.com udp
US 8.8.8.8:53 c.clarity.ms udp
IE 68.219.88.97:443 c.clarity.ms tcp
US 8.8.8.8:53 c-msn-com-nsatc.trafficmanager.net udp
US 8.8.8.8:53 h.clarity.ms udp
US 8.8.8.8:53 c-msn-com-nsatc.trafficmanager.net udp
US 52.224.31.34:443 h.clarity.ms tcp
US 8.8.8.8:53 vmss-clarity-ingest-eus-c.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 97.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 c.bing.com udp
US 8.8.8.8:53 h.clarity.ms udp
US 8.8.8.8:53 dual-a-0034.a-msedge.net udp
US 204.79.197.237:443 dual-a-0034.a-msedge.net tcp
US 52.224.31.34:443 h.clarity.ms tcp
US 8.8.8.8:53 dual-a-0034.a-msedge.net udp
US 8.8.8.8:53 vmss-clarity-ingest-eus-c.eastus.cloudapp.azure.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 34.31.224.52.in-addr.arpa udp
US 52.224.31.34:443 h.clarity.ms tcp
GB 216.58.212.214:443 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 rr1---sn-5hnekn7l.googlevideo.com udp
US 8.8.8.8:53 rr1.sn-5hnekn7l.googlevideo.com udp
US 8.8.8.8:53 rr1.sn-5hnekn7l.googlevideo.com udp
US 8.8.8.8:53 rr5---sn-5hne6nsr.googlevideo.com udp
NL 172.217.132.74:443 rr5---sn-5hne6nsr.googlevideo.com tcp
US 8.8.8.8:53 rr5.sn-5hne6nsr.googlevideo.com udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 216.58.201.106:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 rr5.sn-5hne6nsr.googlevideo.com udp
NL 172.217.132.74:443 rr5.sn-5hne6nsr.googlevideo.com udp
US 8.8.8.8:53 74.132.217.172.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 rr5---sn-5hne6nzk.googlevideo.com udp
NL 172.217.132.138:443 rr5---sn-5hne6nzk.googlevideo.com tcp
US 8.8.8.8:53 rr5.sn-5hne6nzk.googlevideo.com udp
US 8.8.8.8:53 rr5.sn-5hne6nzk.googlevideo.com udp
US 8.8.8.8:53 138.132.217.172.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-5hne6nzd.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hne6nzd.googlevideo.com udp
NL 74.125.100.232:443 rr3.sn-5hne6nzd.googlevideo.com tcp
US 8.8.8.8:53 rr3.sn-5hne6nzd.googlevideo.com udp
US 8.8.8.8:53 rr3---sn-5hneknek.googlevideo.com udp
NL 74.125.8.136:443 rr3---sn-5hneknek.googlevideo.com tcp
US 8.8.8.8:53 rr3.sn-5hneknek.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hneknek.googlevideo.com udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
NL 74.125.8.136:443 rr3.sn-5hneknek.googlevideo.com udp
US 8.8.8.8:53 232.100.125.74.in-addr.arpa udp
US 8.8.8.8:53 136.8.125.74.in-addr.arpa udp
US 8.8.8.8:53 rr5---sn-5hne6nzd.googlevideo.com udp
NL 74.125.100.234:443 rr5---sn-5hne6nzd.googlevideo.com tcp
US 8.8.8.8:53 rr5.sn-5hne6nzd.googlevideo.com udp
US 8.8.8.8:53 rr5.sn-5hne6nzd.googlevideo.com udp
NL 74.125.100.234:443 rr5.sn-5hne6nzd.googlevideo.com udp
US 8.8.8.8:53 234.100.125.74.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
US 8.8.8.8:53 rr4---sn-5hnekn7s.googlevideo.com udp
NL 74.125.100.41:443 rr4---sn-5hnekn7s.googlevideo.com tcp
US 8.8.8.8:53 rr4.sn-5hnekn7s.googlevideo.com udp
US 8.8.8.8:53 rr4.sn-5hnekn7s.googlevideo.com udp
US 8.8.8.8:53 41.100.125.74.in-addr.arpa udp
US 8.8.8.8:53 rr1---sn-5hneknek.googlevideo.com udp
NL 74.125.8.134:443 rr1---sn-5hneknek.googlevideo.com tcp
US 8.8.8.8:53 rr1.sn-5hneknek.googlevideo.com udp
US 8.8.8.8:53 rr1.sn-5hneknek.googlevideo.com udp
US 8.8.8.8:53 rr5---sn-5hneknes.googlevideo.com udp
NL 74.125.8.202:443 rr5---sn-5hneknes.googlevideo.com tcp
US 8.8.8.8:53 rr5.sn-5hneknes.googlevideo.com udp
US 8.8.8.8:53 rr5.sn-5hneknes.googlevideo.com udp
US 8.8.8.8:53 rr5---sn-5hneknes.googlevideo.com udp
US 8.8.8.8:53 134.8.125.74.in-addr.arpa udp
US 8.8.8.8:53 202.8.125.74.in-addr.arpa udp
US 8.8.8.8:53 rr5---sn-5hne6nsk.googlevideo.com udp
NL 172.217.132.42:443 rr5---sn-5hne6nsk.googlevideo.com tcp
US 8.8.8.8:53 rr5.sn-5hne6nsk.googlevideo.com udp
US 8.8.8.8:53 rr5.sn-5hne6nsk.googlevideo.com udp
NL 172.217.132.42:443 rr5.sn-5hne6nsk.googlevideo.com tcp
US 8.8.8.8:53 42.132.217.172.in-addr.arpa udp
NL 172.217.132.42:443 rr5.sn-5hne6nsk.googlevideo.com udp
US 8.8.8.8:53 rr3---sn-5hne6nzk.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hne6nzk.googlevideo.com udp
US 8.8.8.8:53 rr3.sn-5hne6nzk.googlevideo.com udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
RU 141.8.192.26:80 a0987415.xsph.ru tcp
RU 141.8.192.26:80 a0987415.xsph.ru tcp

Files

C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe

MD5 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1 e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

C:\Users\Public\Desktop\VLC media player.lnk

MD5 eb3ad8641e3385134298c82297774712
SHA1 d6e1bd8d2646de3a13c0444116dac37e8c28f3a5
SHA256 54f420f24220ff1225260bb3b71f044f34a46af821515295b487e78fdb7485ac
SHA512 02fc4e7f66bf22cf05d6231dc95af211097e188b989a118e3142e127b4a35a8da5b903371f68660d67f6f59179e6542143277cd3f8e05bf1752a6831d6d0296a

C:\Users\Public\Desktop\Firefox.lnk

MD5 2eaed728d783be1daed7a070467bdf0b
SHA1 8b8111966966fc92271af429997d978c84e839e7
SHA256 9f637c5801f974a88f72cc8190002746b1136dc564f6e6082c4baaf72518ffb1
SHA512 13d12228abb8425393cc55b5e7eabc3823bb030adf6cf18b03a6d4d85e556d21ef5bdf6a390044f57c1254343d9d80adc679f12432deb7b23b79fdc4a5948c24

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 e36f3abf1b4fe80fc5c8966c916297ae
SHA1 df490de100de3fb8630f55fdb55c1030c4a084f0
SHA256 74fb6e084786e71f505aa28a9ecc25086eea396cf18ec2f049f8380e41ff55b2
SHA512 9888ed46a5ca3604f65e9c4fb3d90f98c01e151ddccc3774a4a4f47ea03147b5e14f4752a98842d83cae3135e23d82faebd5b88ccd51bc4441268274c34c6be0

C:\Users\Admin\Desktop\CheckpointFind.vsd

MD5 2e595558361527240ecabc59bce9b060
SHA1 7dc73a34f7c45d29c03ba9099f68ad7afa0166bc
SHA256 21c4b0a1695c1b8e7adfafaff8e09ec18f3a59236eb387cd2e4f0893f8a05ab3
SHA512 6e970b91532ed72f756ddc15c4f6c7fc0e9b48e36a0d0c058d25fe2e54151de066fd5e0a1cdb946b4b12966cc2eaa96439d006fb291403dcf47c0f946ad15a88

C:\Users\Admin\Desktop\DisableAssert.midi

MD5 75b949d648f1f07fbf8a7cd680027ba5
SHA1 c86a3ce1ea6738f78cecbbc2fa09c80d20ca6b2b
SHA256 8f37b2b8acde799811fc96dbd374e6975fbf9ac8dc0b8c2e44b5d5b580222a02
SHA512 60adabb6e14049d866f0f8d4805b409fe8e78cece56640ea17c02836a98d0ed1e8646f7a01230cd114bec95647d3b0e803afaf0be552ce54e27f8561bb9c905f

C:\Users\Admin\Desktop\GroupRestart.WTV

MD5 4cf0fb081685764817d1ae513f40b800
SHA1 03dd764196538139ef753ed5f81af161a161a315
SHA256 97aa4e123d5e68112fd10427b1cf93633f22bb32a6b9c28a9fec25cc273cfe0b
SHA512 04154d92a870dd698a147077bbfeee48a695f03c91358b69b3e040fbf268df8b77bd8e267a919ecd8bddafe32b95708a9f2abd21b290f58067f9f0056d18469d

C:\Users\Admin\Desktop\ExitConvertFrom.zip

MD5 175e9c921eb077206b7b2aaae535adc4
SHA1 2250d53d896d42b445e175f5a3ef7e3df937438b
SHA256 169f26aadcc0626e511dfb5c33b148b0e7f2fc858d0298309962c27af8669438
SHA512 ae1a8ce4c422592ff37a2908b68adac31efa6fce0c7e04edcb408701633db12558521883d197af63dd40c9df1f7f6ebc4c167d5c30998c38c76d191bacb53ef3

C:\Users\Admin\Desktop\EnableSelect.kix

MD5 c4a63dd6610867f85de77d82fc2c0a49
SHA1 892ca5708a93de8bba70d0c98610afcb43c4cdac
SHA256 65a243d3b20f5ee3c30a48b676bc7acde15ed4b70245c0932605f5d981f7ca2c
SHA512 0e93a576a4d6aa01ed87e1d8b91cdf537941779e53a3d0302432ca91b87e8a92763f3fc9392f537c44e1017fbe032d1829f64c1b9c6ec76f9ec93ca5ec2b3716

C:\Users\Admin\Desktop\EnableFind.mhtml

MD5 a801329739f5164b4beaf1a73b016a60
SHA1 fea3451cd1811f474de730505a765ebf1178b60a
SHA256 5ccebc72b58194eda04c58b2ce67461fa7e20c696d857a1cad581711c87ef60c
SHA512 7b5cf75e0e0dbfac5c18cbff2458da45c039eaef610407befe68a5405676f8f7d75f6c56d86edad5f694cc4abedbbe51d8db91af552cc136a636a26ae2b9ffa4

C:\Users\Admin\Desktop\InstallDisconnect.ico

MD5 4c2c7ef348b3fc5190fb27a026aff4ec
SHA1 98a99bc4fe1f064b8f451db9304fc0162b2787eb
SHA256 f2d847d544b6b23012fe6c45f01c0b92b7deb2c72b5880a6291d58d188c586eb
SHA512 d507beb5b6c150ff9b8b08cc346ba0394c7382aacd22ad7e5ebf24f0635d7539106a14e62821639876c18ba379e8d466bb3ddec599714fd58a0a209fc020074f

C:\Users\Admin\Desktop\NewInstall.asf

MD5 6aeb6338ae381491c13348d5be57e53a
SHA1 89f11fb38db5009bd236aaef15f605ed4d2f49d9
SHA256 b8d7f643a841ff163571f749afaf163d5d1b393771923a3fbc8685c608014788
SHA512 d02c684db7d01b24cb6872906469406b7746c3c38bd0959a2b5f594222df9ba7400e3da0b66658155b186cf2c10092983ab331f6ba10615d241b68dc3068cb05

C:\Users\Admin\Desktop\UnprotectMeasure.avi

MD5 80eda092b60bf30f3080e0fcafa84f8c
SHA1 2f24a10e3963f4a7229a034db7d80c7c19735475
SHA256 53769fa13c3161e84f01fbfea2480c46506e23e0cbca3505f48e2dd9057d1ce5
SHA512 ca61fe0dc8650c354bf4ed3ac8eecbe94245a20fd934054d1054f45a823e1084ef03ad64f685645131d230c4ac6db02dc6429f8d407f2caebc27ea945d140e0d

C:\Users\Admin\Desktop\TestSelect.ram

MD5 1a400cade36460a5cc62f56eec131ada
SHA1 f93228bfeb01141284aebc125acfe41ef8a050f5
SHA256 d3f9d9784912eb389b652372fc8a5b35ee3268164466b7ba6560a094e073208d
SHA512 8d66d0baaf6a13d3e2990ff92dc0304ca5265a6e28ec02edff9217b8946ac29c6d8c226b37bdc1f36bf37331f3fd71eea7af8d96475a8b3cdf56e89b42e7dfb3

C:\Users\Admin\Desktop\StepConvert.wpl

MD5 9021b03cc7327fb57fd55a4e672c9c44
SHA1 e7f42aac023051592be0cd7c9af4cace1d0ec354
SHA256 2f6d625f52bbb8e062e5e2c0afb611dbd4f1d443b39ff3216130ecec65533f10
SHA512 acaddcbe9299f6be917e65b24d4013f9abf7d3299b40c7c5dc6ea96edefd042ec876de55562c3f41e69f4d21814c82ee2d70020bd58cde393116dc6ab57e9b00

C:\Users\Admin\Desktop\ShowRead.css

MD5 c7811acc035bfe9850c3552a3f4ce23e
SHA1 d464d0960eb6c35efd9a4d79b3d98ba25c52d6bc
SHA256 c2745a2a3552ca7e1bc390a895e87304b9386ebbd96956d18d68fae45542ceab
SHA512 92546c9830bfa51a5d9088d50f0e4519df16f237f18469035bc642e60a4ae72d1157e38efd4b9df3f1c4853c2a96941e0ecbd754e1e4786024978e0e6ce7c8c0

C:\Users\Admin\Desktop\SelectUndo.kix

MD5 4341403840546f70b64c3574debca10e
SHA1 45dcd506e097fc1bc3ed2d939d0b1920db1364d5
SHA256 22026de915aed71f9d2dd69fbecb68c778a0b3c5d58d093d06c2e45239909994
SHA512 6b9b6fdaf3d480a36175148e0d5f816bf92fccf47e3ff6fd8f83955aad216a634be275926ee86c5ee6d78a26c99c4b3c187dd783550e31c75e72536e4e640943

C:\Users\Admin\Desktop\ResizeEnter.bmp

MD5 f32bd09c92d971eb952a60e8a02eb9d3
SHA1 6a09fc5c002298b2b0b287294ed37f53c4415d16
SHA256 6d9269aeb5d551008bdf2c74546d92b9749378efd9cdc44206a97825eb6fd497
SHA512 466a89851b6404cbce72d2a490efc0e7888ee5585e99ccb970759030d5219681fd6e05ae06a78e4815156690675433a5b459ca4a3f8077c9c13a381ca1af10ed

C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat

MD5 c8f8a078dace2ff4cb106803c9199643
SHA1 a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512 efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

C:\portagentbrowserweb\Containerruntime.exe

MD5 5887a563351ca99247b7e2c448bd9f2e
SHA1 b24695e88143863297535989900bb7521ea86d67
SHA256 e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512 b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

memory/204-31-0x0000000000420000-0x0000000000552000-memory.dmp

memory/204-32-0x0000000002730000-0x000000000274C000-memory.dmp

memory/204-34-0x000000001B670000-0x000000001B686000-memory.dmp

memory/204-33-0x000000001B6C0000-0x000000001B710000-memory.dmp

memory/204-35-0x0000000002710000-0x000000000271C000-memory.dmp

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 38e83dddf1c2efa3f4e42d486ebd1c03
SHA1 9cc77e42c2a72556e5d1f6d44bb9f56773d8f030
SHA256 fbda9fc0d5d4ca691735b590da38f0e6f1d441698bc5e0e539a45c0df4153b4f
SHA512 aa84300db92ca3ea7608b6b5b1deaf9ba34af9720998656773c8314470c9dae22622375f1e8c76d12fe10754d98c0310b257aeb88ea8b666ce28176ae727fe89

C:\Users\Admin\Desktop\DebugRepair.WTV

MD5 846818ae4243350f63a8339f5ff77a72
SHA1 6e92117ffb6c2bb6330bcf336c35133c35f46fbb
SHA256 64d85d31db23ce47cdea5e9f4ff573daee11382a231c55cea43f35a5b2340d54
SHA512 974b4ab3944510b8cc09b464120d004b6ae2e9c5991f59d097f61090e9f19cfade91fe01da0f037d1570d8f1c04c3ed6dcfc29445b6ebeedc6ca4802ee5798cb

C:\Users\Admin\Desktop\FindConfirm.vst

MD5 4f96c120426ba4efb2fd73f6574e0ded
SHA1 ffedb793ebef8430d8534c6234ca5dd413d8f86a
SHA256 857180bf69a23a510620d2802b454d1aad692e241fd54b0f7a7c02ba8fa1ae5d
SHA512 c19e427ed7e25f381b780300f8839a51f2ab5f9127dae2b9260d818a61b63c82d59b2f72f3a4d42aefdee7ae8ce0c631fd310f2fcc7785e53f0210351d30d13b

C:\Users\Admin\Desktop\ResumeLimit.exe

MD5 f2f76be946a631710ea2a201593f79c3
SHA1 d2e8685b9a474a976f4422cb77c0f59977e8caac
SHA256 404682f8ac9eeecf7a82a7b2b25791e86c9b2387c346976d8320e67b6d1940e0
SHA512 d697c9ecc3767b1d7004aa5383055e8580196f0e7d5bb92c790b52dd244e80de66ce251abccb09d625d797b83e8989381c9dac0cae9cdd7c8d7f24881454302d

C:\Users\Admin\Desktop\UninstallOptimize.search-ms

MD5 ec684e028a01eb0e803489da0a866457
SHA1 c202f908a6e16ead026fd1cb1314447d69b27fe7
SHA256 92e06ec88df5e8842e19993ee5dc0620c40e6502e5ac1a32f860b01756061211
SHA512 140a69b0a82ad6a7cb8d5cfbedfc3a4c3421b3aa4fd0240822115140b2db607e2197cf86ed7e54278714b1a35e553951bb7cff5183735f1c7469a73ddd99d3dd

C:\Users\Admin\Desktop\CopyOptimize.css

MD5 f7586966d0a73f60c6de70cab89aebaa
SHA1 e3801be9df83d3dd8eca8b6bbb63d96cd2168046
SHA256 5ed9d0f307ba2e3efc709f1abc74240b4437696c702ee96d5f996d32afb8b7e2
SHA512 7dc96f446fd9b774a9f907787920371f7b232636dd506469005c1bc2d92f48500fa13d2e8919c033ea018d14e73ee014e6bce8103079ca8442d58179b6eae074

C:\Users\Admin\Desktop\ExitDebug.mpeg2

MD5 3647160f89e01681aed2fd9906535c51
SHA1 46b0775677ec195941f2371ced327cd2721654be
SHA256 a5feb1a9c8b722e56e5b41353ec7dc7652d8ee15074df49bc531b59bbfa27555
SHA512 32f2ce9ff59833ca67ba11ea72d221a062e47903b7f4d973187cfa58d9b3541ee7526dd15abd70220425ea9542bb36cffff3fe20e8a5ca9e67ee7c6017c4941b

C:\Users\Admin\Desktop\UndoTest.xls

MD5 6c06ec0839f54841d3d0fcb21138a62a
SHA1 0976d1c84b8b1944e2ecae56c80b503b1a1f7c58
SHA256 a549ab1f3620572e2796b7260c0367efb2e0a29c0630cefd1992dc18714284b8
SHA512 f7fbd84b35e6f59cd02e0477f2e1297e735ba399ac71a233186270703281e68319b845f13ddfc499d7448a90ebfc576734622d9a2c74f1e0d6159c0b84fc51d5

C:\Users\Admin\Desktop\ResizeUndo.temp

MD5 8c4a9bb4b17f6d8eca8b4f4c3aefa03d
SHA1 5e9f1fa2bea4e17a745fcdbbf346319142b1497f
SHA256 14ffad2a6d867fa5f978a44d3f871992066b34b2fe3f437ae8987d3e24068119
SHA512 05698b91a1784c1df4eddafa44a467221be9266b38ed25823448cd75c99b676d40c2b41a1038a9cbe816fc34bc4f966337d6a2fd2e71f4bc6b08ec9d701f120c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\efe87705-e89e-42e7-b3e1-d25db96bda79

MD5 d06f3e3b25a759191aef2bca5d5f02b4
SHA1 9cb2099d33498470085c961760c1f8eeaf6bae03
SHA256 ca00876d67d446642f3ed73023d04ff2a8e4b4001db896127c696d199610361c
SHA512 5525521a002a35186bd13bd185d25b6380c90a4d86714fe0f42ac4f4d790205566ebcdba9e6178c4632b261e8b5aac4a096f09d74de82e62726e6165049aea3a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

MD5 132011ac6cccb63bd6dbdf33068f0d6b
SHA1 14d922bc9a1b3fca8cfd15a60c7dfde045f63626
SHA256 1771fbda91e79384589e2596f89348f1b8bac26b767de96a386d593a5d61b452
SHA512 6d3e3ee55f80bc07ac9d10f266bee365dc3b5aa7264056701f0ac4c6fd5d5791321ef0f05b14adba5af6618771d8c7bb3cdbc9e79ad267bb57530ba58124226b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\615f9224-3268-4337-9374-c1dc7f852c8a

MD5 aef1d007a467f5cf27098023e49518bf
SHA1 2ea52fd20a2e480f7607e8af237134b99bb6c1ab
SHA256 c478a05ceb02021724bc2d790ee2d8385a487aba594731c50b525e943a4a8f60
SHA512 53a98cae60ae27e456f3c5f33efed68048339932859e0e8441ecba0b1efe96d645c5e9bd6ec9356278842f61b4434a94448db6c172027e0b775cf746d23b3006

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 3018d1aad8385b734068dbad441e344e
SHA1 2a3925bc92ec843db64b6db2cd6fe18ccf084a86
SHA256 f33415b0b1fc8c7e52356318d44aef1ae6bd9c64a89afa012d43a01a79954f88
SHA512 7ab1a1115a4f7ac61ba41bfe5875792cfa84d81f14f71239e43848de5940bfa07e2e34ea4be85a61c091d0b4b7742f3f55961fd26734b528cdb2c0b4d169c5e0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

MD5 729bb85a798dd9496cced39fb7fe086f
SHA1 cf8d42d75ded9dee6b276e4fd038ff253a753b41
SHA256 dec5c5455e6d74c2743311f32f29d7c274bc4ce2bb78b0d30217544ad062425a
SHA512 f31ce7ceda8072c56a3f234e4626b46b94a0f7e7f5cfd17eb7d6130fc7d3295dd86d8a755b49cbc9f48c6f4d0f233ed0c529ea3aa12155e56de7d945bad01a62

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 47725092e8694c84a9f4ad473f166626
SHA1 fd81a7a0668236185f16d65db6c408c0e8f6f4d9
SHA256 c93100b088228040179da7bb2f50136ea09b4364be23b55f8e51e6436c89582f
SHA512 38d765b70cd679ff035741345cc0f0f4a13b73dff12576cca4853d86fe78ad5f8a23f58668a9977a5f11f3c1370b7d8458bfacb05c2b41d3932aa8cd516a9119

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\124\{67370385-2399-4edc-801f-9143f393c47c}.final

MD5 c27db3d65048003ad8ef29962ff2d691
SHA1 5bb939f6c5131a93d52da46aa855cd28e3903c81
SHA256 b7e3fb38531eb7a38f67e7ef1562b58bac2cb971940450c11b9f3846927c00a6
SHA512 5e1d75bec2e03a96a92f0d8fec19a0f49b8a88992ea74567eb09b5a823ce57a6cec642c24a6586314672c6cdaddfb1e7d28c8278abbc8412b32974560a493219

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite

MD5 ea22d50638c9ad5d88c5213179a2c8e7
SHA1 edcb3de510418e3d3afa7c7b6b87da5f9c885a9d
SHA256 ae60c9add684f96cff31352bbf45583a8792d54f9940fa1088fae753d0d86ebe
SHA512 66fb0b752664da366d8096387eb46ab3fae752eb4be0b7979c103b51fa9af044467b6a0c8b36a62375ef5e8b0d60f81359b45f7dacff33935ebe6a60166f2bce

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

MD5 bc3a8aca7fa6351c2c1484db1b82f165
SHA1 ccc5ed7b2abb091a0d32e8691899842fd6313875
SHA256 785e07edefd4b6722adc4fa8b58c5a9b4d06708e93a080f13dd54633cd0177a1
SHA512 9a244823ca81250efddaf5860192b75da90fd6cd5ef740c73f1a202f6c7a2ad0562aaddffe01d0d435f7bc74f644c2b88c3c3c0f3395676425a398c7ead4b8cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\cache\morgue\127\{f796a8c8-7e7c-4c70-875e-f8dab310657f}.final

MD5 33eb9f44045c5d260694dc8176423e6a
SHA1 8605385621c6170d391ca3c431c2f77d5389ce81
SHA256 d7e5351d8c0acbfda74aec3664eb73337428df65518a38bd45b6554431c159df
SHA512 01c280bf24755e8e9e6167be2cd2d842ea530ef64eaf5bcb59fe7f5cf1f1cec84804e302b702938c3aea273bd204682308c5c1df7e1945c88c90bb1e6cfeb513

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1788

MD5 c90faca4ac7410e5e1c1e32670964aaa
SHA1 448ec45fb0a7075e469bed9688bfd35e5921445b
SHA256 4d644b98773a5c7622eb09a4028fe6c31cdd7962d3f701a6380c14e11bb54954
SHA512 d7e911e11a450a0406a0ae8f92ca1b20bcfb04f36622581ddbae4dadf1cfa431e0098f6b0680bdba754c72b31f830fd5f5f5827292df5fc3e52137818e6ad204

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c665de8863129119063d846304404cdd
SHA1 fdc61098846cb021767f44c173b3f7e3685fe6df
SHA256 dc02f8229657368727dd3680ddff64b90e113676232ed7683b521718e032ddc6
SHA512 5f92afb4fde6d251415ac6534689ac385c6aced695de0729337cb769f9b7ba68e2f4cf38d024243327e68666b6b61c4c6cb527d36b16a2a73bd83673f596ff07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 2d8dd2f5738d42b16f7877876ab1f5c2
SHA1 2640a254e78db2b95211f2928660f5640f691774
SHA256 e40bd6c15522145c37ddcd4288eba1e9cd8f4af0d615c233722aab4a570a44a5
SHA512 f9a249567dc0881322e2e5d77a6b1ade93fcfa3efce4183fdb7c8c08162fa4a8f8a82cb0f98138451a23354ca0b41aea278a3b09c6b27565fd1c8d474c8b09d8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\B3316860430DA0966649580110E85D2FFB7B5A61

MD5 963552580a1ff3625d7dac3cdc766809
SHA1 02edc160d61b35234ddc79b2cd83ee3a69c6efc4
SHA256 ce55597104485c4d5f941ec6593e874d51915460b2bb0989dffc2ca3142f362b
SHA512 938597699f6bea4e2d6874895e4d558ebd0fc6deb150c3bbd679a862cfb2a342b86e069cfd4a24a77ebfe89fca94c6ef64e2b0e43e94f94b4c0b5959d22c9dc0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1578069077yCt7-%iCt7-%r1e2s6p2o.sqlite

MD5 6e11afa736b3efe3df832f145258901a
SHA1 f51a383183b05a11078c50273ec48b9ec854beb8
SHA256 9006517d4fc231d10a6dbd903bc80570542de2f5e3d3b958545ae572030fee2a
SHA512 9b6de88fb62daff3d1f3e99421afb420217bbf2ceeee57e7ef6f0aef018ba8f0403147389a1e5db5e1dedc958d17ef0c2fcfd49ce58e10c405e23df944e92dc5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\3226

MD5 6d3fe88da0cb85d1876c89703afa799b
SHA1 9c857095997142d3b6e7561a72a21927d8e20504
SHA256 3a8094b637f78af6853e7088493da0b5fc1ec544d31e356a1199bbdb5e30e407
SHA512 6e189ccb3e6bc1e090a11b876b88aa26f218d0099657c995d2f95e3eb38d4ac7809b8113474031160594798fac818693181cd59232196f831c2d3837a820e82d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\26742

MD5 a3e2a9afea17a90fd04933a3075a8e0e
SHA1 790846a3080836264f17752f00da6a90768d33ce
SHA256 3616921e5c60fa4ca957fd2acbd5ec7ab7c2983d2cc301b3956a9ef202312746
SHA512 cfaa0b787acad290f05770f109fa63572231b0342db15987a57d9eb145e04b5adf3fff773201511fffbada1e15c1e83de4c3c03c19db6d9898538825c1441974

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 ca178bddc62dbcbc4a7f4eda6db1d846
SHA1 f03cca73fd1f95c8b97e28d46509e85d2d355202
SHA256 4d90f225e793df4fe9f982d6992bf25229b705d5e1de565a91d5ae083beddd06
SHA512 0aff9a7552a148e2d5bd7ac6ec3280eca0002f07966a23adeece216ee76ad3413d78036aff1ff5001ad7c84de9d305796740067b803eb7ebcc5751a5bb0d5f8b

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\1619

MD5 8c76e38ecb0d2c86b27447f23c76cc7d
SHA1 d294d68a7d8e3a2038bb66e779ab162ef1b94a31
SHA256 0faf4eeb909126d8275cc21eeee4e70f704f3882d9e1b27faa9666add0c690dc
SHA512 d6ffec013aa84fd683155a16984db60747505c9b4637cadd0cb78d1ce9841bfa72deac2f4626c0a8135d02438e251b1296a75f5f833e55f578048e679df58a87

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\storage\default\https+++www.youtube.com\idb\1321911027LCo7g%sCD7a%t1a2b6a2s.sqlite

MD5 cee44dd65c713efe020fef8ace21a072
SHA1 2c61d148b4ae437d6e4d3eaa9b7a8224cebd66cb
SHA256 7b446fd5104ce9207434c527a697fdb2b08852edd2f4b85f6de56af9ae15c846
SHA512 59b11eb9deef79ee37bebb38da3148bae3d23a99fca363ac3744e1105a1f1fa999fb60985afcd832b7ee38b272ee1beeefa87a0042e9ec6cf722ef876cc77713

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

MD5 075d94e75d4d19e04d22ddc3b7bdff92
SHA1 c6b72b8aec012ea30ce8b9baa396c124cdafe35d
SHA256 573b4acfdc0b941cee66dfce101c550eca8af751a3237f34d0c02381f3cb9b8b
SHA512 11d091ac738c881ac9f9e9fd62aa2b726354f3d513a3cf8a8ab84a218f11b26d87d211bd48d5a919691c3a563512edf5b444470d76d3788c563fd488a16eeb8e