Analysis
max time kernel: 144s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 15:34

Behavioral task: behavioral1
Sample: nursultan nexgen fix.exe
Resource: win7-20240221-en

General
Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 54 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description (identical for all 54 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  (the target process column is empty in every row)
  pid   pid_target  process
  2400  2432        schtasks.exe
  2436  2432        schtasks.exe
  2284  2432        schtasks.exe
  2956  2432        schtasks.exe
  1564  2432        schtasks.exe
  2596  2432        schtasks.exe
  2600  2432        schtasks.exe
  2692  2432        schtasks.exe
  2776  2432        schtasks.exe
  2444  2432        schtasks.exe
  336   2432        schtasks.exe
  1884  2432        schtasks.exe
  1612  2432        schtasks.exe
  1596  2432        schtasks.exe
  1676  2432        schtasks.exe
  1740  2432        schtasks.exe
  1584  2432        schtasks.exe
  488   2432        schtasks.exe
  1396  2432        schtasks.exe
  2348  2432        schtasks.exe
  2568  2432        schtasks.exe
  836   2432        schtasks.exe
  2780  2432        schtasks.exe
  2488  2432        schtasks.exe
  2840  2432        schtasks.exe
  1992  2432        schtasks.exe
  2132  2432        schtasks.exe
  1948  2432        schtasks.exe
  2948  2432        schtasks.exe
  848   2432        schtasks.exe
  1748  2432        schtasks.exe
  2340  2432        schtasks.exe
  2076  2432        schtasks.exe
  428   2432        schtasks.exe
  3032  2432        schtasks.exe
  3008  2432        schtasks.exe
  1580  2432        schtasks.exe
  2068  2432        schtasks.exe
  952   2432        schtasks.exe
  2024  2432        schtasks.exe
  1712  2432        schtasks.exe
  852   2432        schtasks.exe
  2240  2432        schtasks.exe
  1472  2432        schtasks.exe
  1664  2432        schtasks.exe
  1956  2432        schtasks.exe
  2044  2432        schtasks.exe
  2352  2432        schtasks.exe
  1872  2432        schtasks.exe
  1668  2432        schtasks.exe
  2020  2432        schtasks.exe
  2152  2432        schtasks.exe
  2040  2432        schtasks.exe
  3012  2432        schtasks.exe

Processes:
  resource                                                                     yara_rule
  C:\portagentbrowserweb\Containerruntime.exe                                  dcrat
  behavioral1/memory/2708-13-0x0000000000A60000-0x0000000000B92000-memory.dmp  dcrat
  behavioral1/memory/2656-59-0x0000000000DA0000-0x0000000000ED2000-memory.dmp  dcrat
Disables Task Manager via registry modification

Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2708  Containerruntime.exe
  2656  csrss.exe

Loads dropped DLL 2 IoCs
Processes:
  pid   process
  2544  cmd.exe
  2544  cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory 14 IoCs
Processes:
  description   process               ioc
  File created  Containerruntime.exe  C:\Program Files\Windows NT\Accessories\wininit.exe
  File created  Containerruntime.exe  C:\Program Files\Windows NT\Accessories\56085415360792
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\6ccacd8608530f
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\886983d96e3d3e
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\c5b4cb5e9653cc
  File created  Containerruntime.exe  C:\Program Files (x86)\Common Files\lsass.exe
  File created  Containerruntime.exe  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe
  File created  Containerruntime.exe  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ebf1f9fa8afd6d
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\101b941d020240
  File created  Containerruntime.exe  C:\Program Files (x86)\Common Files\6203df4a6bafc7
  File created  Containerruntime.exe  C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe

Drops file in Windows directory 3 IoCs
Processes:
  description                   process               ioc
  File created                  Containerruntime.exe  C:\Windows\ModemLogs\dwm.exe
  File opened for modification  Containerruntime.exe  C:\Windows\ModemLogs\dwm.exe
  File created                  Containerruntime.exe  C:\Windows\ModemLogs\6cb0b6c459d5d3
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        process      ioc
  Key value queried  firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel
  Key value queried  firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  Key value queried  firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  Key opened         firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  Key value queried  firefox.exe  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision

Creates scheduled task(s) 1 TTPs 54 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  428   schtasks.exe
  952   schtasks.exe
  2600  schtasks.exe
  1596  schtasks.exe
  2948  schtasks.exe
  2340  schtasks.exe
  1396  schtasks.exe
  2400  schtasks.exe
  2956  schtasks.exe
  2596  schtasks.exe
  848   schtasks.exe
  3008  schtasks.exe
  1664  schtasks.exe
  2040  schtasks.exe
  1612  schtasks.exe
  2840  schtasks.exe
  1564  schtasks.exe
  1884  schtasks.exe
  1676  schtasks.exe
  2132  schtasks.exe
  2436  schtasks.exe
  1584  schtasks.exe
  1580  schtasks.exe
  2240  schtasks.exe
  3012  schtasks.exe
  2776  schtasks.exe
  1992  schtasks.exe
  1748  schtasks.exe
  852   schtasks.exe
  1948  schtasks.exe
  3032  schtasks.exe
  2444  schtasks.exe
  336   schtasks.exe
  1740  schtasks.exe
  2348  schtasks.exe
  2568  schtasks.exe
  2780  schtasks.exe
  1472  schtasks.exe
  1956  schtasks.exe
  2044  schtasks.exe
  2352  schtasks.exe
  1872  schtasks.exe
  2152  schtasks.exe
  2284  schtasks.exe
  488   schtasks.exe
  1668  schtasks.exe
  2020  schtasks.exe
  1712  schtasks.exe
  2692  schtasks.exe
  836   schtasks.exe
  2488  schtasks.exe
  2076  schtasks.exe
  2068  schtasks.exe
  2024  schtasks.exe
Modifies registry class 1 IoCs
Processes:
  description  process      ioc
  Key created  firefox.exe  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings

Modifies registry key 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (identical rows collapsed; the rows column gives the number of occurrences, 20 in total):
  pid   process               rows
  2708  Containerruntime.exe  7
  2656  csrss.exe             13

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  2656  csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2708  Containerruntime.exe
  Token: SeDebugPrivilege  2656  csrss.exe
  Token: SeDebugPrivilege  1552  firefox.exe
  Token: SeDebugPrivilege  1552  firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes (identical rows collapsed; 4 rows in total):
  pid   process      rows
  1552  firefox.exe  4

Suspicious use of SendNotifyMessage 3 IoCs
Processes (identical rows collapsed; 3 rows in total):
  pid   process      rows
  1552  firefox.exe  3

Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed; the rows column gives the number of occurrences, 64 in total):
  description                       pid   process                   target process        rows
  PID 2172 wrote to memory of 2228  2172  nursultan nexgen fix.exe  WScript.exe           4
  PID 2228 wrote to memory of 2544  2228  WScript.exe               cmd.exe               4
  PID 2544 wrote to memory of 2708  2544  cmd.exe                   Containerruntime.exe  4
  PID 2708 wrote to memory of 2656  2708  Containerruntime.exe      csrss.exe             3
  PID 2544 wrote to memory of 2716  2544  cmd.exe                   reg.exe               4
  PID 652 wrote to memory of 1552   652   firefox.exe               firefox.exe           12
  PID 1552 wrote to memory of 2364  1552  firefox.exe               firefox.exe           3
  PID 1552 wrote to memory of 1876  1552  firefox.exe               firefox.exe           30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree: each entry gives the image path, the command line, the signatures it triggered and its PID; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
  command: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2172

  C:\Windows\SysWOW64\WScript.exe
    command: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
    - Suspicious use of WriteProcessMemory
    PID: 2228

    C:\Windows\SysWOW64\cmd.exe
      command: cmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2544

      C:\portagentbrowserweb\Containerruntime.exe
        command: "C:\portagentbrowserweb\Containerruntime.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2708

        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe
          command: "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 2656

      C:\Windows\SysWOW64\reg.exe
        command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID: 2716
C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2400

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2436

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2284

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2956

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1564

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2596

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2600

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2692

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2776

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2444

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 336

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1884

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1612

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1596

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1676

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1740

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1584

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 488

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1396

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2348

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2568

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\System.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 836

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2780

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2488

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2840

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1992

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2132

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1948

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2948

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 848

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1748

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2340

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2076

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 428

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3032

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3008

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1580

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2068

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 952

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2024

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1712

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 852

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2240

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1472

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1664

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1956

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2044

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2352

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1872

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1668

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2020

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\conhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2152

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2040

C:\Windows\system32\schtasks.exe
  command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3012
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
- Suspicious use of WriteProcessMemory
PID:652
-
  C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1552
  -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.0.284243406\828377027" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be62e9a-f066-4a59-96fd-cbd098846926} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1284 10fb5458 gpu
    PID:2364
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.1.1850627859\933695156" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2749aac-4add-464c-ba58-c47fe5abbe15} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1488 e70158 socket
    PID:1876
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.2.779767583\75083454" -childID 1 -isForBrowser -prefsHandle 2148 -prefMapHandle 2164 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afa9c2c2-4674-4cdf-8e68-fdd4f09f13e2} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2140 1a698458 tab
    PID:952
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.3.1786702683\265030290" -childID 2 -isForBrowser -prefsHandle 2380 -prefMapHandle 620 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74866a27-1ae9-4fb2-aa47-7369e516554f} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1644 e61958 tab
    PID:2480
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.4.164626267\1708590400" -childID 3 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f46c30d-adbe-4eb0-83ad-219ede55fca8} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2888 1c454958 tab
    PID:1780
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.5.1976531840\757003713" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3760 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d474185e-25e2-487f-be31-0438751b879e} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3560 10fb4558 tab
    PID:428
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.6.958718452\1136938848" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b744dfdd-4898-43d8-be7b-4028c7702c20} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3864 1eb8d158 tab
    PID:2568
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.7.1730308404\2078796244" -childID 6 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9970128a-47b0-4354-a969-8835bcbb4891} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3932 1eb8dd58 tab
    PID:1996
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.8.1344258445\1165602095" -childID 7 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b780ef24-7fc4-4433-9695-f1161c832f0b} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4260 21bc8458 tab
    PID:1968
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.9.533622847\1880963624" -parentBuildID 20221007134813 -prefsHandle 4476 -prefMapHandle 4164 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {070f710a-6ccd-4cd5-ace1-ef4368a97282} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4488 22273858 rdd
    PID:1528
    -
    C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.10.669522205\1629253016" -childID 8 -isForBrowser -prefsHandle 4660 -prefMapHandle 4648 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8cb6ef7-2db9-4d02-8ed2-e96cf194c16b} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4672 223a3d58 tab
    PID:2820
Network
MITRE ATT&CK Enterprise v15
Downloads