Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2024 15:34

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe
            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1712
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1664
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\portagentbrowserweb\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3012
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.0.284243406\828377027" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1be62e9a-f066-4a59-96fd-cbd098846926} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1284 10fb5458 gpu
        3⤵
          PID:2364
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.1.1850627859\933695156" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20830 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2749aac-4add-464c-ba58-c47fe5abbe15} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1488 e70158 socket
          3⤵
            PID:1876
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.2.779767583\75083454" -childID 1 -isForBrowser -prefsHandle 2148 -prefMapHandle 2164 -prefsLen 20868 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {afa9c2c2-4674-4cdf-8e68-fdd4f09f13e2} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2140 1a698458 tab
            3⤵
              PID:952
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.3.1786702683\265030290" -childID 2 -isForBrowser -prefsHandle 2380 -prefMapHandle 620 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74866a27-1ae9-4fb2-aa47-7369e516554f} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 1644 e61958 tab
              3⤵
                PID:2480
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.4.164626267\1708590400" -childID 3 -isForBrowser -prefsHandle 2876 -prefMapHandle 2872 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f46c30d-adbe-4eb0-83ad-219ede55fca8} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 2888 1c454958 tab
                3⤵
                  PID:1780
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.5.1976531840\757003713" -childID 4 -isForBrowser -prefsHandle 3768 -prefMapHandle 3760 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d474185e-25e2-487f-be31-0438751b879e} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3560 10fb4558 tab
                  3⤵
                    PID:428
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.6.958718452\1136938848" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b744dfdd-4898-43d8-be7b-4028c7702c20} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3864 1eb8d158 tab
                    3⤵
                      PID:2568
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.7.1730308404\2078796244" -childID 6 -isForBrowser -prefsHandle 3920 -prefMapHandle 3916 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9970128a-47b0-4354-a969-8835bcbb4891} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 3932 1eb8dd58 tab
                      3⤵
                        PID:1996
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.8.1344258445\1165602095" -childID 7 -isForBrowser -prefsHandle 4160 -prefMapHandle 4164 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b780ef24-7fc4-4433-9695-f1161c832f0b} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4260 21bc8458 tab
                        3⤵
                          PID:1968
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.9.533622847\1880963624" -parentBuildID 20221007134813 -prefsHandle 4476 -prefMapHandle 4164 -prefsLen 26251 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {070f710a-6ccd-4cd5-ace1-ef4368a97282} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4488 22273858 rdd
                          3⤵
                            PID:1528
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1552.10.669522205\1629253016" -childID 8 -isForBrowser -prefsHandle 4660 -prefMapHandle 4648 -prefsLen 26426 -prefMapSize 233444 -jsInitHandle 860 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8cb6ef7-2db9-4d02-8ed2-e96cf194c16b} 1552 "\\.\pipe\gecko-crash-server-pipe.1552" 4672 223a3d58 tab
                            3⤵
                              PID:2820

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\12614
                          Filesize

                          16KB

                          MD5

                          562c8870bb6d1ede22e14de08d4739bb

                          SHA1

                          d9f480cfe999ddd36e09569a5fc6c6230989142f

                          SHA256

                          1d433d0319ccd786e01ac86ec4b5cf0133a97a934dd53052e44f2db57cb56fcc

                          SHA512

                          7cb8200c38a8e768ed3e108a6aab0ebc67d9a79ae0f63ac0e734572240d262ea57a4b00812359fb84d78705a021b6b285437b8c69b98d64af560f1cde4daba99

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\19640
                          Filesize

                          16KB

                          MD5

                          1da401355e767eeaedadd5e36d87499c

                          SHA1

                          2d990b8dc5e384bbd7e7df7d99f18dd78d465914

                          SHA256

                          320358c3816e2a4762c4aa1935de48a9ae62ffdc4503759009545cc91a1670e0

                          SHA512

                          7e675ddec1a8fea55c324e8b061edf6a3196d386e91d8f1a1fba09c7632044b5313d16751d9deb006c13d8cf2076206e6ccd7f1434b05307129029ef400a6d31

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\19977
                          Filesize

                          16KB

                          MD5

                          1ea9f4f0d109d85c8fef7764298e648b

                          SHA1

                          9aa02ce2ef7c4e4cb7a2b262fda89f0be298b4f9

                          SHA256

                          846e7f9a274a9f1736d8a6728615af7334e077eaf604e2f2b45a419f2c2ec3ee

                          SHA512

                          e976c83aece2988ae9c5b9793e6beb19edc7e0547d9d1d35a68d02b3bbac3780cbf5d18636f1270ea7d1cbc9d5cb0e74562b6feaec5da12b051afcc821f1e398

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\22670
                          Filesize

                          16KB

                          MD5

                          561152ba5d0b1986fceecb4b1b593363

                          SHA1

                          42d062ab44fddddaa91e4727e065f70e8864cd5a

                          SHA256

                          926fd6857177a249be2b82028baca64c458da09f5ea09f04df6f52e4beec7084

                          SHA512

                          f81d4ce0d1b4507fe1574a43b416b907ca1c4992a917ef0f3a9a03e395ad6bacbd79b512e0e37e11991158b0d4f8080f46af15c09e4dcae299f148a6d56f9dc5

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\5510
                          Filesize

                          16KB

                          MD5

                          d95370ec1e0d5024a346222c2314b0aa

                          SHA1

                          9e68add82def5064468478846ef9d7b3c931d44e

                          SHA256

                          6b7e08da9c678977ad058d11f8ab75c80bf372bce05a38bee2057003f12703d8

                          SHA512

                          37cc41a0a42121e68caea4e8c938b23e6383f940d9a61b07b19b9f6e41e96940dfcadd2f09dbbf4981e9169325ea52724f0802885db0f761b60ac42822feb65a

                        • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0rowjuc9.default-release\cache2\doomed\9348
                          Filesize

                          16KB

                          MD5

                          7361af8836326bf3673375bb55b8bc39

                          SHA1

                          fdb31422fa4d46ab5abe06f52bc1ecbc3762bc5c

                          SHA256

                          9ce9c6207ecb1d1f59b9c992bbc34a155248e60440f6aff24b033dacc624d72c

                          SHA512

                          2a27d8a61c887b558a28d073d7cc57f58fd9a2d2483260bf3516c021e839c72b0323f8a242e092a1103d15c2adfb9da5ec3891512a60262c3ad8a60ea48ff699

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                          Filesize

                          442KB

                          MD5

                          85430baed3398695717b0263807cf97c

                          SHA1

                          fffbee923cea216f50fce5d54219a188a5100f41

                          SHA256

                          a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                          SHA512

                          06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                        • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                          Filesize

                          8.0MB

                          MD5

                          a01c5ecd6108350ae23d2cddf0e77c17

                          SHA1

                          c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                          SHA256

                          345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                          SHA512

                          b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\db\data.safe.bin
                          Filesize

                          2KB

                          MD5

                          42356c902aacd0048abeb14048315592

                          SHA1

                          23e7c8b10718a74ed01834e208cb0f219b1ee4a8

                          SHA256

                          b0c3244fceceadc8c5ae6b76c3ffaf57afe164f510a4566830616ea2af4bfeb5

                          SHA512

                          9678fcd3520f6851f9ddf89f9273ae8c3fc5b00d901f59f2088cec864b47dc0856ad3c8bc31c0d83e3edeb6be71e965a5a3f8f927bcbab6b1d9c4d529beef4f4

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\pending_pings\0d619650-e4b3-4303-813b-79fbbcb6530a
                          Filesize

                          10KB

                          MD5

                          aa7f55dcc4015ea67dfb841cd65932bc

                          SHA1

                          7416f4d59ca181d7c23ac1f743b814d3d67aec3e

                          SHA256

                          20b2dea234a2c97b43ece581f29d7bdbb001cda31287232f5674ba8f2e4ffa04

                          SHA512

                          2d194df7b22c131380f321d4f0de9c660bbc7b38bca3c51200f0d55daf5a9ab853f21335a62dbb1716abecce13d82baa00b8e20f27ab7f620ba8ddd2764bf1a3

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\datareporting\glean\pending_pings\2c2b2f9e-f9c0-4656-aa53-392e8bbb6a8d
                          Filesize

                          745B

                          MD5

                          ec05e250e2240123da50eea67f9e17fe

                          SHA1

                          d99f2f07d9b101399bebebdcf707631bb4c3c8e5

                          SHA256

                          9559bbad2f566c67cb57b15b552b6d2e3badb44b45287d489191457ee00694c9

                          SHA512

                          ab8c5a01cf291169dfb9f284aebd6c91ea71c0ec644090437ee07dd8c9b97ef4b70b1c5be50a90dc001e3a770e94ef30d773b7082a2a9e60525f738f56671d8b

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
                          Filesize

                          997KB

                          MD5

                          fe3355639648c417e8307c6d051e3e37

                          SHA1

                          f54602d4b4778da21bc97c7238fc66aa68c8ee34

                          SHA256

                          1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                          SHA512

                          8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
                          Filesize

                          116B

                          MD5

                          3d33cdc0b3d281e67dd52e14435dd04f

                          SHA1

                          4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                          SHA256

                          f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                          SHA512

                          a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
                          Filesize

                          479B

                          MD5

                          49ddb419d96dceb9069018535fb2e2fc

                          SHA1

                          62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                          SHA256

                          2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                          SHA512

                          48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
                          Filesize

                          372B

                          MD5

                          8be33af717bb1b67fbd61c3f4b807e9e

                          SHA1

                          7cf17656d174d951957ff36810e874a134dd49e0

                          SHA256

                          e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                          SHA512

                          6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
                          Filesize

                          11.8MB

                          MD5

                          33bf7b0439480effb9fb212efce87b13

                          SHA1

                          cee50f2745edc6dc291887b6075ca64d716f495a

                          SHA256

                          8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                          SHA512

                          d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
                          Filesize

                          1KB

                          MD5

                          688bed3676d2104e7f17ae1cd2c59404

                          SHA1

                          952b2cdf783ac72fcb98338723e9afd38d47ad8e

                          SHA256

                          33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                          SHA512

                          7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
                          Filesize

                          1KB

                          MD5

                          937326fead5fd401f6cca9118bd9ade9

                          SHA1

                          4526a57d4ae14ed29b37632c72aef3c408189d91

                          SHA256

                          68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                          SHA512

                          b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
                          Filesize

                          7KB

                          MD5

                          3f7e68fe334228307b3ea301d8daedf7

                          SHA1

                          59d1af6275e899b45e76b0e6c8975cc3381cb230

                          SHA256

                          4c2e6f3a7935cdc1843f17edbc92882fc93524702981ebe69c407c1c3442d3e5

                          SHA512

                          be90c01de5661c1de9cd35b0a9d1876d92d4e89e8ce65b9c606982834ff101be4f42266a1d476d9c65eaa285ac990a1aa45b8371f24761943bfa0bff303e23ec

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          d508c1e780a3124000a125d559a0810f

                          SHA1

                          5c8cf533b054fb2aa364bf54cc208a452b320edd

                          SHA256

                          58bb9caaf2c3d5e5d0380776746b700165b54cd1b79c5a21524859baa46b104f

                          SHA512

                          3fd0aaef86eb17775d3a6f5acc3db39cbc2bc6bdaa10407aee38a6f72287d72dd20936659bf43f3d97545dead39dc44e40f815b217b438ed8e2c7bf470bcb0b3

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs-1.js
                          Filesize

                          6KB

                          MD5

                          b43ce841e3a57220e2ad367004f71c69

                          SHA1

                          63ece6d6f960b811bcd37dec87837661c1fc0cf9

                          SHA256

                          27a7ce2b0f8bba90b54d0788a3ac5b367df31ef1510d180895e104ca531b4dd2

                          SHA512

                          495bbaf530bbde1d167e739310a0b63e8e52127b617ac4f4656835a149115762f4e3517c581a873008358f11747d70672da4c9a41d208c568bec788394c27b63

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\prefs.js
                          Filesize

                          6KB

                          MD5

                          a3ef916ff360723049e7824f01bf86db

                          SHA1

                          f2125271d0e85b08a5e275a2db8916bc9ae60ce4

                          SHA256

                          72e8d5e2b1380771f59db84e5dffaccdb50670eaadb026ea062ae3a88e0da82e

                          SHA512

                          59f708a0a25e4b4ae988a6a82731efc9eb0776e8d4648ae49de5ceb1db8bff215020b29d762360ce0a7f9104f5e422dff0fccad79c138e69f4b59e3a683b124c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          1KB

                          MD5

                          19c3b014777d0f8f4b4fd548df3f5ffc

                          SHA1

                          31c1f418bbd9ec7d5d8e76929b40e85d67b888de

                          SHA256

                          83ea736f2d4470c66a8cd138149776d43b319b7ec70ae218b2225a19d7cd970b

                          SHA512

                          de5dea76d102960746216ecb46c428c79f5145d12d831922945ac1004359700e557a070c3b291e1d774f9e2a5ed2100e83301d9e158ec3fd27f6367e34e2124c

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          3KB

                          MD5

                          8b65ae032527ab1b16499601c7233fa8

                          SHA1

                          b95365ca06dbef58f5db55242db2bed871adbf73

                          SHA256

                          abd653ed1be57d8a5b7928a788d51e0691c689f9838aadce371df6721a111021

                          SHA512

                          6843dbaec52aaf3b838bfd2981801c0b38eeb35a9827ee9558dd8702f36975903be522e18c98315f6f6d43aaa9cb693d401e438456e6996fbd10e3cc64fc1724

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\sessionstore-backups\recovery.jsonlz4
                          Filesize

                          4KB

                          MD5

                          65ea50a40fcf5c559c3f1a6859c138e2

                          SHA1

                          2fa9f09d204aaf4b8d4f08e459bce88fb836a55c

                          SHA256

                          97d26e40d0e7f9f989acdf3a53b15e1505d6f3a482dece2ac68c2cc5c93f5cd1

                          SHA512

                          2b0bbb6a808616c14562d0956f5c2566d4d9cf88a7ebc69d4d7ded24b1c6f3ec61aefe7bd92a417a062f4c03aacdd4277028e54bb06a8a94c12155eaf2eb9a37

                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0rowjuc9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                          Filesize

                          184KB

                          MD5

                          a2ffce9200aae731041efd2af9dc9b00

                          SHA1

                          79f47c99dbbfd8f103309538516887265c087adb

                          SHA256

                          c9757e1d7b33333d4306f9e3478f7fbef91b208a7e6a684b38a07b510adc8930

                          SHA512

                          dcfb64d8ca2fc018de57d4662db6ba0195f4c3f9bcc6f570b784571852c2039497adb4b7edf83d6b461ecb68f779242619076903707ee31f891474d552664dfa

                        • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
                          Filesize

                          157B

                          MD5

                          c8f8a078dace2ff4cb106803c9199643

                          SHA1

                          a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5

                          SHA256

                          1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d

                          SHA512

                          efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

                        • C:\portagentbrowserweb\Containerruntime.exe
                          Filesize

                          1.2MB

                          MD5

                          5887a563351ca99247b7e2c448bd9f2e

                          SHA1

                          b24695e88143863297535989900bb7521ea86d67

                          SHA256

                          e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390

                          SHA512

                          b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

                        • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
                          Filesize

                          220B

                          MD5

                          61a07f2f9e8e9b1f5175b2d60c3e3f18

                          SHA1

                          e695b0c2b43c786453bf3f6ae504f0626951d281

                          SHA256

                          5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1

                          SHA512

                          8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

                        • memory/2656-59-0x0000000000DA0000-0x0000000000ED2000-memory.dmp
                          Filesize

                          1.2MB

                        • memory/2708-16-0x00000000002E0000-0x00000000002EC000-memory.dmp
                          Filesize

                          48KB

                        • memory/2708-15-0x00000000004F0000-0x0000000000506000-memory.dmp
                          Filesize

                          88KB

                        • memory/2708-14-0x0000000000240000-0x000000000025C000-memory.dmp
                          Filesize

                          112KB

                        • memory/2708-13-0x0000000000A60000-0x0000000000B92000-memory.dmp
                          Filesize

                          1.2MB