Malware Analysis Report

2024-11-13 15:24

Sample ID 240619-ke6t6a1hkr
Target Redengine Crack.exe
SHA256 2da8c55da46f148005b1b6eb5eaf231091b9f05ce4f73085abea04c242d77af4
Tags
pyinstaller spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

2da8c55da46f148005b1b6eb5eaf231091b9f05ce4f73085abea04c242d77af4

Threat Level: Shows suspicious behavior

The file Redengine Crack.exe shows suspicious behavior. It is a PyInstaller onefile bundle of a Python 3.9 program (python39.dll, base_library.zip and the cp39 .pyd modules extracted to _MEI9682) that ships the pycryptodome cipher modules, sqlite3 and OpenSSL, a toolset consistent with the browser-profile and wallet access and the api.ipify.org lookup recorded in behavioral2. The two Redengine Crack.exe entries in the process lists of behavioral1 and behavioral2 are the PyInstaller bootloader and the child copy of itself it spawns to run the bundled interpreter. Runs behavioral3 and behavioral4 instead executed the extracted main.pyc through cmd /c; the sandbox image has no handler for .pyc, so the shell's Open With path (shell32.dll,OpenAs_RunDLL and OpenWith.exe) and then Firefox were started, and the AdjustPrivilegeToken, SetWindowsHookEx, SendNotifyMessage, GetForegroundWindowSpam, processor-information and WriteProcessMemory signatures in those runs are raised by rundll32.exe, OpenWith.exe and firefox.exe, not by the sample's own code.

Malicious Activity Summary

pyinstaller spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-19 08:31

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
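PyInstaller onefile binaries carry their Python payload as a CArchive appended to the bootloader, terminated by a cookie that begins with the bytes MEI\x0c\x0b\x0a\x0b\x0e; the "Detects Pyinstaller" signature above keys on that structure, and the _MEI9682 files listed under behavioral2 are what the bootloader extracts from it at run time (the _MEI suffix is the bootloader's PID). The following is an added example written for this page, not code from the report, from PyInstaller or from pyinstxtractor: it finds the cookie, walks the table of contents and decompresses each entry. Because the sample's own archive is not available here, build_archive() constructs a small archive on a fake stub; the entry names, their contents and the python39.dll library name in it are made up for the demonstration, and the real archive would be read from the overlay of Redengine Crack.exe.

```python
"""Locate and parse a PyInstaller onefile CArchive (the structure a
"Detects Pyinstaller" signature keys on). Added example: not code from this
report, from PyInstaller or from pyinstxtractor; the archive it parses is
constructed in build_archive() for demonstration."""
import struct
import zlib

# 8-byte cookie magic that PyInstaller writes at the end of the package.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout (PyInstaller >= 2.1), all big-endian: magic, package length,
# TOC offset, TOC length, python version, 64-byte python library name.
COOKIE_FMT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88
# TOC entry header: entry length, data offset, compressed length,
# uncompressed length, compression flag, type code; the name follows.
ENTRY_FMT = "!IIIIcc"
ENTRY_HDR = struct.calcsize(ENTRY_FMT)  # 18


def find_cookie(blob: bytes) -> int:
    """Offset of the trailing cookie, or -1. The bootloader itself contains
    the magic bytes, so the LAST occurrence is the one that matters."""
    return blob.rfind(PYINST_MAGIC)


def is_pyinstaller(blob: bytes) -> bool:
    return find_cookie(blob) != -1


def parse_archive(blob: bytes) -> dict:
    """Return python version, pylib name and the decoded TOC entries."""
    cookie_pos = find_cookie(blob)
    if cookie_pos == -1:
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, blob, cookie_pos)
    # pkg_len spans from the archive start through the end of the cookie,
    # so the start is measured backwards from the end of the cookie.
    archive_start = cookie_pos + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        raise ValueError("corrupt cookie: package length exceeds file")
    entries = []
    off = archive_start + toc_pos
    end = off + toc_len
    while off < end:
        entry_len, pos, clen, ulen, cflag, typ = struct.unpack_from(ENTRY_FMT, blob, off)
        name = blob[off + ENTRY_HDR: off + entry_len].split(b"\0", 1)[0].decode()
        raw = blob[archive_start + pos: archive_start + pos + clen]
        data = zlib.decompress(raw) if cflag == b"\x01" else raw
        if len(data) != ulen:
            raise ValueError(f"length mismatch for entry {name!r}")
        # Type codes: 's' script, 'm' module, 'z' PYZ archive, 'b' binary, 'x' data.
        entries.append({"name": name, "type": typ.decode(), "data": data})
        off += entry_len
    # Recent PyInstaller stores major*100+minor (309 for 3.9); older builds
    # used major*10+minor, which the second branch handles.
    if pyvers >= 100:
        version = f"{pyvers // 100}.{pyvers % 100}"
    else:
        version = f"{pyvers // 10}.{pyvers % 10}"
    return {"python": version, "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def build_archive(entries, pyvers=309, pylib=b"python39.dll",
                  stub=b"MZ" + b"\x90" * 64) -> bytes:
    """Constructed onefile-style archive appended to a fake bootloader stub.
    entries: iterable of (name, type_code, data, compress)."""
    body, toc = b"", b""
    for name, typ, data, compress in entries:
        raw = zlib.compress(data) if compress else data
        nm = name.encode() + b"\0"
        entry_len = ENTRY_HDR + len(nm)
        pad = (-entry_len) % 16  # PyInstaller pads TOC entries to 16 bytes
        toc += struct.pack(ENTRY_FMT, entry_len + pad, len(body), len(raw), len(data),
                           b"\x01" if compress else b"\x00", typ.encode()) + nm + b"\0" * pad
        body += raw
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, len(body), len(toc), pyvers, pylib)
    return stub + body + toc + cookie


if __name__ == "__main__":
    sample = build_archive([("main", "s", b"print('hello')", True),
                            ("python39.dll", "b", b"MZ\x90fake-dll", False)])
    info = parse_archive(sample)
    print(info["python"], info["pylib"], [(e["name"], e["type"]) for e in info["entries"]])
```

Script entries (type 's', such as a bundle's main entry) are stored as a raw marshalled code object without the .pyc header; a header for the matching interpreter version (3.9 here, per python39.dll) has to be prepended before a decompiler will accept it, and the main.pyc handed to behavioral3 and behavioral4 is presumably such a reconstructed file. 'z' entries are nested PYZ archives with their own table of contents and are not unpacked by this parser.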

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 08:31

Reported

2024-06-19 08:34

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

Signatures

N/A (no behavioral signatures fired on this run; only python39.dll appears under Files and no network activity was recorded, which is consistent with the bundled CPython 3.9 interpreter failing to start on Windows 7, a platform that Python version does not support, so this run shows none of the stealer activity seen on Windows 10 in behavioral2)

Processes

C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI9442\python39.dll

MD5 2135da9f78a8ef80850fa582df2c7239
SHA1 aac6ad3054de6566851cae75215bdeda607821c4
SHA256 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3
SHA512 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 08:31

Reported

2024-06-19 08:34

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe N/A (43 identical events)

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Redengine Crack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.gofile.io udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 api.ipify.org udp
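Behavioral2 resolved api.ipify.org (external IP lookup) and api.gofile.io (an anonymous file-hosting API) within the same detonation, and the signature table attributes neither lookup to a process. An IP-lookup service followed shortly by a file-share upload API from one non-browser process is a common stealer pattern and a reasonable thing to detect on. The following added example, not from the report or from any vendor product, correlates per-process DNS telemetry to raise that alert; the log format (Sysmon Event ID 22-like lines with pid, image and query) and every line in SAMPLE_LOG are constructed for the example, including the attribution to PID 9682, which is taken from the _MEI9682 directory name rather than from anything the report shows.

```python
"""Correlate per-process DNS queries into a stealer-style alert: an external
IP lookup service and a file-sharing upload API resolved by the same
non-browser process inside a short window. Added example; the telemetry
format and the log lines are constructed, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IP_LOOKUP = {"api.ipify.org", "ipinfo.io", "ifconfig.me", "ip-api.com"}
FILE_SHARE = {"api.gofile.io", "api.anonfiles.com", "transfer.sh"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
WINDOW = timedelta(seconds=60)

# Constructed, Sysmon-Event-22-like lines (pid/image/query per lookup). The
# report only gives domains with Process N/A, so per-process attribution is assumed.
SAMPLE_LOG = """\
2024-06-19T08:32:01Z pid=9682 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\Redengine Crack.exe query=api.ipify.org
2024-06-19T08:32:02Z pid=9682 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\Redengine Crack.exe query=api.ipify.org
2024-06-19T08:32:09Z pid=9682 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\Redengine Crack.exe query=api.gofile.io
2024-06-19T08:33:00Z pid=5080 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=api.ipify.org
2024-06-19T08:33:05Z pid=5080 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=api.gofile.io
2024-06-19T08:40:00Z pid=4444 image=C:\\Tools\\backup.exe query=api.gofile.io
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) query=(?P<query>\S+)$")


def parse_events(text: str) -> list:
    """Parse lines into (timestamp, pid, image, query); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, int(m["pid"]), m["image"], m["query"].lower().rstrip(".")))
    return events


def detect(events, window: timedelta = WINDOW) -> list:
    """One alert per process that resolved an IP-lookup host and a file-share
    host within `window` of each other. Browsers are skipped because they hit
    both categories legitimately; tune that allow-list per environment."""
    by_proc = defaultdict(list)
    for ts, pid, image, query in events:
        by_proc[(pid, image)].append((ts, query))
    alerts = []
    for (pid, image), queries in by_proc.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in BROWSERS:
            continue
        queries.sort()
        lookups = [(t, q) for t, q in queries if q in IP_LOOKUP]
        shares = [(t, q) for t, q in queries if q in FILE_SHARE]
        # First lookup/share pair that falls inside the window, if any.
        hit = next(((t1, q1, t2, q2) for t1, q1 in lookups for t2, q2 in shares
                    if abs(t2 - t1) <= window), None)
        if hit:
            t1, q1, t2, q2 = hit
            alerts.append({"pid": pid, "image": image, "ip_lookup": q1,
                           "file_share": q2, "delta_s": abs((t2 - t1).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed input only PID 9682 alerts: Firefox is excluded by the allow-list and backup.exe resolved gofile.io without any IP-lookup host. Neither domain is an indicator on its own, since both services have legitimate users; the signal is the pairing within the window from a process that is not a browser.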

Files

C:\Users\Admin\AppData\Local\Temp\_MEI9682\python39.dll

MD5 2135da9f78a8ef80850fa582df2c7239
SHA1 aac6ad3054de6566851cae75215bdeda607821c4
SHA256 324963a39b8fd045ff634bb3271508dab5098b4d99e85e7648d0b47c32dc85c3
SHA512 423b03990d6aa9375ce10e6b62ffdb7e1e2f20a62d248aac822eb9d973ae2bf35deddd2550a4a0e17c51ad9f1e4f86443ca8f94050e0986daa345d30181a2369

C:\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

C:\Users\Admin\AppData\Local\Temp\_MEI9682\base_library.zip

MD5 b8ed4da65fcd99bfa0ebc1e05c117368
SHA1 9d822e68363ffd59d4e5b3af6a4f27f5a89d35e5
SHA256 da7b254387c376f8dd50db6c88b9e5a801aacfc7e577e34197ebac8fb990ce70
SHA512 d9dcbbf1e4f3e6837deca1030fc0b8b45513230ed11f60c7dfada87842f9c1ded53c6f8678ed8bc47d22c98805cd95fe3c27549a7069d04833ed32977456ba19

C:\Users\Admin\AppData\Local\Temp\_MEI9682\python3.DLL

MD5 4a776941c0aa723c50223cb1a19e6d02
SHA1 08e4cdf06f3b9ee5f9d5c865b49c808d20938583
SHA256 5a2f39ed041d35bb48e89c72c1ad16a5a24a3674f8eb34bfbc6310fd75128f16
SHA512 0319030bd2b51bf605c8ef4324eacf3a1f2e2315c92bc0cfc8e9eb7df72038f6c377b9537fec16470363499e6e0dbb7ca164169ae43601294310f84e53a06881

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_ctypes.pyd

MD5 a1e9b3cc6b942251568e59fd3c342205
SHA1 3c5aaa6d011b04250f16986b3422f87a60326834
SHA256 a8703f949c9520b76cb1875d1176a23a2b3ef1d652d6dfac6e1de46dc08b2aa3
SHA512 2015b2ae1b17afc0f28c4af9cedf7d0b6219c4c257dd0c89328e5bd3eee35e2df63ef4fccb3ee38e7e65f01233d7b97fc363c0eae0cfa7754612c80564360d6f

C:\Users\Admin\AppData\Local\Temp\_MEI9682\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_socket.pyd

MD5 cd56f508e7c305d4bfdeb820ecf3a323
SHA1 711c499bcf780611a815afa7374358bbfd22fcc9
SHA256 9e97b782b55400e5a914171817714bbbc713c0a396e30496c645fc82835e4b34
SHA512 e937c322c78e40947c70413404beba52d3425945b75255590dedf84ee429f685e0e5bc86ad468044925fbc59cf7ec8698a5472dd4f05b4363da30de04f9609a5

C:\Users\Admin\AppData\Local\Temp\_MEI9682\select.pyd

MD5 35bb285678b249770dda3f8a15724593
SHA1 a91031d56097a4cbf800a6960e229e689ba63099
SHA256 71ed480da28968a7fd07934e222ae87d943677468936fd419803280d0cad07f3
SHA512 956759742b4b47609a57273b1ea7489ce39e29ebced702245a9665bb0479ba7d42c053e40c6dc446d5b0f95f8cc3f2267af56ccaaaf06e6875c94d4e3f3b6094

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_bz2.pyd

MD5 b024a6f227eafa8d43edfc1a560fe651
SHA1 92451be6a2a6bfc4a8de8ad3559ba4a25d409f2e
SHA256 c0dd9496b19ba9536a78a43a97704e7d4bef3c901d196ed385e771366682819d
SHA512 b9edb6d0f1472dd01969e6f160b41c1e7e935d4eebcaf08554195eb85d91c19ff1bfbc150773f197462e582c6d31f12bd0304f636eb4f189ed3ed976824b283e

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_lzma.pyd

MD5 77b78b43d58fe7ce9eb2fbb1420889fa
SHA1 de55ce88854e314697fa54703a2cd6cc970f3111
SHA256 6e571d93ce55d09583ec91c607883a43c1da3d4d36794d68c6ecd6bea4ab466a
SHA512 7b03b7d3f2fd9b51391de08e69ca9156a0232b56f210878a488b9d5a19492ab5880f45d9407331360fbe543a52c03d68f68da4387bf6a13b20ec903a7b081846

C:\Users\Admin\AppData\Local\Temp\_MEI9682\pyexpat.pyd

MD5 3ee5ec36b631c2352cd8bd2e4b58b37f
SHA1 d6ddab5eb14226fea6e5212382b5dd39aa50df97
SHA256 f32af8a21c016702647a83661eb4460bac7c791754cb1faaf1c4d096a94cd7cb
SHA512 873f72bc481bf6c55cdd00e97ea0e5946f466790f3319374b1c15772d4abdc7f394defd2cb130323fff2169380b0cda7319bb2b19f87ed5dfa479635f4b21317

C:\Users\Admin\AppData\Local\Temp\_MEI9682\win32api.pyd

MD5 30d431bdd2419b1c59f22c0ab790ab88
SHA1 fe4c07f5e77806e5f0f5f90762849818eb4d29d1
SHA256 0813e92197b04508363d93f3fc2065e962baab44f8a2c18c6297e1fb348cc679
SHA512 d5c8e362c5be1decffb7960b0169e18641816ada783e0ec5a3c909c163bf1aa8878d6e7d7efb0258a0f1a031ac8e71c084d7220347b85b07412d6717f3b5ff58

C:\Users\Admin\AppData\Local\Temp\_MEI9682\pywintypes39.dll

MD5 f0c9ae2851bdadd218d864430281b576
SHA1 b7fb397f1c9cd07c81c7ae794b2af794c918746f
SHA256 15ff353b873b58c7a8af42d94462aa4cb4ea03c10673a87a0d7f2c42b7ec60c0
SHA512 915aa0121265b11d6ab58643fb1e4d867e3c49608dd5c8842364d4ed913f4742b4c4d54b21526ea62d7d48598b02c613f1ab39a4a071e403d4cc6fe68f839b7e

C:\Users\Admin\AppData\Local\Temp\_MEI9682\pythoncom39.dll

MD5 f7248c0bf2538a832f06bf5735badd88
SHA1 301b9c6803781c9cf63414862d8ed8c64c1d5316
SHA256 86be43773e1b863cc2e87c980ae9fd8291eff3d82dd4136491b8f95b2dbf868f
SHA512 abc5ee57598cdbff3091d77f2f00bd7b69235b48810ba8946ffeed039b7aa03a7d49db2e21b01b6d0753b1dcb7ac5a29d56732451d2c739b5c47fe299a99c765

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_sqlite3.pyd

MD5 d7dce668e11c61245f91e723db68b134
SHA1 0edd1d7783b6be460e9a5c02aaec971bb4aa25af
SHA256 e8cd83af8716df93b761ffaa01949d57e2551804c3bab679d81ac72534490a1d
SHA512 ace805042be4130329bafbe29d44a5c80a3746abdfc1ab63016f8e0dba97f4d02b30dd4dc29cb658f5757215bd132e8acc34a5842f955a0c45c1837b916319e4

C:\Users\Admin\AppData\Local\Temp\_MEI9682\sqlite3.dll

MD5 1d234679a3e6e068b741b83eebc3adb2
SHA1 e63c5b5ee813a73585ecf5e4425cf3fe52e1294c
SHA256 5a4fc3957bc5f007b6c3a2df66c8286fe65ae74827a233f0df2e9679dc7ad39f
SHA512 a085613067482b4544bddcdceef56f5fb46322ddb4490b1034f2fdacbe2a3dcc3721e645941d89dbb9110cd5630cab0cc4cc1573946e5667d6c6c07ffce341cd

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_hashlib.pyd

MD5 69dc506cf2fa3da9d0caba05fca6a35d
SHA1 33b24abb7b1d68d3b0315be7f8f49de50c9bdcb6
SHA256 c5b8c4582e201fef2d8cb2c8672d07b86dec31afb4a17b758dbfb2cff163b12f
SHA512 0009ec88134e25325a47b8b358da0fed8bb34fe80602e08a60686f6029b80f4287d33adb66ef41435d11d6edff86a88916f776eeaf2d1cb72035783f109ca1ff

C:\Users\Admin\AppData\Local\Temp\_MEI9682\libcrypto-1_1.dll

MD5 ab01c808bed8164133e5279595437d3d
SHA1 0f512756a8db22576ec2e20cf0cafec7786fb12b
SHA256 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55
SHA512 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_ssl.pyd

MD5 70014e88ecf3133b7be097536f77b459
SHA1 5d75675bb35ba6fae774937789491e051e62a252
SHA256 d318795c98c5f3c127c8e47220a92acba0736daf31bab0dc9c7e6c3513bb2aa3
SHA512 aa59b32c9164afca1b799e389c7087e95eeaa543790b6f590f9e30aa13b7fdb8cc83d0ef6351f0b578a4da636f4ca1e6dfe4558dcf3a813b744a80f7392aa462

C:\Users\Admin\AppData\Local\Temp\_MEI9682\libssl-1_1.dll

MD5 de72697933d7673279fb85fd48d1a4dd
SHA1 085fd4c6fb6d89ffcc9b2741947b74f0766fc383
SHA256 ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f
SHA512 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_brotli.cp39-win_amd64.pyd

MD5 2c7528407abfd7c6ef08f7bcf2e88e21
SHA1 ee855c0cde407f9a26a9720419bf91d7f1f283a7
SHA256 093ab305d9780373c3c7d04d19244f5e48c48e71958963ceca6211d5017a4441
SHA512 93e7c12a6038778fcda30734d933b869f93e3b041bb6940852404641a599fe9c8ee1168a2e99dcfb624f84c306aff99757d17570febabc259908c8f6cda4dbea

C:\Users\Admin\AppData\Local\Temp\_MEI9682\VCRUNTIME140_1.dll

MD5 135359d350f72ad4bf716b764d39e749
SHA1 2e59d9bbcce356f0fece56c9c4917a5cacec63d7
SHA256 34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32
SHA512 cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_queue.pyd

MD5 328e41b501a51b58644c7c6930b03234
SHA1 bc09f8b62fec750a48bafd9db3494d2f30f7bd54
SHA256 2782cf3c04801ede65011be282e99cd34d163b2b2b2333fd3147b33f7d5e72ab
SHA512 c6e6e6bca0e9c4e84f7c07541995a7ee4960da095329f69120ba631c3c3e07c0441cf2612d9dcc3d062c779aec7d4e6a00f71f57cc32e2a980a1e3574b67d248

C:\Users\Admin\AppData\Local\Temp\_MEI9682\unicodedata.pyd

MD5 3ba2a20dda6d1b4670767455bbe32870
SHA1 7c98221bc6ed763030087b1f33fb83eac2823ea4
SHA256 3a0987025f1cf2111dc6e4f59402073ba123d7436d809ee4198b4e7bfb8cb868
SHA512 0688f8af3359a8571bef2a89efabc2dbf26f3f5c6220932a4e7df2e33fac95cafee8b80796346ba698e6bf43630b8069f56538b95a8ff62ec21d629787ca5cd1

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_cbc.pyd

MD5 0d0450292a5cf48171411cc8bfbbf0f7
SHA1 5de70c8bab7003bbd4fdcadb5c0736b9e6d0014c
SHA256 cb3ce4f65c9e18be6cbb504d79b594b51f38916e390dad73de4177fe88ce9c37
SHA512 ba6bbcc394e07fe09bb3a25e4aae9c4286516317d0b71d090b91aaec87fc10f61a4701aa45bc74cb216fff1e4ad881f62eb94d4ee2a3a9c8f04a954221b81d3a

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Hash\_BLAKE2s.pyd

MD5 96789921c688108cac213fadb4ff2930
SHA1 d017053a25549ebff35ec548e76fc79f778d0b09
SHA256 7e4b78275516aa6bdea350940df89c0c94fd0ee70ab3f6a9bac6550783a96cad
SHA512 61a037b5f7787bb2507f1d2d78a31cf26a9472501fb959585608d8652af6f665922b827d45979711861803102a07d4a2148e9be70ab7033ece9e0484fe110fdf

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Util\_strxor.pyd

MD5 8070eb2be9841525034a508cf16a6fd6
SHA1 84df6bceba52751f22841b1169d7cd090a4bb0c6
SHA256 ee59933eba41bca29b66af9421ba53ffc90223ac88ccd35056503af52a2813fe
SHA512 33c5f4623a2e5afe404056b92556fdbaf2419d7b7728416d3368d760ddfde44a2739f551de26fa443d59294b8726a05a77733fee66abc3547073d85f2d4ebeee

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ctr.pyd

MD5 8f385dbacd6c787926ab370c59d8bba2
SHA1 953bad3e9121577fab4187311cb473d237f6cba3
SHA256 ddf0b165c1c4eff98c4ac11e08c7beadcdd8cc76f495980a21df85ba4368762a
SHA512 973b80559f238f6b0a83cd00a2870e909a0d34b3df1e6bb4d47d09395c4503ea8112fb25115232c7658e5de360b258b6612373a96e6a23cde098b60fe5579c1c

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ofb.pyd

MD5 b894480d74efb92a7820f0ec1fc70557
SHA1 07eaf9f40f4fce9babe04f537ff9a4287ec69176
SHA256 cdff737d7239fe4f39d76683d931c970a8550c27c3f7162574f2573aee755952
SHA512 498d31f040599fe3e4cfd9f586fc2fee7a056635e9c8fd995b418d6263d21f1708f891c60be09c08ccf01f7915e276aafb7abb84554280d11b25da4bdf3f3a75

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_cfb.pyd

MD5 0f4d8993f0d2bd829fea19a1074e9ce7
SHA1 4dfe8107d09e4d725bb887dc146b612b19818abf
SHA256 6ca8711c8095bbc475d84f81fc8dfff7cd722ffe98e0c5430631ae067913a11f
SHA512 1e6f4bc9c682654bd18e1fc4bd26b1e3757c9f89dc5d0764b2e6c45db079af184875d7d3039161ea93d375e67f33e4fb48dcb63eae0c4ee3f98f1d2f7002b103

C:\Users\Admin\AppData\Local\Temp\_MEI9682\Crypto\Cipher\_raw_ecb.pyd

MD5 ade53f8427f55435a110f3b5379bdde1
SHA1 90bdafccfab8b47450f8226b675e6a85c5b4fcce
SHA256 55cf117455aa2059367d89e508f5e2ad459545f38d01e8e7b7b0484897408980
SHA512 2856d4c1bbdd8d37c419c5df917a9cc158c79d7f2ee68782c23fb615d719d8fe61aaa1b5f5207f80c31dc381cd6d8c9dabd450dbc0c774ff8e0a95337fda18bd

C:\Users\Admin\AppData\Local\Temp\_MEI9682\_cffi_backend.cp39-win_amd64.pyd

MD5 3d48e9bc9a3b68e816e1d0be284f2d3f
SHA1 410921af4383bdc898df691ea39e3e9f558c3d85
SHA256 88451f322707b22c43b36796c3711bace64f50ef7b22c94fbf29a04a2838e533
SHA512 829c0e0458f927ffd8e60194c5ef75c9e4f9da86d3fa7d7184715a869a2765b5e3a0d4263ab9acbbdb752f451acc87eb5a7b1d63712c67e21fcef8c228da3db3

C:\Users\Admin\AppData\Local\Temp\_MEI9682\MSVCP140.dll

MD5 0929e46b1020b372956f204f85e48ed6
SHA1 9dc01cf3892406727c8dc7d12ad8855871c9ef09
SHA256 cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8
SHA512 dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 08:31

Reported

2024-06-19 08:34

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 08:31

Reported

2024-06-19 08:34

Platform

win10v2004-20240508-en

Max time kernel

39s

Max time network

49s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 3000 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical events)
PID 3000 wrote to memory of 5080 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical events)
PID 5080 wrote to memory of 4700 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (43 identical events)
PID 5080 wrote to memory of 888 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (8 identical events)

Uses Task Scheduler COM API

persistence

The only processes in this run are cmd.exe, OpenWith.exe and firefox.exe (see Processes), so this hit most plausibly comes from Firefox registering its own scheduled task on first launch rather than from the sample; check which process issued the ITaskService calls before counting it as persistence by main.pyc.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\main.pyc"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.0.175930248\606289859" -parentBuildID 20230214051806 -prefsHandle 1516 -prefMapHandle 1628 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81601c06-9ea8-4213-9012-5cc498ccae7d} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 1868 1918fb1b458 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.1.591623885\1787329886" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1bda24-7574-4d14-8e6f-94ca819fd2a7} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 2460 19182e89f58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.2.1525332128\196471007" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64779985-5749-4abf-a50f-162ead5973b1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3028 19192b3bd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.3.832410238\1064702155" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3612 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {815434d8-d69f-474c-a0f1-40ff707247c4} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3628 191940b7d58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.4.933535042\1532473098" -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5256 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c70236a6-67c6-446e-ab11-90760968900b} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5248 191965f9858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.5.2022296737\1315378059" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40016975-cf90-4d69-b4ce-5fa587f9cd64} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5400 191965f7a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.6.1398723293\1030077222" -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5596 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49b2d88a-8e0c-4103-862e-e955f658f037} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 5580 191965f8058 tab

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding
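The process list above is flat, but the command lines encode the tree and the launch chain: cmd /c was asked to run main.pyc, the .pyc extension evidently had no handler, Windows raised the Open With dialog (OpenWith.exe -Embedding), and Firefox was chosen, which is why firefox.exe starts with -osint -url pointing at a local file. Each -contentproc child then names its parent PID in --channel="<ppid>.<n>..." and carries its role (gpu, socket, tab) as the last argument. The parser below is an added example, not code from the report or from the sandbox vendor; it runs over a constructed copy of four of the entries above (the remaining tab children follow the same pattern). The flag names it keys on are Firefox's own; the function and dataclass names are mine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: entries copied from the Processes list above (the shell
# chain, the parent launch, and the gpu, socket and first tab children).
SANDBOX_CMDLINES = [
    r'cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc',
    r'C:\Windows\system32\OpenWith.exe -Embedding',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\main.pyc"',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.0.175930248\606289859" -parentBuildID 20230214051806 -prefsHandle 1516 -prefMapHandle 1628 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81601c06-9ea8-4213-9012-5cc498ccae7d} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 1868 1918fb1b458 gpu',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.1.591623885\1787329886" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2444 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c1bda24-7574-4d14-8e6f-94ca819fd2a7} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 2460 19182e89f58 socket',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5080.2.1525332128\196471007" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 23198 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64779985-5749-4abf-a50f-162ead5973b1} 5080 "\\.\pipe\gecko-crash-server-pipe.5080" 3028 19192b3bd58 tab',
]

CHANNEL_RE = re.compile(r'^--channel="?(\d+)\.(\d+)\.')  # "<parent pid>.<child index>.<...>"
LOCAL_PATH_RE = re.compile(r'^[A-Za-z]:\\')              # drive-letter path, not a URL


@dataclass
class FirefoxProc:
    image: str
    role: str                   # "parent", or the child role: gpu / socket / tab / ...
    parent_pid: Optional[int]   # taken from --channel; None for the parent itself
    child_index: Optional[int]
    opened: Optional[str]       # argument of -url, if any
    shell_launch: bool          # -osint: started by the shell as a file/URL handler
    win32k_lockdown: bool       # -win32kLockedDown present on the child


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_firefox(cmdline: str) -> Optional[FirefoxProc]:
    """Return a FirefoxProc for firefox.exe command lines, None for anything else."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("firefox.exe"):
        return None
    image, args = toks[0], toks[1:]
    if "-contentproc" in args:
        ppid = idx = None
        for t in args:
            m = CHANNEL_RE.match(t)
            if m:
                ppid, idx = int(m.group(1)), int(m.group(2))
                break
        # Firefox puts the child's role last on the command line.
        return FirefoxProc(image, args[-1], ppid, idx, None, False,
                           "-win32kLockedDown" in args)
    opened = None
    if "-url" in args and args.index("-url") + 1 < len(args):
        opened = args[args.index("-url") + 1]
    return FirefoxProc(image, "parent", None, None, opened, "-osint" in args, False)


def parse_all(cmdlines: list[str]) -> list[FirefoxProc]:
    return [p for p in map(parse_firefox, cmdlines) if p is not None]


def local_files_opened(cmdlines: list[str]) -> set[str]:
    """Local files Firefox was told to open: document launches, not browsing."""
    return {p.opened for p in parse_all(cmdlines)
            if p.opened and LOCAL_PATH_RE.match(p.opened)}


def launchers_for(path: str, cmdlines: list[str]) -> list[str]:
    """Non-Firefox command lines that reference the same path (the start of the chain)."""
    return [c for c in cmdlines
            if path.lower() in c.lower()
            and not tokenize(c)[0].lower().endswith("firefox.exe")]


def unlocked_children(cmdlines: list[str]) -> list[str]:
    """Child roles running without win32k lockdown (the GPU process legitimately needs win32k)."""
    return [p.role for p in parse_all(cmdlines)
            if p.parent_pid is not None and not p.win32k_lockdown]


if __name__ == "__main__":
    for p in parse_all(SANDBOX_CMDLINES):
        print(f"{p.role:7s} parent={p.parent_pid} idx={p.child_index} "
              f"shell_launch={p.shell_launch} opened={p.opened}")
    for f in local_files_opened(SANDBOX_CMDLINES):
        print(f"{f} opened as a document; launched by: {launchers_for(f, SANDBOX_CMDLINES)}")
    print("children without win32k lockdown:", unlocked_children(SANDBOX_CMDLINES))
```

Run as a script it prints one line per Firefox process with its recovered parent PID and role, then the local file that was opened as a document together with the cmd /c line that started the chain. The practical point is the last output: a .pyc handed to a browser through Open With is a sandbox detonation artefact, and everything that follows in this run is browser behaviour rather than the sample's.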

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:53058 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 127.0.0.1:53066 tcp
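Every row above is either a DNS query to 8.8.8.8:53 for a Mozilla or Pocket service that Firefox contacts on its own at startup, a reverse lookup of the resolver, or a loopback TCP socket with no name; nothing here is attributable to main.pyc. The filter below is an added example, not part of the report, showing the baseline suppression an analyst applies before reading a sandbox network table: it parses a constructed copy of the rows above (plus one made-up row, using a documentation address and a reserved TLD, to show what a non-baseline destination looks like) and leaves only the destinations that need attention. The Mozilla/Pocket allowlist, the bucket names and the function names are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed input: the Network table above, one row per line, copied as printed
# (rows with no resolved domain have only three columns).
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:53058 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 127.0.0.1:53066 tcp
"""

# Made-up row that is NOT in the report (documentation address, reserved TLD),
# used only to show what lands in the 'review' bucket.
EXTRA_ROW = "US 203.0.113.5:443 example.invalid tcp\n"

# Assumed analyst baseline: registrable domains Firefox contacts on its own at
# startup (remote settings, push, Pocket/new-tab content, tracking-protection lists).
FIREFOX_BASELINE = {"mozilla.com", "mozilla.net", "getpocket.com"}


@dataclass
class NetRow:
    country: str
    dest_ip: str
    dest_port: int
    domain: Optional[str]
    proto: str


def parse_row(line: str) -> NetRow:
    """Parse one 'Country Destination Domain Proto' row; Domain may be absent."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:            # bare socket row, no Domain column
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return NetRow(country, ip, int(port), domain, proto)


def registrable(domain: str) -> str:
    # Last two labels: fine for the TLDs in this report, wrong for co.uk-style
    # suffixes; real tooling should use a public-suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def classify(row: NetRow) -> str:
    if row.domain is None:
        return "loopback" if row.dest_ip.startswith("127.") else "no-domain"
    if row.domain.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if registrable(row.domain) in FIREFOX_BASELINE:
        return "browser-baseline"
    return "review"


def triage(table: str) -> dict[str, list[str]]:
    """Bucket every row; the 'review' bucket is what the analyst actually reads."""
    buckets: dict[str, list[str]] = {}
    for line in table.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        buckets.setdefault(classify(row), []).append(
            row.domain or f"{row.dest_ip}:{row.dest_port}")
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(NETWORK_ROWS + EXTRA_ROW).items():
        print(f"{bucket:16s} {items}")
```

On the report's own rows the review bucket is empty, which is the finding: this detonation produced browser background traffic and nothing else. The loopback rows are kept in their own bucket rather than dropped because a sample that proxies through localhost would show up there.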

Files

C:\Users\Admin\Downloads\0zYpGHMf.pyc.part

MD5 e6238cb9a3b60dd096638f4f2d5ba762
SHA1 73cce38064ec658e98a15493da495a7ac0af1449
SHA256 7ed0bc63c96f84a177873bf9f772d175481dbb0e8cf30a62384ee0a707e2b005
SHA512 a46309d6353904cb31d8aad90d8ab7950cc38b566abd99e0f28939f776d4cbe7cebba19e55b3507b02820de73687e588e34cc16108c844413d86cfcef62d85bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\prefs-1.js

MD5 c0d3337c597423c3286d4b9431a8cca1
SHA1 af7fcc6412a027b15d272cd6d973767dd1bc3029
SHA256 36338b4324e905b45fb28396ebab899adabd4fb288249291c490a2e69012c645
SHA512 62fbe24ab4692182c201a0aae7dfab428225ae258bca05e9b6c540634d12526d5d413c1daebdf33760abd2ea36a4f63fc946d4d7dd3a362742fc9eb188f51b0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\sessionstore.jsonlz4

MD5 b62cdc62f2741e88dee8af2e4fc19c36
SHA1 88694206fa7e8a196e7044baa9c948e7f9367961
SHA256 1cbec10bf19a39c9f07cfc642d1a869f0652de433ceb63cb54a1bb7ab3c25bb8
SHA512 029c0e2a2ae7dca5d5ca2ef3d51570803fa0d4f4952f3e81dda2df7fd07a4960213896b6cc8b6e2364e4aed604bc967addf76a1a2ec954e92c96bcc9554a3aa2

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ue3bcu6m.default-release\activity-stream.discovery_stream.json.tmp

MD5 90d898b4f4b2dc1229f31bcf4a572e96
SHA1 32809ba0c5a29e001893eddaa13f00fc5652d631
SHA256 a2291c7ca3db217880d0c0843744db7a0e0390e531b5b1262d0c08bbb086be51
SHA512 f94f436f204cd241bed58ed0dd077097937e82ed429b50f45a1ad66afdaa3c4b6fca64e328a11ca53c41ca2a19c388a844ab94c2552b7b6b4f8cba5d3a872347