sodinokibi | e353e8f5ec0090319aca71c252fb4b860bcab40771c89d66ce217de11a9f41c5

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
03-11-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll
Size

789KB
MD5

a47cf00aedf769d60d58bfe00c0b5421
SHA1

656c4d285ea518d90c1b669b79af475db31e30b1
SHA256

8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd
SHA512

4c2dcad3bd478fa70d086b7426d55976caa7ffc3d120c9c805cbb49eae910123c496bf2356066afcacba12ba05c963bbb8d95ed7f548479c90fec57aa16e4637
SSDEEP

12288:KXnKcEqGM00LJdqoHuDWeij0XukcWl9e56+5gD6QRqb/kYxFNFsX3ArTjvJjx0u:YETDWX4XukZeVL/kYx9P/JY6gfjcs

Score

10^/10

sodinokibi $2a$12$prox/4ekl8zrpgsc5lnhpecevs5nockouw5r3s4jjydnzzsghvbkq 8254 discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Family

sodinokibi

Botnet

$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq

Campaign

8254

Decoy

boisehosting.net

fotoideaymedia.es

dubnew.com

stallbyggen.se

koken-voor-baby.nl

juneauopioidworkgroup.org

vancouver-print.ca

zewatchers.com

bouquet-de-roses.com

seevilla-dr-sturm.at

olejack.ru

i-trust.dk

wasmachtmeinfonds.at

appsformacpc.com

friendsandbrgrs.com

thenewrejuveme.com

xn--singlebrsen-vergleich-nec.com

sabel-bf.com

seminoc.com

ceres.org.au

Attributes

net
false
pid
$2a$12$prOX/4eKl8zrpGSC5lnHPecevs5NOckOUW5r3s4JJYDnZZSghvBkq
prc
encsvc

powerpnt

ocssd

steam

isqlplussvc

outlook

sql

ocomm

agntsvc

mspub

onenote

winword

thebat

excel

mydesktopqos

ocautoupds

thunderbird

synctime

infopath

mydesktopservice

firefox

oracle

sqbcoreservice

dbeng50

tbirdconfig

msaccess

visio

dbsnmp

wordpad

xfssvccon
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
8254
svc
veeam

memtas

sql

backup

vss

sophos

svc$

mepocs

Extracted

Path

C:\Users\utubdci9h1-readme.txt

Ransom Note

---=== Welcome. Again. ===--- [-] Whats HapPen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension utubdci9h1. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2DCEF4A099E6FD0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decoder.re/B2DCEF4A099E6FD0 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: GtAys0vVqBeGrckWmBuUlG1TQWzawBl+tj9GQCTu3ciHf39zbWcuEj4rtzezQ0jp OTtGEq5mqQhmjQ1dXo8vMG+Cz+CmLbEgja9zsQ24oqKKuIlx1DjBkKfW50bEed9a J2ExxaX6EW3ydIrvic2NPBD/1yeEXz1+vZHABQYvLZtkbs4I5zHacrfCCnpi6ngH JPTwQlYwG98bBeSzLZ398rV5etHs30Bx1JL2SHublYK2Ngw+U9QTrLgms67B5/Ay tFMjT9CZla59EwKgV6N5p992VnDdWUpUnsxvvmyNtYPek71oq9Q3VKwWnX6c6ur/ 5FMnB9Air0Qo1XZSJzlEc+OXwrSp6fZjNRrrFpV12uvHSfPhPdakLfWIwpOs77ow z79JOOifx3tpPbwfzmvdqVQ26hQPtmzx5yeXEhIDKNnGEAXkQTdsFktgKfZ5D/U4 X+mgEgGm6BiR0tbFvbNi+IQW1dqV/yQM5urZvMKFsHMCDGcJ7Rx0O98qr03vYW5s 0qOTItmLj01PjyAqVs3jexNAt63fMYi22Ur8Hyfq2YbcHmrJFRB4/7VThEBgSgvk YaxnLKcYq6RPP8hTJeHpWuCSY8qSzcVvyuOvJaZ3SRZy+ZvGOiMHYKzwNS7gmaCh kxeSvO59g+GucS6FfOdas/gR3FX+TOTjq2khXywX8rN+eE6AGdT72x7/9AylOyu7 uZ1pEO5JqxMNUVY0uee+FUXvGZ7M7ROIDzyoFUo5X4qqx6scBCDy89D+blaxSqj1 /YpLxmM0aBD73X1bQgpP9YhFohOpOieB9UnxW3PH6zsFozBAU9kcthcZkBIcIUzf iHZrDogAirohSldSncQpBPfCyesZmBLEBzgVDerJO2Avr1AMhShQJBOfEvSAkNpI Ed2x3rk5g0XWLtThe0omIl+tp+Bs9jiyT+sbScKmbpwa4os6o7OGpeI8gq8GpeJh GzZXMrzbqb5ncg3Vaqfkw1RNd8FZlDaZq1W4UXVzGRh+Wa2D17ITnvnCn9kEbgSR FDZWQF7QRn02pKzoLcpvuewWlz+c5xW/QEbxW44cIUAyPZYhFGRBJk7H1yP8Vixv OyvLlJvyux+EinMBjHtVdY7l/NCwv6bKKx8QES31I4pDOs6wK8+BuI1ptMnMnwx7 vELVeoJNIpwWuxOyeaX9IdV7Zkis+jI/QBpTNwb+GzJ0eCmJyCcJiwYYBeBW9cWH 5EOl9AOdmh4VC/dxxHRpn1zXmHcRu/9Xeh4+JYEEY/VN7Uw4ahdlKB2vu8kcXMnG /fRDUnYsL28MRm3h8jpv5BJD/vJ7/PXElqCYG8Adx25I8DsMqIYY7MmppF/Aj4uj cdTxIodRYJm8cj5MdHHdcREhBsJqzuv+JrUpJGd6tcKtwFQ1 ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B2DCEF4A099E6FD0

http://decoder.re/B2DCEF4A099E6FD0

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Sodinokibi family
sodinokibi

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4880	netsh.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\D:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v06s5.bmp"	rundll32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\UnlockTest.xlsb	rundll32.exe
File created	\??\c:\program files\tmp	rundll32.exe
File opened for modification	\??\c:\program files\ConnectShow.crw	rundll32.exe
File opened for modification	\??\c:\program files\LimitFormat.3gpp	rundll32.exe
File opened for modification	\??\c:\program files\OptimizeUse.png	rundll32.exe
File opened for modification	\??\c:\program files\LockUpdate.avi	rundll32.exe
File opened for modification	\??\c:\program files\SkipCompare.xps	rundll32.exe
File created	\??\c:\program files (x86)\utubdci9h1-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\ConnectSkip.wmf	rundll32.exe
File opened for modification	\??\c:\program files\ConvertTrace.png	rundll32.exe
File opened for modification	\??\c:\program files\PingClose.contact	rundll32.exe
File opened for modification	\??\c:\program files\DenyExport.vssm	rundll32.exe
File opened for modification	\??\c:\program files\OpenFind.M2V	rundll32.exe
File opened for modification	\??\c:\program files\CheckpointOut.jpg	rundll32.exe
File opened for modification	\??\c:\program files\MountUndo.wm	rundll32.exe
File opened for modification	\??\c:\program files\PushGrant.wmf	rundll32.exe
File opened for modification	\??\c:\program files\RemoveLock.ppsm	rundll32.exe
File opened for modification	\??\c:\program files\NewReset.htm	rundll32.exe
File opened for modification	\??\c:\program files\RequestDebug.001	rundll32.exe
File created	\??\c:\program files (x86)\tmp	rundll32.exe
File opened for modification	\??\c:\program files\ReadRename.xltm	rundll32.exe
File opened for modification	\??\c:\program files\RemoveGroup.rle	rundll32.exe
File opened for modification	\??\c:\program files\RestoreRevoke.htm	rundll32.exe
File opened for modification	\??\c:\program files\StartBlock.vb	rundll32.exe
File opened for modification	\??\c:\program files\TraceUninstall.vsdm	rundll32.exe
File created	\??\c:\program files\utubdci9h1-readme.txt	rundll32.exe
File opened for modification	\??\c:\program files\EditSubmit.vsdx	rundll32.exe
File opened for modification	\??\c:\program files\EnableInstall.mht	rundll32.exe
File opened for modification	\??\c:\program files\EnterCompress.xsl	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000063598d40110050524f4752417e310000740009000400efbec552596163598d402e0000003f0000000000010000000000000000004a0000000000e4646e00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Key created	\Registry\User\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\NotificationData	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
4968	chrome.exe
4968	chrome.exe
2152	msedge.exe
2152	msedge.exe
4692	msedge.exe
4692	msedge.exe
1176	msedge.exe
1176	msedge.exe
5904	identity_helper.exe
5904	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5336	OpenWith.exe
5012	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	rundll32.exe
Token: SeTakeOwnershipPrivilege	2112	rundll32.exe
Token: SeBackupPrivilege	4132	vssvc.exe
Token: SeRestorePrivilege	4132	vssvc.exe
Token: SeAuditPrivilege	4132	vssvc.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeShutdownPrivilege	4968	chrome.exe
Token: SeCreatePagefilePrivilege	4968	chrome.exe
Token: SeDebugPrivilege	4196	firefox.exe
Token: SeDebugPrivilege	4196	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
4968	chrome.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe
4196	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
4968	chrome.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe
2152	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5336	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5704	OpenWith.exe
5928	firefox.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2112	2088	rundll32.exe	79
PID 2088 wrote to memory of 2112	2088	rundll32.exe	79
PID 2088 wrote to memory of 2112	2088	rundll32.exe	79
PID 2112 wrote to memory of 4880	2112	rundll32.exe	81
PID 2112 wrote to memory of 4880	2112	rundll32.exe	81
PID 2112 wrote to memory of 4880	2112	rundll32.exe	81
PID 5516 wrote to memory of 5576	5516	OpenWith.exe	91
PID 5516 wrote to memory of 5576	5516	OpenWith.exe	91
PID 5704 wrote to memory of 5756	5704	OpenWith.exe	95
PID 5704 wrote to memory of 5756	5704	OpenWith.exe	95
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5840 wrote to memory of 5928	5840	firefox.exe	101
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102
PID 5928 wrote to memory of 6096	5928	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd.dll,#1
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4880

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5516
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Desktop\UnprotectJoin.3gp2.utubdci9h1"
  2⤵
  PID:5576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5704
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\UnprotectJoin.3gp2.utubdci9h1"
  2⤵
  PID:5756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c337cd91-9c0b-4c6e-89e4-20f477d1771e} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" gpu
    3⤵
    PID:6096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {177e2313-30fe-430f-b4ad-6601fcc3cc47} 5928 "\\.\pipe\gecko-crash-server-pipe.5928" socket
    3⤵
    PID:2020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd65a9cc40,0x7ffd65a9cc4c,0x7ffd65a9cc58
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=580,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3204,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,9437578521214342833,3018420545697740514,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd65323cb8,0x7ffd65323cc8,0x7ffd65323cd8
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,6035867153970826763,15723201243454568538,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\utubdci9h1-readme.txt
1⤵
PID:4056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5012
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ResumeComplete.vst.utubdci9h1"
  2⤵
  PID:4268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ResumeComplete.vst.utubdci9h1
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4196
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244710 -appDir "C:\Program Files\Mozilla Firefox\browser" - {080142a9-af03-473c-be6b-a3c848448962} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" gpu
      4⤵
      PID:5868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2356 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2336 -prefsLen 24598 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01427517-f8f4-4616-8931-4b5e48783a5a} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" socket
      4⤵
      PID:5216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=908 -childID 1 -isForBrowser -prefsHandle 1436 -prefMapHandle 2828 -prefsLen 24739 -prefMapSize 244710 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b472a8a4-6e95-4e8c-9b09-fc2b4276c8e3} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
      4⤵
      PID:4692
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -childID 2 -isForBrowser -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 29088 -prefMapSize 244710 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae5d90e7-5ea1-4b7e-9b02-cb84fc0c207f} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
      4⤵
      PID:4932
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5004 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5016 -prefMapHandle 5012 -prefsLen 29195 -prefMapSize 244710 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd22306d-6e84-463c-99db-beeb40d9666a} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" utility
      4⤵
      Checks processor information in registry
      PID:1176
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5400 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb3d1d96-e839-4848-b3be-ea73d71dd273} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
      4⤵
      PID:5748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5644 -childID 4 -isForBrowser -prefsHandle 5568 -prefMapHandle 5572 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f30e1aa-033c-4c12-95be-c217628d749a} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
      4⤵
      PID:6088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5836 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244710 -jsInitHandle 928 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c869e4b2-0712-4e6e-bee3-06e610cf2c7a} 4196 "\\.\pipe\gecko-crash-server-pipe.4196" tab
      4⤵
      PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1ff5c011379a653186c36b2714846449

SHA1
5cae0746c0d660e1e2a97c792fb4b39b60d3eb3b

SHA256
f56d4b22657af4ff336e70c2cd29bdd11a55c1ffa600397fc55f5969745233ae

SHA512
863392541da95b510aecc8742e5be447010848d82319dd8bb57c020ced592f2c0e8d9f0b3701be799fee01af16fd5fba7122150cd1fea4315a2436d67e25a650

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c87d916c0ed15fd16abb5f36c785b7eb

SHA1
fbdbe27059fb01a4b7944bb5e3f5744b26b8a165

SHA256
bb8a8d52d8d9ffeb8edbae52c8b3b5c6da3d4247ba41f063b545c56750e71332

SHA512
28f7b602145cad1df46ad780db923684bdc9b655da22efd4ef0486ce5666fc153f1907ac234fe02a0eb5d2ca238da1b6b2a06767c2899649aae9f7f25979aa8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
245b42ad78fe182a338bcd5f81a0e131

SHA1
543bea6391d135ca8c0c948dfb4453d41cb7e1eb

SHA256
a38de4d0049db9bf9b9f10ec45d85bd280f040112e7f1a0adf3964cb2ce589b3

SHA512
293b71dc48d3b1f32dc61609683720f0398a75475462ddb45c77758629c70adbcbe64bce84229b94ec0145470fb5e24983bc2ac7e6fb381f4da0bbc353d3d357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
2efc8a9c64714ef2047b6a1dcb512a0c

SHA1
4ed3dd7c4ddbc3a844b974a7a88942bf6535f4ca

SHA256
cdca3179063da8379a278372cc5b909bb532ed65dfbb55ce060ee581f4d35dbb

SHA512
03d2bd3c7f3af93daf0f77852fd09831eeabcca610fa275f8862557f60881aab9638342ef3045e3f86514387672e7e5c9dbc5211b0811167f9b2b5aaca7229c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5d92bff3a6b7f5818cc6f5301cc5e61

SHA1
400f19d55484cd49cd0473f6ba10b0ca9501fb6f

SHA256
efc968a764bb874608de8f0f38fb86dac4786b528b2a23b5e4aaa6dd66408ab9

SHA512
3e99f4f8c34fab97a41c12836df40f85fd73cc9d9be943e21c80b73a0c181466cfe081f4517980e4869c06c144cb4aaae3a0ae34e5e5e7688dc6c19e49062570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a723ca144beee0ea28f85417e49fce21

SHA1
b5d20c06d13cc227e53647ba29bedb0272b218bb

SHA256
b49a20d69b73cddfbdef3660c281d6d493bef8ca9a7d1e0b63dd446e3d0b045a

SHA512
0d6a2c9f23488a481b291b00675e9ccb0e38dd4998b5cea26ea6611e750d676d8575e38f5e345ce280751698954f7f0098744fd151e80c9f41197f3f8fb3a632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d4d419fb4ffca940095f976cacbe69f

SHA1
fe95dde68b276de92e8b14945a5389c90617e42a

SHA256
1a22a80b7b72236a657ee1374114e928dbafb1fb12620154337e7dcac2feaab0

SHA512
c4398d40259ccf35c11e09a8dc465630ea8fffff72a7f485c2e1db3c29c5cea37b031980506eaf0fcd5af8f15f418a7dd23763a9e05a1b65c56ea97e75974395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5l9wod5l.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
b5cc517ee1d0d1eaec05e9668bb7a214

SHA1
df310820167617869ee075c73ae8e80407a70f8b

SHA256
7cf081bd52e597b277fc36b7a6a351f11fe7ec80344180b63f2bb5d534507331

SHA512
9d68aa27755975792250ed1de6dba1fe8971b41c3a11c1c10b7c6307d45b3c8ce59b3ee5f9c890bf164a72c904a382bd064d90b1fd1d41732ecdfd2b5c9010ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
edc20dc1e36626653087021249400dc0

SHA1
8df5e357441a8cc7a49d25351c654af7b65f6bb4

SHA256
f1495651110575ff8bb81425d3e24fea83c2e25f29f49f5fde7140f4fee1a59e

SHA512
5d5f48ecd6292532cbc4b2c7faca2f5beda4cb04be77456976c79db56937a153958e5ddd671f3484c7f42ae455fff169b30b6a9edb32586862f1df617fe769e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4fedb5211a19f9345c1f450c3675dd54

SHA1
7f5a4c6e7ace15d497369a736219112acb7c8e83

SHA256
8f4295e704ded4d12ea870cccc65d5ab2977ce88b084ec40f190b5ad3b0f3cee

SHA512
5b5d572ffea747df06113e036e20061ff6730a150d9a5209ba492acfd63f3355060582c5e332a37262bc901007e5b0ced556bac192fa0ac9a289b38c2653defe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\371721e5-28b6-41f1-bdd4-4f42e09cf478

Filesize
26KB

MD5
fb0977ab1e736a7d64f9af7ec818a687

SHA1
0c40ad5a56d2191e157eb6d5b2dd7293b54f97bf

SHA256
dd408e1000cca61dec8db544bfb2226792843ab1ae7692ec8641b886ef803400

SHA512
7d664387f9e5a1fff618594bac187b572e585645da928b5382a5583845c6e446e9af52d0af6c88268012b22ce017bdacdbf6304f445b6cabd3ff66b1cdbc3f3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\988b6a55-61e9-4fe4-8a4b-ee27a8765782

Filesize
982B

MD5
3d72f38477d12dc57e8c606336c93efe

SHA1
4189d7cbbab5993ed71c77d559b04b43320dc758

SHA256
e68d8bcd125f4cb6a3621b3fd73a57b2da835386a5b02b1db1974d435b000ae7

SHA512
b4827b9cfbf2037883323ecaa03476e12b942dcf42e9c34a49b02c9e2141f3e70c08f3bbe38a7c898964ac25739f17fdf18e2199a4f7683b562524ad39734ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\datareporting\glean\pending_pings\f6d05272-729d-464d-afc6-4d752ddef61e

Filesize
671B

MD5
fb372a82e777bc7e7c151ceef4d28653

SHA1
1972c72285bc2ae6f5b4b858cdbeef73395e6dc0

SHA256
d0494816bd3bc2e77063fb997085d02266eae387ae0b8e2b75d608f8819d4e57

SHA512
5df9ce5b18f555d2891a72ee9f73c213d0eea7d12688fba08b37656753d528c6caf971f145d2edb31847001ce8523c6811681e5d69ec6ba3c324bcf2732e25ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\prefs-2.js

Filesize
10KB

MD5
9cde28b7d56ae9c5ce6d6b1a8413c6e9

SHA1
68f2a94777f58ac0a77647730471523cbd569587

SHA256
21d401b3fa2542b2a73a422804c8d6f8bbf48b1ba0abb7f465c9bdb904a01a41

SHA512
aa3c1a1f0f8d701906dc1c61551c03b9b99e225feac4334be8727557992e6cbc899b6c2ec34fd92a52107f2455a5d775e82d9c4f494ffd6416a09e55c674a6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5l9wod5l.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\ResumeComplete.vst.utubdci9h1

Filesize
342KB

MD5
17fed58029e1563c80468a527b3771e5

SHA1
393f6c76ca92f32c1deb1eea2e0c6815798d7015

SHA256
137fb62ae3972662b05b19692ffd7379350e034d20e05520711c0c5b3d21cfe6

SHA512
10d29db6e3d867e185262ac5545105435ffe2fefad33357cac6b2aea913f83ca08f7f9c8f4224d1bd2e3eaf4ea19c0c367227a427bc4643cffe5ff9e899b26ac

Download Submit
C:\Users\Admin\Desktop\UnprotectJoin.3gp2.utubdci9h1

Filesize
139KB

MD5
f2c6ab94c818bf41019cfe28d795a502

SHA1
cbbea32a1ec7404f3e8ce99bd0cd27b88b9a90ca

SHA256
efad20fb962248513df4555a7fd102282cbb5bbf74af36f4bda970315812242c

SHA512
967dc6231b46be0886e1cdd36723373b7928b4fe97b75d1a2e592dd51d30cddf101321d7f1323f024928cbef1ed1fbd582d690e5f7617666dae21f8d501aec16

Download Submit
C:\Users\utubdci9h1-readme.txt

Filesize
6KB

MD5
de957a02a543774ac0c29bb7c58cb7ef

SHA1
ac3a7c82ae4ccda8b8bc40a3beca96958f61048b

SHA256
02e82ea133db5ebfa3c49fa144da63a98c543f98448fc63edc4c62f4aac213b1

SHA512
fb10681e4dfd3f2ded7cf3d12a4eea1b9388286b451deeb8bac2e7e46530a4f44a7cebce8f0538f86feb229fbe215b318fe65a6edd1ed91803220af159b62fd9

Download Submit
memory/2112-0-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download
memory/2112-741-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download
memory/2112-724-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download
memory/2112-1-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download
memory/2112-20-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download
memory/2112-460-0x0000000002450000-0x0000000002472000-memory.dmp

Filesize
136KB

Download