35a2cc0635e0cde9cb882f2c24bb28c28b5b41e2c372a4c83b5143e05ecdc77a

Analysis

max time kernel
146s
max time network
244s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.pyc
Size

1KB
MD5

1c65418e7a672e3c175033085cf5bc3f
SHA1

b21cb50dfcf93782bd7636dcb42b0206366b1935
SHA256

97d54fdfb92d4106f6301566e9121b9a3a277e88dffeffb0ad2f695e59106cae
SHA512

6fd7fcd7e0a70f1b399cf5942e535b16833907d1459ca604a2fca1da1c5a4b755302bcfed6cf0d813dcf27748023d67b84e18c35e15353ff9d28855e6c58a23c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000ed30bdda43008947a7f8d013a47366226400000078000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\NodeSlot = "10"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = b5021f006502d5dfa3235702040000000000530200003153505305d5cdd59c2e1b10939708002b2cf9ae9301000012000000004100750074006f004c006900730074000000420000001e000000700072006f0070003400320039003400390036003700320039003500000000004c010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000500014001f50e04fd020ea3a6910a2d808002b30309d3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000c1f5fcc06f25db0100848d317725db0100848d317725db0114000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001900530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f007000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d00650000001400000076c1b8fc0d0000006b00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001b000000530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f00700030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000008b020000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\TV_TopViewVersion = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\TV_TopViewID = "{BDBE736F-34F5-4829-ABE8-B550E65146C4}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "7"	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4900	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2616	OpenWith.exe
4900	NOTEPAD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4900	NOTEPAD.EXE
4900	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe
2616	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4900	2616	OpenWith.exe	90
PID 2616 wrote to memory of 4900	2616	OpenWith.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc
1⤵
PID:2540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\main.pyc
  2⤵
  - Modifies registry class
  - Opens file in notepad (likely ransom note)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:4900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2276
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {629bd650-b044-449e-a4cd-dc2dd6dd66b5} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" gpu
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e79c54b7-c56a-486b-817e-f1b0041c17f0} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" socket
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ee833b6-3701-4f19-9a70-b191cd9e3c7b} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4356 -childID 2 -isForBrowser -prefsHandle 4348 -prefMapHandle 2528 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfacbad2-3b6b-443a-9599-732c65488b8d} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4908 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4892 -prefMapHandle 4888 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af8c4e37-9365-4aca-8d61-475caf2bad04} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" utility
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5252 -prefMapHandle 5248 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d7c063b-576f-44c0-98a8-87038e198da3} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5416 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05ea66d3-9ce3-407a-bc9c-c2fb1b7543fb} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0ed718f-3c42-43f5-a2fd-eba4d8875080} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:4536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6124 -childID 6 -isForBrowser -prefsHandle 6076 -prefMapHandle 6116 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2919fff-62c3-427a-b669-dd4cd2bbd68e} 1208 "\\.\pipe\gecko-crash-server-pipe.1208" tab
    3⤵
    PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
c125ba314b418b724df2ad34392d6790

SHA1
5d7faffda1da4fe5c59992596843b9a1659124f1

SHA256
617c565bfedd899d39ce81bf008b8688a9cd89372ee65ce49bf52fc33591f367

SHA512
88994aaa59410b477650f7be1d1a47a7aafe2ca6891761244e56b87da20c357c9b443444f93076464ff1e3cb387f38149cb734d583afabd385a59c828aee0957

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\sd844ipy.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
84b396dcf2c00b6467d5e2d46f2b37c7

SHA1
7fc44d0901158b9f109cb7fce9de4bf10d477b57

SHA256
d0f55fa31cc40a67bfb75a47acfa4034aeb05513a1c85ec2b22b0e7b467626e3

SHA512
5800e56fec84fe2ab9bd8d298ef8ee5e2539c4651e0d039b7212784d2b4bfa49e4dd4cc658ecb440a990e4d98ef36dba420b741186b05abb05f1e7d991369b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

Filesize
10KB

MD5
f0f593636f966943bc427c81c7ed50c2

SHA1
1ece5dfbb35d02038083ba3a20679e656b36b4aa

SHA256
2264cb710a45c58f6c9310fb469bf4eba425ea5320fc58032c4702240a1815f8

SHA512
2ad0e5ca076a705135e4c1ab66c19ded45df327b13cf490bbd08204175109fe6d35121685b0e8de0201adac0dd446eadcc65abb5cee34aa05389f882955efaf6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\AlternateServices.bin

Filesize
17KB

MD5
3fb1c2d95a6ac269c2eed7d0c3ef3f94

SHA1
b6de4473904f4ec67a4bcb7a51aa2dd843172a79

SHA256
75223d2f6b2efb00fd4e6a3140d9786c39acdb1e1bb86c6040c2f1ba0faa6b7f

SHA512
9cbce5769f5a3680c583e79706234be2d17f7fc2413cb9bfe396c2e1a74ea57b63c0c020096df18637a6f3c51a98b4ad54386395e58140098cd477b34e40d0e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
af2710ff939f919a49ba304bb52f568b

SHA1
a5f7c8cb66e576e25bd0277b3633ff669e97b856

SHA256
4c301c375410e996e779c06ded90b585617a90305e4296e5511d92d7d8b86146

SHA512
0c8f5e7f019cef07ed02d50f6ea724bb505e625e4766ae92e50075f8a9199e01605fd2c37e466a16b18e39874ac3929c47d18e23ab179673956a7dac35195633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
79cb5af8f53d99c489543a4a668bed16

SHA1
3dc425bb8f671f944d268f8990aca588be38e2fa

SHA256
d67d0d90ed1b8c82bf1e82ed5f7de0457e5aeea063c6baa936fe144f76360ef2

SHA512
7012d7f00a9124baa2b3f1c420cde42f63fd4db7236f6a89d74bd002c7f36ce518e97cc7bd064f8ae0d68312e71b3dfa7fd7039418090af4f5a31347030a1b4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
14710d728edb1e7ba28251bff30f352d

SHA1
6206877bfd91d5f2ba85d1e31191b834a2a05473

SHA256
b141c905799c497e24552221136f54283d14bd9b421adee140e0f58c5a64411f

SHA512
684d3f21c68b0633a72e211f4bd9ee4c24217a18c7d1f93c251a8738bbc220a52590e54e15d0cf5a530b7ccd6fbb8bddf801a65ea7d79b0ad115bec01bc7b915

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\1533fd23-456c-4f2a-b3aa-22cc0bba441c

Filesize
982B

MD5
5cafd6fd4ce922001dbaffb181c2fb34

SHA1
5f76305f52641828e3150209cc6f9ef21f687da4

SHA256
14213832d66aeda3832f85b8e1b96634412b421c16bd78e6b3ff81aed13e5c27

SHA512
a5c744857cd5298e9daf7b6e2d9715518bd64b0b7e592db373e49979ac65fee189065b2c076bc5230892c8cb6c88184e26b7f3cad3bda8ecef4b596e76489b6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\a90d3d0f-a0a6-496a-8be0-e9417a65dd11

Filesize
671B

MD5
b9a17492c1d2a628218e78dec1ed0bcb

SHA1
5e74dd69d69f32046b69e964d64b3d690e4b3fc7

SHA256
0e0eda88a7438b14acc2d3513a3ca9ce8a6f5562a59d800bd6014e36c9c7ffdc

SHA512
66db1683a1e387af18df14727f7a0123be13dad5ca515a68f43868497fff758483d7b1db6dc9bf9b34f3d18b5f2152dac640b465c4a0fd08acdbe1ccc3620d38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\bf9bfba7-283a-4959-8950-57e818477956

Filesize
25KB

MD5
26cac00d9d7aa3308acc1240cbda67aa

SHA1
5243a65177c4c7532acb6fce182101441798a1ee

SHA256
785d271954cbaa28cd9bf8d444ef6f19db809c563757d214c4773da75b5839ef

SHA512
17e463ea1b3e30a26a083354d75abc3590e7a36c8de17a9982eb58c444afeac6f06e58e47d658c0ff2b6d761a6933246868058d2ed0fc757c1aec99388af46f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\datareporting\glean\pending_pings\c1af1441-ffbf-4453-a156-8a0497905baa

Filesize
6KB

MD5
2434c381debc5633d1ab98e6653a9fcf

SHA1
19e7f18be3cca04bd6893c8cdce63be614d9f0d3

SHA256
fb13019606a9809f117a8906f90b9bf5adba7b80da3aaefe088531f7efbbe394

SHA512
da16419bf15c072a8065e61c2dd8e8220add680166d2551eea1ec73d528fdac38103caa7a9e4f1143df3471271f5a65be1173f94cf8105b136048693f788d46c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

Filesize
11KB

MD5
757ffc90514f7656013441d6a8c76bca

SHA1
1504ef5e6c4e8ff1203ea03d75a213a662a80e8d

SHA256
74361f2118ea345045711926b2402120cfd920f2a471ab23f11ca93bcfb8d5db

SHA512
f87d9b3bc8c0dec843dc8dfa8cca2e59fee9b26bdad1e1f693e872725fbd25608e8bf08252b8bd36022c59588b98be238fd7e253aa475df34e8e13d7d0c4e11a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs-1.js

Filesize
11KB

MD5
8447228af4c3e77267100bc643ba4f55

SHA1
b3519709bd12ed5d4222eec43caef8f7fc1470f9

SHA256
045a064567d195c5bb6285294d9f9bb5b66a831f33d2d931052c942fb88ba197

SHA512
8e4bd480c78263f1d90226bce32da065af4aeaaf316c1175afda8427acebc05fce636e4c6f7ab4c1cb124b37aa07117d02a18b244dc8fe5ddb17e6818c47e276

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\prefs.js

Filesize
10KB

MD5
18536b0b89b65f9903d2224c565d1642

SHA1
a4a5af353a4cd90b535e6f60b9a74bffafb3153f

SHA256
7bec144c2b45a25a6d821bf0c54fa672b111a4b8ee8281772544e67335e37aaf

SHA512
a46a9759c8d6240ee28a7f3b927be8a54f68e06c08406d849b35f3211bbc15d5ceed6dda2309b8a4214e8a5a5724f3dcd9625c8e8f3f3248e20e8a83019b1f08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
31b23fdbef9efbf3d90c8f994bacf887

SHA1
5cd6c6ff4cf24b248961ce12e33991f2a8abb802

SHA256
2fc8ea9d8da085329a010211766917a5576a847a638978bb6d9cbc75e603e0b6

SHA512
2bcff43721765c37638b6c01b0d6d07c8869ba6fc7defac3264d58f81e4ae8537417670b9d4565890f7f3fe4d37366b96cca8d0d3d39886a110c38641b88ffcb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
03cc62b1781a69d0b638c91f8d1ef4cf

SHA1
934bd515bf1d89c2fccde94feb36a437860d712c

SHA256
d401115bc33cba87a3cb2756b4d63652540474aead030770e7daf8ac6a1f04dd

SHA512
07af0be65055569f8c62e0626ecbb1a99446c6962c88bb87a261282f510a223ed85c7b12653606b3df04ed7300e5a92ccced2a846d547b458901e55a107e28a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sd844ipy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
1af1a3e7fc2a32bf72d3dfb21cbacdca

SHA1
16c2b0e080c6c587f0cde01af5a05ce36aecc7b5

SHA256
20bf4cb3e956c37eaf34031042ffc404d70041e2fa0bffbda44eddc1c66e5609

SHA512
93c8d79eda4de1998dbec62189c7fb10bd7bca26525cfb230d8948542e29d494a1bf36580cb111e846594a05fd5bdd913226ec1ce0ff6f246b01fab811fdb577

Download Submit