58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f

Analysis

max time kernel
110s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2023, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

calc.exe
Size

27KB
MD5

5da8c98136d98dfec4716edd79c7145f
SHA1

ed13af4a0a754b8daee4929134d2ff15ebe053cd
SHA256

58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f
SHA512

6e2b067760ec178cdcc4df04c541ce6940fc2a0cdd36f57f4d6332e38119dbc5e24eb67c11d2c8c8ffeed43533c2dd8b642d2c7c997c392928091b5ccce7582a
SSDEEP

384:Otj8FKzuRxmeWCJxhd2WS/YWyiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiB:QXif4CbPQ7

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1352	GUP.exe
8	ldb2.exe
3328	readme.exe
2868	readme.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	GUP.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ldb2.exe	GUP.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1016	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1184	1352	WerFault.exe	110

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\test.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeDebugPrivilege	3528	firefox.exe
Token: SeRestorePrivilege	8	7zG.exe
Token: 35	8	7zG.exe
Token: SeSecurityPrivilege	8	7zG.exe
Token: SeSecurityPrivilege	8	7zG.exe
Token: SeDebugPrivilege	2432	taskmgr.exe
Token: SeSystemProfilePrivilege	2432	taskmgr.exe
Token: SeCreateGlobalPrivilege	2432	taskmgr.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
8	7zG.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe
2432	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
820	OpenWith.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
3528	firefox.exe
1352	GUP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 2868 wrote to memory of 3528	2868	firefox.exe	89
PID 3528 wrote to memory of 4300	3528	firefox.exe	90
PID 3528 wrote to memory of 4300	3528	firefox.exe	90
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 3192	3528	firefox.exe	93
PID 3528 wrote to memory of 1924	3528	firefox.exe	95
PID 3528 wrote to memory of 1924	3528	firefox.exe	95
PID 3528 wrote to memory of 1924	3528	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\calc.exe
"C:\Users\Admin\AppData\Local\Temp\calc.exe"
1⤵
- Modifies registry class
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.0.1841497925\1111935180" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {226c994b-bb94-422e-be7a-5c46aaca9b4d} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1936 2def4d16b58 gpu
    3⤵
    PID:4300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.1.557780700\257345225" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cc913f6-bd19-4463-9235-a4243201615f} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 2316 2dee6d72e58 socket
    3⤵
    PID:3192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.2.1999743095\28565966" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 2936 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b76fb10-0cba-48cb-81ca-493958303669} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3120 2def7a03558 tab
    3⤵
    PID:1924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.3.151874650\1777817162" -childID 2 -isForBrowser -prefsHandle 2464 -prefMapHandle 1460 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556feecf-441a-40b3-a90e-fb23c270663f} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 1660 2dee6d67858 tab
    3⤵
    PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.4.1956533564\1999582039" -childID 3 -isForBrowser -prefsHandle 4044 -prefMapHandle 4040 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b9d355a-ed08-4681-b833-1a5717a03ee3} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4056 2def88c5658 tab
    3⤵
    PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.5.1126566585\1606406810" -childID 4 -isForBrowser -prefsHandle 4924 -prefMapHandle 4948 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee1a4df5-1344-40b0-81e1-ecddf9ce4222} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 4976 2def9ebd858 tab
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.7.424333245\1749101590" -childID 6 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1be4a25-d724-489b-a139-7b0de045af4d} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5316 2defa1e0058 tab
    3⤵
    PID:3332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.6.687669124\1659804826" -childID 5 -isForBrowser -prefsHandle 5124 -prefMapHandle 5128 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a134fbc-dae6-48ce-8bd3-e34170d852d2} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 5116 2defa1e1858 tab
    3⤵
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3528.8.328241443\1494804203" -childID 7 -isForBrowser -prefsHandle 2812 -prefMapHandle 2768 -prefsLen 27020 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c43f191-d8e6-40cf-ba42-60cfabd01d57} 3528 "\\.\pipe\gecko-crash-server-pipe.3528" 3260 2dee6d70a58 tab
    3⤵
    PID:4456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\test\" -spe -an -ai#7zMap25041:70:7zEvent28322
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8

C:\Users\Admin\Downloads\test\GUP.exe
"C:\Users\Admin\Downloads\test\GUP.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1352
- C:\Windows\SysWOW64\sc.exe
  sc start "Windows Firewall Extensioner"
  2⤵
  - Launches sc.exe
  PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Public\readme.exe
  2⤵
  PID:2148
- - C:\Users\Public\readme.exe
    C:\Users\Public\readme.exe
    3⤵
    - Executes dropped EXE
    PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 520
  2⤵
  - Program crash
  PID:1184

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432

C:\Windows\SysWow64\ldb2.exe
C:\Windows\SysWow64\ldb2.exe
1⤵
- Executes dropped EXE
PID:8
- C:\Users\Public\readme.exe
  C:\Users\Public\readme.exe
  2⤵
  - Executes dropped EXE
  PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1352 -ip 1352
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp

Filesize
146KB

MD5
b5310a6968d25d29c5e7549ee46f59e4

SHA1
b210f8ae80b06bb6f8abff99eff169afbbb6f565

SHA256
0a0bb6547054dafa4a59d201242320d2fe4bf219cdebb375f83a16b7e151730c

SHA512
da1da9e2dff64f4437d93ac01c0018bb2fe2114e8443ecf2e9bfae7d1ae749af44f3d1f4c752bb6574046b4befcae3837e85d031cf7ace0cb5a2b8064e5f97ad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\14646

Filesize
101KB

MD5
e08a650a8616334b40337bab3f71cee3

SHA1
095a3a7aaeaa81b4a94fca063a22f699ef262549

SHA256
3f5c73a40905b2235318bd86b736f81bd8cc7a7647a909bac433854e9b7becb1

SHA512
ee3dfa68c5b50f6ebb76a46a2db9df4dd016a29ff3678f87c4140c08278ce88bee76c9ec52f8a1056643b4370b5baad534a8acf3aef00bcf3059cd21dfdde0ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\14687

Filesize
11KB

MD5
29180df0d943e939a3cc8eae6457176a

SHA1
4b6b457edf023fd429070da19210761fe65a60cb

SHA256
6ba283b8ae3bf90f534cfd6e7e856be359f54f979646623d72062f9100534e9a

SHA512
a8dbdff88461fe4335611de9a277b7cc5a042ebf82f91b747b62df4e6df89061431368e07e4cd3175d1592cb6038f279f749d3a0625a7712d20c17646b491318

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\22779

Filesize
11KB

MD5
c6a7a6375b69ad780215ee93f24b9f01

SHA1
460999a4e4ab0584af71d3651d0338c12d0cea0d

SHA256
ea344a35836048080a356b14f0047e6a7f358bcb83a55b797262a6305300ea3d

SHA512
8762f0ccb1ed93c8f868151e43cb8746ed444b6cd7fd7c725cfcf7ad5d950f69799fc16da9f306fd86ea0b92bb46ab00f6854c1fce46d757def4fbec548b75e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\30217

Filesize
43KB

MD5
c6384f2bdd007ebf9c20a6f5f2654814

SHA1
bd7d1d4d81e33d2819de39e7192449b0775c31c0

SHA256
27bcd97fd8928c86a0c84c54f853138813eade15f27d1e6d51bab4d06c483d73

SHA512
8c178b0173528aa8393aa75b54260dab9b88360286afbe0607d03e5cc2e7d330b808a08a180634ec690dd1d86783130b9d4dddb7d26414db0f0b3dd3b9ec0190

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\30861

Filesize
9KB

MD5
3c7c9f787375e96936445d40af1b02c4

SHA1
417b40854a56e4476df254608ccdb424c592d600

SHA256
5bd29379ce09f7b91e6101ef98882e898b70cc18bb538f9e2a30e32975d27f5f

SHA512
bba96c5f943e703146780d8c0f2187ba58a32652a5d2426a6d7a1292f3c5a2c1dfe12d8146d665c040a71c04f65f62a8cd43bf28c153aaaffb9e023917bff281

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\31759

Filesize
11KB

MD5
18c8c0d7145bf6b7f838d39f0b5bcab6

SHA1
9ad3c0eb2e9873a543f29717b753da9b74b04a17

SHA256
5de4859533e15526eef4e72e931ea20e4fd86f2c105978dab09321dcee1e44dc

SHA512
25bc39336454ae4ccd4ebd645a0b722eaea28b11ca210d451cced48205359d03cdb5646d75407ccc8b4419e6a44f677f4a40a06d2f3a971aaa053db876c6be22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\7022

Filesize
26KB

MD5
ed942a57cc746e79a2e12331482c096a

SHA1
fb65a9b44bb2662cbfd4824af736e2c33bb5d405

SHA256
2417f15351937ffea5a1c59e877fe9114c717a48e0b875f4311c77d42b454813

SHA512
badf6dd65d9db439605e965b74caa68bd02b62cbed88c545e6153af9595e7cde20fae40ffcbf6099cf2e07a8ceae6c65d851dd32b844dd54df04c66c2bc98c22

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\8043

Filesize
9KB

MD5
a5abc605188c19670c8f18d4c9b1af04

SHA1
4a2b65036da2132940bac845523764a05ad5a506

SHA256
d3fa62c47b13f20647a39bfdb447a5bfc6cec3f32439f627e0efc03ed06b9cca

SHA512
b4676a58f2e77845e5267cf50590464b9df9c6b045df1bf0cff3499cfe05310143767f99fabfe61b76f4c30738c6a52d6ba30c9433ffc93ffdf398329d37a960

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\9492

Filesize
9KB

MD5
ae3c9ec97d76eeb2206566b4b77b3ffb

SHA1
3c18e0e5c6640174204b49ce2653c08a0384e3f7

SHA256
933e53fefbafd3d226731cc5f276f81bb2c527f56c33c087da6c8ce85dd50053

SHA512
dafe03c83c9813ecb81fa5da12b2895e487f0dc4fb87d2718d320bae654d82c2b343a1b8ee5e72a16e88c3d5a5c5d44162e38174d43f7b581aa6f886537ee960

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
275ee9f47d1ee64d1c17aa094748bf5d

SHA1
6f7df0d65988adfae2663e4650db4fea518371c6

SHA256
a3d56c7add19d88bcb567491ec03b50ba2110412120376e481cf5094be53437e

SHA512
d0332c549b7e43998f092c9f6b6b1103a2984218c8f89306644ae802713136a4a2f9f2260e853eee217f702dd968974f23fc0f9f5de41bce731b5f2647fabc23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
ecbc056c93b18b893e6bce5d906ca43b

SHA1
ee029d94354f8a248c309fc99f6867478a09f73f

SHA256
2a7f22bf418d22f43855b2f3dcbf04d45aa2b5362c19fe09c98d4393f6ad79d1

SHA512
36f3da5b7b16014f6970fd3f48148e6af1266f7ac32208766388725096ba7d71203013cdc40e4ef1c4aa45311dfb2551feca4485d95814bcdd350daf3adecec3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
6KB

MD5
6a35eea64e33b0d675d4c49b51bb4250

SHA1
975e7e4184af508999281103db8fb5082644e116

SHA256
c4696c6d7ac359483f88833066aa71d26008578a1f2de5233d8b94d226329be2

SHA512
2960297092e1dc40c6327e11ec61d08459c573d29c121b3797a821f7bc1f2e085dd864d01f9196362a5ee15c3d67e382d3525f8ada7b420e9e63f454f22a9d65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
61d23af22bbf93473dde59999d6dee97

SHA1
e9b4c75b7843ec81bd25f93a12e7556a657c8e1f

SHA256
c598bb1cfa964506efefb2292814b4d16825d3188569cc609f8a31a2a34ce6fa

SHA512
1612aaf254008262dd3838792e768364df4cd2f5c1353da1737b1fd2ca8813bc275ab101a288367c6f59218e3613d02afee611b401483cc974df6f910787f96e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js

Filesize
7KB

MD5
8167cc4a62b618526b2f58b5381af08e

SHA1
945bbe56cf16f934b8ecdef4f31e6a9f589a7cba

SHA256
fd32c062bfe34fa6a03d938e12f2c476f93808eb140b544b5d97366a30d7bc85

SHA512
62a62f26a8f8072fe3b83f99355ea03aefd86b7d0b57a3998a18fdc73eddd6b0bda0a71f51268c686356d4dbcf0c4a66692cb34128b6f2b8b7ba15188a669e11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js

Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a55db85163701a7fe36b7823118ac206

SHA1
c621cb531aa62646426a2ec928a1ff214c921bdb

SHA256
5b7391776374ea71bd2328133f93796d3c8d39d99d4e533f05ec08893e24e2d3

SHA512
f2da7187ae73dbcf1bd5a2d84d102b73cecff079f7defeddfd6c782a023b9bae97a29050b746d11dd3650989cdd7c9c0ac082b7f38971766403eeace42f1aebd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b6ac9ff849df1945f6cc1a54fb97822f

SHA1
3851d93d984d470711349d251bec133d5ad9baf2

SHA256
d4579ae99a9f960d428dba5927b2f085ea6c9f49bf1040617d79f9f71038a8b7

SHA512
6f6feead4604672e9d999f440f47f75fa5100657370aae64ab72a4aa6e2059658371a0cb00fe9584a68ce1d946304fb791be6235b236b550ef8af3815b73694c

Download Submit
C:\Users\Admin\Downloads\test.Q0xmWAe4.zip.part

Filesize
60KB

MD5
4c99b2d636236faa2577203256facc34

SHA1
c96e80ff74b5776f42403e4e6f7e5e9626d49058

SHA256
5fc4c9694d2fa95c210a51dd4f040274f4051c882ce2bfd8e6d5112a23d167bd

SHA512
eb93a0fa648c0d12e617952b5227550d757e258e702587c72aa46d6e69121241b588a620dca417670fb61b702e7009b031115ff9d95d843f1e2f32b70d7907d2

Download Submit
C:\Users\Admin\Downloads\test.zip

Filesize
1.3MB

MD5
a0b3797cef59be5f22481ad18759cfc6

SHA1
480f31c6560bff4861ed49e56cdcda0a6f58d2b5

SHA256
a21c3aee6ce125758babea6d2f638e4720bb78a638706977c436d4c8c0d2db0e

SHA512
40098e7c276247a5c80775ae24badde8a21f3b2ee1e63ae6e0e59c58ac3584bf4c5e7c3e0aaeb7d80e11dd025e0f6d34bb85cbef8c501625661629724de1b689

Download Submit
C:\Users\Admin\Downloads\test\GUP.exe

Filesize
735KB

MD5
14b0b4b0b265e12e4f82acd9ac55c7ff

SHA1
9302dfc6b5f9fdeb4fa48febaced1f59aa9d80bf

SHA256
b229a5a67a6431eb2b99a56039cc374562f1a4da50847e5214be93baf507095e

SHA512
610cc706de51e515b96da221c249cedc7814052992974ecbcecfa2a863c571059a9bbfc7ddcefef071827d9554daec9815778aa984c675ca212eb62b0b5a5b7d

Download Submit
C:\Users\Admin\Downloads\test\GUP.exe

Filesize
735KB

MD5
14b0b4b0b265e12e4f82acd9ac55c7ff

SHA1
9302dfc6b5f9fdeb4fa48febaced1f59aa9d80bf

SHA256
b229a5a67a6431eb2b99a56039cc374562f1a4da50847e5214be93baf507095e

SHA512
610cc706de51e515b96da221c249cedc7814052992974ecbcecfa2a863c571059a9bbfc7ddcefef071827d9554daec9815778aa984c675ca212eb62b0b5a5b7d

Download Submit
C:\Users\Admin\Downloads\test\libcurl.dll

Filesize
652KB

MD5
771f2c571391b9ce490b9a2e15298e5d

SHA1
190806dc1291446b92f9369bab9d59bf92663e16

SHA256
3156edc00db2bc0b52df48bd94e4c632375db28418f3d98fd93581e2fcc8656d

SHA512
d2e2c713af75b7dd9ecb15f8008132bfd7f19a0514aafdcbbdad2aa78405de07eae64fab7708afba7211f818d34ea09b9cafe5791f8c6f9c120d58ec505def2d

Download Submit
C:\Users\Admin\Downloads\test\libcurl.dll

Filesize
652KB

MD5
771f2c571391b9ce490b9a2e15298e5d

SHA1
190806dc1291446b92f9369bab9d59bf92663e16

SHA256
3156edc00db2bc0b52df48bd94e4c632375db28418f3d98fd93581e2fcc8656d

SHA512
d2e2c713af75b7dd9ecb15f8008132bfd7f19a0514aafdcbbdad2aa78405de07eae64fab7708afba7211f818d34ea09b9cafe5791f8c6f9c120d58ec505def2d

Download Submit
C:\Users\Admin\Downloads\test\readme.uxd

Filesize
1000KB

MD5
949b1108874418a66cec13e46ec35066

SHA1
781ff787d65dd3d1546279328bed19d7e9d70930

SHA256
6ab58c1533cbe3cd896c04b69c8635cba81d3d95f5429d96f18300b1c4ff0939

SHA512
54dfb8a4e25276afd002377d6536dc65c562c6dc42edc337d9e461535a4a189803347a61d894b2c6f3898ab34d3da7599b3028ee8f941d33fa3e3c4e66c37593

Download Submit
C:\Users\Public\readme.exe

Filesize
1000KB

MD5
949b1108874418a66cec13e46ec35066

SHA1
781ff787d65dd3d1546279328bed19d7e9d70930

SHA256
6ab58c1533cbe3cd896c04b69c8635cba81d3d95f5429d96f18300b1c4ff0939

SHA512
54dfb8a4e25276afd002377d6536dc65c562c6dc42edc337d9e461535a4a189803347a61d894b2c6f3898ab34d3da7599b3028ee8f941d33fa3e3c4e66c37593

Download Submit
C:\Users\Public\readme.exe

Filesize
1000KB

MD5
949b1108874418a66cec13e46ec35066

SHA1
781ff787d65dd3d1546279328bed19d7e9d70930

SHA256
6ab58c1533cbe3cd896c04b69c8635cba81d3d95f5429d96f18300b1c4ff0939

SHA512
54dfb8a4e25276afd002377d6536dc65c562c6dc42edc337d9e461535a4a189803347a61d894b2c6f3898ab34d3da7599b3028ee8f941d33fa3e3c4e66c37593

Download Submit
C:\Windows\SysWOW64\ldb2.exe

Filesize
48KB

MD5
bc8a70bfc3e69c8060509c9669ce6290

SHA1
3897834a9b8bea2d44e467e546fa9ccd6083765a

SHA256
b26b2a2f8c8892f80a9e250a5e8b511ded6e9fbbd94ab9c24aa9825850f694c1

SHA512
ec121dc8871ffde9b06d0fe1a1e4e0a6032eb591d344afca6f3b7af144d6fb74f629227eba034980119cf4aaecf478a7cf5b0ed0c56de54037ddae7fdd68a9c8

Download Submit
C:\Windows\SysWOW64\ldb2.exe

Filesize
48KB

MD5
bc8a70bfc3e69c8060509c9669ce6290

SHA1
3897834a9b8bea2d44e467e546fa9ccd6083765a

SHA256
b26b2a2f8c8892f80a9e250a5e8b511ded6e9fbbd94ab9c24aa9825850f694c1

SHA512
ec121dc8871ffde9b06d0fe1a1e4e0a6032eb591d344afca6f3b7af144d6fb74f629227eba034980119cf4aaecf478a7cf5b0ed0c56de54037ddae7fdd68a9c8

Download Submit
memory/1352-1069-0x0000000075E40000-0x0000000075EBA000-memory.dmp

Filesize
488KB

Download
memory/2432-1102-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1105-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1106-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1107-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1103-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1104-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1101-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1096-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1097-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download
memory/2432-1095-0x000001BF64D40000-0x000001BF64D41000-memory.dmp

Filesize
4KB

Download