7d202f15c7fac8991417ec14c890dfc79c4ce6aef8498bb7e551473e65731ba9

Analysis

max time kernel
299s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MoonSpoofer.exe
Size

369KB
MD5

2d73d569359592ac10ce35d14a6f8526
SHA1

886a6053e7723e1358eb1d22c339375e5a794ce9
SHA256

7d202f15c7fac8991417ec14c890dfc79c4ce6aef8498bb7e551473e65731ba9
SHA512

d5543e97545e7464cce975b14e41f60d56e8a2e3fce35fbf3d6e1ae1bad36e6a94271cc3e3107fd9797b2e3f587d1d2fdeaa7d1e5a5f663771b1b4b161943aed
SSDEEP

6144:CtuezJ/rvhl0bBGaA5v7xpKpQ9/3Ew/uo27pUogiDsZAEw/uo2uEw/uo2uEw/uor:Wl5B0K527lsZK52hK52hK52T6

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3488	MoonSpoofer.exe
1104	MoonSpoofer.exe
4176	MoonSpoofer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
83	mediafire.com
85	mediafire.com
86	mediafire.com

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2992	1624	WerFault.exe	84
3780	3488	WerFault.exe	113
4448	1104	WerFault.exe	117
1576	4176	WerFault.exe	121

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MoonSpoofer.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	1344	firefox.exe
Token: SeDebugPrivilege	4196	taskmgr.exe
Token: SeSystemProfilePrivilege	4196	taskmgr.exe
Token: SeCreateGlobalPrivilege	4196	taskmgr.exe
Token: 33	4196	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4196	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe
4196	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe
1344	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 468 wrote to memory of 1344	468	firefox.exe	102
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 4644	1344	firefox.exe	103
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104
PID 1344 wrote to memory of 3164	1344	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MoonSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\MoonSpoofer.exe"
1⤵
PID:1624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1056
  2⤵
  - Program crash
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1624 -ip 1624
1⤵
PID:1740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.0.581481335\424033053" -parentBuildID 20230214051806 -prefsHandle 1648 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7f844ce-d8dd-48e2-90fa-e54ca5b7161b} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 1864 1ce12a2df58 gpu
    3⤵
    PID:4644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.1.2070072646\408374232" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977e17b0-5733-4e1a-925b-51349a68f3ce} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 2432 1ce05c8a558 socket
    3⤵
    - Checks processor information in registry
    PID:3164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.2.2000918405\423846828" -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 3140 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {304c184b-6e64-4899-b38c-9359357084dc} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 3156 1ce11a93358 tab
    3⤵
    PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.3.1797664134\2129409153" -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12e6d029-4f23-44e7-aae1-7e701ff5f0d9} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 3964 1ce17aa4558 tab
    3⤵
    PID:3540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.4.819398309\672163836" -childID 3 -isForBrowser -prefsHandle 2836 -prefMapHandle 4444 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbe9a986-0838-49c0-ae5c-fa487b4c759d} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 2844 1ce182a1058 tab
    3⤵
    PID:1500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.5.1896278439\1839944733" -childID 4 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c16651e6-75ec-4884-aa3a-37a1175de6c2} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5204 1ce19f3b958 tab
    3⤵
    PID:820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.6.904996084\1164585892" -childID 5 -isForBrowser -prefsHandle 5468 -prefMapHandle 5464 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81614118-7fff-4a93-9154-da5941bc81ad} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5480 1ce14d2f558 tab
    3⤵
    PID:4136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.7.672421475\73875377" -childID 6 -isForBrowser -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 28041 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3694f975-f7bc-4cca-a138-1fd57bc6fef7} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5864 1ce1816a558 tab
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.8.1933657903\1757108364" -childID 7 -isForBrowser -prefsHandle 5692 -prefMapHandle 6328 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ff750a2-3be9-4536-b660-9524c164ff0d} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 6340 1ce190cd858 tab
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1344.9.157343416\190820593" -childID 8 -isForBrowser -prefsHandle 5316 -prefMapHandle 5328 -prefsLen 31300 -prefMapSize 235121 -jsInitHandle 1260 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9944c044-dc16-4eec-a36e-24ecf03b5376} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" 5396 1ce20c1b058 tab
    3⤵
    PID:3640

C:\Users\Admin\Downloads\MoonSpoofer.exe
"C:\Users\Admin\Downloads\MoonSpoofer.exe"
1⤵
- Executes dropped EXE
PID:3488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1048
  2⤵
  - Program crash
  PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3488 -ip 3488
1⤵
PID:2940

C:\Users\Admin\Downloads\MoonSpoofer.exe
"C:\Users\Admin\Downloads\MoonSpoofer.exe"
1⤵
- Executes dropped EXE
PID:1104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1016
  2⤵
  - Program crash
  PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1104 -ip 1104
1⤵
PID:2264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4196

C:\Users\Admin\Downloads\MoonSpoofer.exe
"C:\Users\Admin\Downloads\MoonSpoofer.exe"
1⤵
- Executes dropped EXE
PID:4176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 1016
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4176 -ip 4176
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
b8112e96cffccdc8ab541106763dbec0

SHA1
b7e117036b573f62929b68ad3f114d1866a72399

SHA256
efbf1ed92070f4f848aca84c3c1d6f53340fe819c163401ba967f3fb060c010f

SHA512
1510fcaae74565fe4c77707fd29fa7e10d468b677314c1f56a7a9199926b96671f13f83d57ba11f9b6b83aac55bce9661205a6e664ca09e4df9b6316b20e49ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
d12b6f050e99871911c302f70f04ae23

SHA1
92aa8847783733e595a2e293e30541209cc15ad6

SHA256
fe7fe52904e73e2ec92d173e94a26cb446248a8346ea65f747dd90f6e1962174

SHA512
a7f6f757c0655a7d90fa90b7aa8956e93b23f0b202d8dbc2dbbffc21fdcde21e878da55710b6feeef8f49cc908bfe15b16f2025a511e20910d59bb7bfc71e7ec

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
a3151d4f79eccf8e8c888d1791d5366e

SHA1
ec03947a1e9f4c8dbf1a681dc99e1d78d1478e94

SHA256
aad0042dd8eda704a4f5997b8ef7ebcb1ebad62393692e116535351f71ef6da2

SHA512
54ba3f9d44e601a59dc2b98f4773d64a271628e6f4ed3b9321bd6fe1873333548735a9bf87283ecbd6f7a4f9d09bd1c6c1f41a33f99370ffa4ce5401a1d6268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs-1.js

Filesize
8KB

MD5
70b1e0d2249d5412a8efb4ec774defd0

SHA1
a21274c204715f5564f8d9b462cd05c30243e21b

SHA256
dc5f24e73427f7f1086b4200858045a62e4d1cd3fe08f9d0f981f095b11a2655

SHA512
73c8d6d4bcb2cfd6b994f7ac025768e21c3facf9a727c59c98be7c03fb22d0029d849b20a346d71c2e17d6d7705d061c52892c1e499edc4734f8b8a2c620c32a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs-1.js

Filesize
7KB

MD5
29038fb4f521cf6c08778a6b7ee0a0ea

SHA1
d967bfa3e538bf97bc076b55e2c33ad6bd53be55

SHA256
0ba10fb095c489e9d6b19e090dd7ec1b6fe1b8eb4ed9e14afeadd828142f0d67

SHA512
9807bcbf5fcc6558b97da19ce9f1016f08ab7dc00bcca1e12b8158631569740fc696ea8b5a74663721fc0c91c122a5c5a8254880052c4c9ca478c4d2671153d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs-1.js

Filesize
10KB

MD5
cd7d9588a18fa7824c0d2799d5247613

SHA1
60e16e5538bb1f0bcf07b5d1473d7bec94f74c9f

SHA256
d5984c892621553121d9831546d8e41d8c0638ed5719062ca150499ca0aeb260

SHA512
a40c910a799a75a3c9ea8eaf414810312ca3d3ce78e2f8acfe9c02cf1ad901e23e346fe0bb16e1ede05bbd61654489c0c7da8af09c2c40db3ace4464e022d607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs.js

Filesize
7KB

MD5
c5d553ae2316bcff37627dd3ebc8dcce

SHA1
0908fbca4a3eff31fbfa2418dee9f74f639c4bba

SHA256
11c819c79ab64ca8854c232ed46bee83a247f566833cc7de72282096516e18b8

SHA512
e11d4a984b41af7aa7b857972e99b7ad4185a520f556a11ff9aabf44b61e85877f2895bc547f060562c2c308587e006ed83fec5f6b6a07c99c5c4202e79ca9e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\prefs.js

Filesize
6KB

MD5
4b810717aece703fa04f498dc662f741

SHA1
39b1a10dd55fc8140173e111df85cab1fad199dc

SHA256
16dff5ef84052cc7e438b1108b4bb87c8a9d18452d9fa4e7cc7e98005d03d710

SHA512
5e28c7cb0c9ce3a8bcd8d8108bb8e434783478cc7f2e7037513a81025f889d3cd0fb83d0caf569830230cf161ef7225f90108bf63d8d01b0750ea58195645315

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
ab0ad4e3e5407686c888208e15fd1ffd

SHA1
0b53413e251ff93f51e8c6316e5770f647b60367

SHA256
0bdeaba138148b45bfb9f1ca2e307772f26d3395f3698e6e0534e494f06f7378

SHA512
66a0f10e51d13540967adcc0449aca82eff29509e729071f6de44068ec97d2de1d0938af227917f6662c75ff0d5b3b2ff3ea5f65f7d1e300e6dec1a4cbb6e376

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
759523a1d8e264430310e10e41752f2f

SHA1
fe83b2ba399e0d0392ebedc42dc0495237e91d4f

SHA256
31d6d7909f79184bcfc681c84ad39cc676bdb88b462ba28abf0731d85e3c0788

SHA512
de356ac88e845294186996a53d433ee983880f0e23b7ed4ef11f9ee9cb2594b054d3e3fda21412808c4b5577b75b0150a4cee273dd2fd8085cb2b2d65849933e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a469b6e75fcebce1ef3539b8ff4ad409

SHA1
f77568e2077e03a05d3d67fc22db866c30a78b23

SHA256
9b0667392df6078d8db7a48779080c5736a47ba94fae06bdb076719abfa2bc76

SHA512
1661e87471eb6122ee63b31905ea7f8e14facf80ed1fc10d22f70b4c8b7e2b904ef164229dc70a83b6e7496a1d857087b74475051fa9fce8dc6222bdc5778877

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
696a16190d6ea98f7ba30f0a46164f5a

SHA1
f9761b9ca8da6fc0a99abf8dbc2f3240e7d85e0a

SHA256
8f5a3f423ddb50148858036ea2dc52c607b24dd6c7720f552942635521bc2519

SHA512
fe2c4d8d14e181d8a34175f2d9f38c759cb128a5a692aca70665bad34e615141e3e6a695e2e74f7a665542aaf67443b61769e69a431ed02ef5acc5be2554b3ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
e6d05e786606715bf7d58d183bcd88c2

SHA1
4f19e81258a83c80b9a7b3152302a335eda21952

SHA256
e00de01be3856a95bca6a3fca92341514cc959919fc081a536fe11b4ea4f396e

SHA512
d82c421cf0446796c8b570cdc881121e9fc574b58686a56d7b995c8daf38f50cf478a6dbecfb7ef44fa71a4b8ba84fc8c9104d051e72b44b8aa0bf991e36adf3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
9f63c3d2efe4bc3cdd475759658f6dfd

SHA1
d54ce53c156a0131e32bb179064a247fca14c228

SHA256
07aae7858f9784b5f57cd621e30a9a1cf65215ea1d0c5a2e5ecbb3e1b4e78a16

SHA512
e344100b62f910aaf4476406dee8060e8e3c55f723ed41f8fe0affaed6a4ddbd118d9bca53bc42b6f33ad8ab9fccd5e9b823d54d9b54f5cbaac7fbfb40f611eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
fcdccfe1da23d2f92aa70fe29d6f3ec3

SHA1
b067285d2fb18ff16f54c93d3cd714fd358dfbda

SHA256
6ae20a844d554518d19cf5ea63e203eccb6c77f353b9e61231be0320279422d6

SHA512
1f8ca6b2f3acb7868df621dc343538d438cd90cf58536a83544008c130724b38b1cb87132f21efbf3d707d974eebecbed1d52fbdbfb1d56affc0b0ecc7e20e29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
5a14ea446294e23c5a1977f736a6b0c0

SHA1
03d6fc4b9dd778095fdc1cbe603480c2bf11e90d

SHA256
4f3c59b8f665ff927bc81af185e79af352facdd19d90e65f7d7ba644f97e0d51

SHA512
4143969e651afe2fae4c358b444634c04a8a631c3d62ae170e096fa95762679df69bb46406640a2bf3641f86c570c2e4e5586256844045d078730b80c296df66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x1hfm7fd.default-release\sessionstore.jsonlz4

Filesize
11KB

MD5
ede632166cf6f8cea69b27d7be22b22e

SHA1
bb1451226c3f5b9c605f2395af31f971dbcbce35

SHA256
ae00bdc14947c4c22730cb8aa7a29063892648503efd126006d4dc7e4e3aa133

SHA512
de0fa370f0bf5ec2dc546d2161703ed71234ece4882cc0a615166bbc900028359f7ef024382a83862ab11a212e9a4d3f3b27b1af5071f0429d7423a018f9eb54

Download Submit
C:\Users\Admin\Downloads\MoonSpoofer.exe

Filesize
366KB

MD5
05a818e32cabf2959b6a163b3f24cdf4

SHA1
4ce4103680a0a654bc24be1a561292656fe59005

SHA256
01bfe4c5b557c60274cc43624b637c52f20584d8e4aa24d780e547c4b2ba1059

SHA512
8ff7351e2b0f67662e687466a4bff6661a89858b66b8975b535d942175ce48ce7c9bf7ee007d02d3d4c6fb6011661c1a5d95ceb7afa89e277f1675674333be1d

Download Submit
C:\Users\Admin\Downloads\MoonSpoofer.tspEHGZv.exe.part

Filesize
4KB

MD5
53f159d78b00be485177b8e53d7cbd0e

SHA1
342e56cc5ff7960c59b0e5248e26bc5c0e0c9e95

SHA256
24210705a9ad49249a38f98b7fc50b2f2c5d812dc80dc2b43472d5a4f0e1de64

SHA512
2217d86b037c177030d97cbd699a34fdb31b32671350388a4afad8f7dad6b745514200ecfcc31721d18151b4349492bf950909dd918b5931bdf7803034280cbb

Download Submit
memory/1104-2379-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/1104-2380-0x00000000058F0000-0x0000000005900000-memory.dmp

Filesize
64KB

Download
memory/1104-2381-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/1624-3-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/1624-4-0x0000000004A00000-0x0000000004A12000-memory.dmp

Filesize
72KB

Download
memory/1624-5-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1624-1-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/1624-0-0x0000000000010000-0x0000000000072000-memory.dmp

Filesize
392KB

Download
memory/1624-2-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/1624-6-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/1624-7-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3488-2365-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/3488-2366-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3488-2363-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3488-2364-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/4176-2484-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4176-2483-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4176-2482-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4196-2476-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2475-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2474-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2477-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2478-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2479-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2480-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2470-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2469-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download
memory/4196-2468-0x0000023C4BF10000-0x0000023C4BF11000-memory.dmp

Filesize
4KB

Download