4aebcfdabaf24b54f8dca1b2d3c050708a6ee12a1b26709b0cd782656688027c

Analysis

max time kernel
133s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape_V4_BestMexico.zip
Size

18.6MB
MD5

9f6b55f49bac22f54beee8decf325ad7
SHA1

b2e73f02bda1e604c82d39b86213d64589b04526
SHA256

4aebcfdabaf24b54f8dca1b2d3c050708a6ee12a1b26709b0cd782656688027c
SHA512

91e5de66f3c77fd9f7b426d017bc0c79b438d8a2e22b5d2bcd2aa4a6b1e0b8dc0e4eef6cec157379dba9ee25e99d7578813578d0e54cc73e412b716b8ba687e7
SSDEEP

393216:HSEJ57dIIZLiSmmpO9NZNX4IuYP3lJCuSsMiJOmDPs2m8Ck:yo7GF42+YP3lJCuSgJOmDqo

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4008	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
65	pastebin.com
66	pastebin.com
62	pastebin.com
64	pastebin.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Vape_V4_BestMexico.zip:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4524	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5064	firefox.exe
Token: SeDebugPrivilege	5064	firefox.exe
Token: SeDebugPrivilege	5064	firefox.exe
Token: SeDebugPrivilege	5064	firefox.exe
Token: SeDebugPrivilege	5064	firefox.exe
Token: SeDebugPrivilege	5064	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5064	firefox.exe
5064	firefox.exe
5064	firefox.exe
5064	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5064	firefox.exe
5064	firefox.exe
5064	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5064	firefox.exe
5064	firefox.exe
5064	firefox.exe
5064	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 1636 wrote to memory of 5064	1636	firefox.exe	88
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 864	5064	firefox.exe	89
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91
PID 5064 wrote to memory of 3500	5064	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Vape_V4_BestMexico.zip
1⤵
PID:2332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.0.1030944602\814575128" -parentBuildID 20230214051806 -prefsHandle 1792 -prefMapHandle 1784 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6633057-637b-470a-91f5-15a97070bd2c} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 1736 217ee50dc58 gpu
    3⤵
    PID:864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.1.869716196\413933956" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d78c010-33fd-4903-9349-56f521a88f1b} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 2432 217e188a258 socket
    3⤵
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.2.914902811\507385736" -childID 1 -isForBrowser -prefsHandle 3120 -prefMapHandle 3116 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fafaba2-cd8e-411b-a673-06fbdc6ab8a6} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 2808 217f1207858 tab
    3⤵
    PID:4252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.3.1827952368\772333585" -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 3680 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdce6c92-8fad-4577-9970-5e0a227731b8} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 3696 217e1883258 tab
    3⤵
    PID:4280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.4.668314522\1087372831" -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5280 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20f76bfb-a96a-4ec5-b1b7-76db679a11c9} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 5388 217f3f92858 tab
    3⤵
    PID:4704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.5.1734731706\828556816" -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93c740fb-c086-4316-9c99-70fa4ecc6890} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 5256 217f5c81858 tab
    3⤵
    PID:1412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.6.1307698355\1937230615" -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {556fce8e-499e-47b9-bbef-94a597a955a9} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 5764 217f51ee658 tab
    3⤵
    PID:1384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.7.1353083180\125515914" -childID 6 -isForBrowser -prefsHandle 3188 -prefMapHandle 3000 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fd582b2-9ee2-4427-bc0b-62e58c58f2ba} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 5856 217f6414858 tab
    3⤵
    PID:4728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.8.1240329548\853816952" -parentBuildID 20230214051806 -prefsHandle 6172 -prefMapHandle 6156 -prefsLen 27776 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d8d9d3a-30bd-4c08-a625-aef3100227c3} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 6180 217f6527f58 rdd
    3⤵
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.9.546066218\1029246193" -childID 7 -isForBrowser -prefsHandle 10092 -prefMapHandle 10192 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d99018a-3d9b-4682-9a05-429a3b61ead9} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 5084 217f5183e58 tab
    3⤵
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.10.835951803\1690167669" -childID 8 -isForBrowser -prefsHandle 9844 -prefMapHandle 5092 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe71d8a6-8237-439b-a2f2-e8e962bdd3b8} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9856 217f71ae958 tab
    3⤵
    PID:3708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.11.238353773\1214412215" -childID 9 -isForBrowser -prefsHandle 9836 -prefMapHandle 10072 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0159d73-69b1-497a-929d-a9c13f557461} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9636 217f49eb958 tab
    3⤵
    PID:2428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.12.1201546201\1345866417" -childID 10 -isForBrowser -prefsHandle 9456 -prefMapHandle 9644 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad56b9ed-18a2-4b04-a51d-a5df8728d66e} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9468 217f5c7e558 tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.13.1121037778\39341939" -childID 11 -isForBrowser -prefsHandle 9268 -prefMapHandle 9476 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2da0441e-45f5-458e-9206-e381ab1124f5} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9280 217f7858858 tab
    3⤵
    PID:5112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.14.1095698920\1982976861" -childID 12 -isForBrowser -prefsHandle 9076 -prefMapHandle 9072 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6589223-565e-414d-a62f-67834effa621} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9064 217f772e958 tab
    3⤵
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.15.1384538218\1581117526" -childID 13 -isForBrowser -prefsHandle 9456 -prefMapHandle 8876 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65c2dcfd-7186-4973-9f92-d727a523d473} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9652 217f7a96f58 tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.16.1930339310\1336131661" -childID 14 -isForBrowser -prefsHandle 9424 -prefMapHandle 9420 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78265f65-5c9a-421e-ab35-7758ebf7d8da} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 8768 217f7a95758 tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5064.17.215255241\834150883" -childID 15 -isForBrowser -prefsHandle 8664 -prefMapHandle 9236 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {756200a3-849c-46e8-8a00-1c42442f4c96} 5064 "\\.\pipe\gecko-crash-server-pipe.5064" 9820 217f71add58 tab
    3⤵
    PID:5796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Vape_V4_BestMexico\Vape V4 BestMexico\vape v4.10\bapeclient.bat" "
1⤵
PID:4608
- C:\Windows\system32\mode.com
  mode 55, 9
  2⤵
  PID:5080
- C:\Windows\system32\PING.EXE
  ping localhost -n 5.5
  2⤵
  - Runs ping.exe
  PID:4524
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
  2⤵
  PID:4548

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Vape_V4_BestMexico\Vape V4 BestMexico\vape v4.10\vape-loader.jar"
1⤵
PID:4736
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:4008

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Vape_V4_BestMexico\Vape V4 BestMexico\vape v4.10\Vape-v4.10.jar"
1⤵
PID:808

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\Vape_V4_BestMexico\Vape V4 BestMexico\vape v4.10\Vape-v4.10.jar"
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
3a4b0710cf581273e7cac13749054774

SHA1
4adaed41eb8cdb0ef969222594ebaa5bde1329dc

SHA256
2844ac1e1ca138393190828fc7ad9a0475ac436f18dcbabc730ea1274d9f4762

SHA512
07d3d31c50ae8571b1b99e40817e5a4e5bbb5130bd031dd952fda3c45b68951bc074ef4c24f71673ef58e76d963ad9c939844778af230be2e96492297f6d3d26

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
ebbc37c3387ad845f4d88da3ca6f15bd

SHA1
c6722cea910b5299d2a906c4943ea943172ead67

SHA256
73132a301785f0378cc4ab36f519459e25821b8e47b547fe1ac61927b44cfb7f

SHA512
24589df33e969df217ca3a473ddcc23b4db68884ed8ea7a44c7e37cfc1f46b7c949a60b2a98492258c2f1e7256dac2f673fe428452f339a0b7b734c6f39bc6fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\cache2\doomed\27382

Filesize
7KB

MD5
46925c0bfc4781c8b9fa69cbdd5e95f6

SHA1
d8478570c38d3ab0a09202790b37cf98b982bc46

SHA256
107f0c4058f34bd4dce49b8443ca23f1f856331053165b3426a9c4f6129f6200

SHA512
3e4f14a36cee00b90aa93303287420ecb4fd34a84114c71093b51e9e71cd904d761717eec8856ccb5a12f381642762074e176746c43189d6bf178e77533c14a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kqdoq520.default-release\thumbnails\457dde8ba547fd3e7a39555e99471c0b.png

Filesize
4KB

MD5
b0e8b64ac34173fab7dcd11611d7489a

SHA1
ab2fa68e9fbbd2e5972de7bf9236061d0b38334b

SHA256
df287dff1a0893a22e419894f08fae2450f11fb7d4169d5b1bf5a58a262d493b

SHA512
5160d63a8bb79db252be40b33b7ab2813288af808940c5b6a3768a0684e30d7bed899653eb6dd52d9a0d7cecbcaed041e22903a1800226f4aaf54accde015305

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
7KB

MD5
16df2a20d8a2766dcfd55c28d62eec67

SHA1
a37bd749f978b3069b6cd72f7257fcc7fecee9f3

SHA256
44c6aa6904b5fb0ec68748bde7151a915c1fdfeb9b6775ad9189a1ba1d485b28

SHA512
4dbc0b5d9b6dbbf85fc404602be6ea3a78852ffd1217ddbc8dab43843a5a9ec659ca6a3b2e6362311e4de35548239b550a2194ee0687e21025ddb18f23cbf090

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs-1.js

Filesize
6KB

MD5
a35ca77f13b801d462d703e89f879593

SHA1
768eaa6008c955db05101c1f4aa492e5b7f8dae2

SHA256
7726de3ae4c404c855c9eb16796b6f05f5460052f25c90da0afffad694034718

SHA512
fa1fcb03bd0b5b4c8a73e2fb23489361812df98d68ab3b9ab6332e03a36fa42428a2922b81091a9d8fafdeff2d5fe1518ef1086fd896bc580d3002a55de18311

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\prefs.js

Filesize
6KB

MD5
041397741d843033ad9bf8a54d166c99

SHA1
b92552af34fb33e6c9aac63a265fd5c75d9a036b

SHA256
4aede0045e2028b340422a852bae5830b5f5ed304a19dea71da70e12b7fc2a58

SHA512
22de7ee0ef8861d0ec3694012875ff825c09de94301b89ac444c24876f01635646bc4e7d9c323318fe55daa04422dc2a3b1f0bc022c516a837ca4f2f42d634b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ebf13d8198ff91ed2b55c6ef14afc439

SHA1
5116c7ce60d808e5f9cda769d555dd3244dfd13e

SHA256
947d481de8eb5cdf13e653b2806d2a0cd322bb1d4b44119197f76b0d3e3f56e1

SHA512
7ef0376a07d5d2e9e5cce4db35b7038cb810108eaf34faaa70aed0f5ba4489149cb41ea9f51f9bbd0600220be74185a239c2ecb802ff56a40285e76c3906a0c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6ed7f8ce97a011ee5b37b4c021f8c479

SHA1
f2fd517360ab3e9a9883e805d0b1ce7832bd8c37

SHA256
6f50b2a8a6897c74bd8477d4478fa7207197c97b0d3c61f6e0f980c5495ba6a1

SHA512
8287b6e4ec0c46eefb0caa9be6849f2c42682ae7dbe9353b9dd8a47bbc924fdfacea7c776221f1d6e93d105fb2338a1de9e8b3816b4b310acb4a3888b074ff1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
d3c6465263ae717af280e100c584c9aa

SHA1
0b57f2fff3155f35b2135a04c2d1926cce4b2cf1

SHA256
ca02021ae484cae09a966fa5a8d93674b97f3a666a954b6c30470f1717193d58

SHA512
3f1c829704874650c6b6d41982424aa0d5c89cdc25f5cc79212240e7271bfadad31f7b33f29e5b6e9bed1077f8fcc48ceb113d75a462975020247d59d76b5a83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ce7d505f7e753570c96274dce3ac963c

SHA1
3494a9dcdd3393c4b98159ea60694c2c492bfd85

SHA256
4280e9e1b988d00072e4a7e7d5fa45f39f4c80f21921ee5d24a12cac1c71ec0b

SHA512
a5115784066d5f62e8a7f43618e2bc7dddeee881cf430107c469835e0a546f2a7e0b4657ad87b9752ab02e13e35b41d0e05b262304d875448e1918aeb23ba70b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kqdoq520.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
0ddd6af5238aae5729cbce0be298e9e5

SHA1
dab2723db93f2190e28dcb710e3c9d52f04a4aa6

SHA256
06a98554bf94feeb1b37f014bdb152222126ca65be72f84253c3f3dcb0012af6

SHA512
55ab1e41f337da40674402f00ad49cc8f6842b45b463f18c17af713a8e1c2c32ae50b05be8a51431c9205754bf8db18b116c61698db22946e4d427ad14ae0738

Download Submit
C:\Users\Admin\Downloads\Vape_V4_BestMexico.gCY2Nr6G.zip.part

Filesize
18.6MB

MD5
9f6b55f49bac22f54beee8decf325ad7

SHA1
b2e73f02bda1e604c82d39b86213d64589b04526

SHA256
4aebcfdabaf24b54f8dca1b2d3c050708a6ee12a1b26709b0cd782656688027c

SHA512
91e5de66f3c77fd9f7b426d017bc0c79b438d8a2e22b5d2bcd2aa4a6b1e0b8dc0e4eef6cec157379dba9ee25e99d7578813578d0e54cc73e412b716b8ba687e7

Download Submit
memory/4736-418-0x0000027376970000-0x0000027376971000-memory.dmp

Filesize
4KB

Download
memory/4736-420-0x0000027376970000-0x0000027376971000-memory.dmp

Filesize
4KB

Download