hxxps://drive[.]google[.]com/file/d/1lP-GGv6x7E8g6WkAf_XddrBjOWrWSvSb/view?usp=sharing

Analysis

max time kernel
158s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-09-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1lP-GGv6x7E8g6WkAf_XddrBjOWrWSvSb/view?usp=sharing

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
14	drive.google.com
15	drive.google.com
16	drive.google.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4812	ZoraraUI.exe
4812	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
1696	ZoraraUI.exe
1696	ZoraraUI.exe
4728	ZoraraUI.exe
4728	ZoraraUI.exe
4404	ZoraraUI.exe
4404	ZoraraUI.exe
2940	ZoraraUI.exe
2940	ZoraraUI.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\meowrara2.6.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4812	ZoraraUI.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
2908	ZoraraUI.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
1696	ZoraraUI.exe
1696	ZoraraUI.exe
4384	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4384	taskmgr.exe
Token: SeSystemProfilePrivilege	4384	taskmgr.exe
Token: SeCreateGlobalPrivilege	4384	taskmgr.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe
Token: SeDebugPrivilege	4952	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe
4384	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe
4952	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 3716 wrote to memory of 4952	3716	firefox.exe	81
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1668	4952	firefox.exe	82
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83
PID 4952 wrote to memory of 1812	4952	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1lP-GGv6x7E8g6WkAf_XddrBjOWrWSvSb/view?usp=sharing"
1⤵
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1lP-GGv6x7E8g6WkAf_XddrBjOWrWSvSb/view?usp=sharing
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8963081-422c-4cf8-a0c7-93d631a26a75} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" gpu
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aad4371-ff00-4d18-9cd7-b5ba403db9e9} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" socket
    3⤵
    PID:1812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -childID 1 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c6767df-4ae8-4019-b0fd-963a35050c0e} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3952 -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0595aed-3010-4515-b427-833109a93de5} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2932 -prefMapHandle 4832 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cda1823d-ca20-4c4d-aa6d-1f50934654a7} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" utility
    3⤵
    - Checks processor information in registry
    PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5456 -prefMapHandle 5452 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d16fb1fa-15a3-4baf-a053-65b577d9a1f1} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5592 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {48ced6e3-a2f1-405d-9ebb-a8de746cefec} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:2780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5764 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78c6a21f-6b19-49da-8bc9-72d072caf6e4} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:3820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6380 -childID 6 -isForBrowser -prefsHandle 6384 -prefMapHandle 6172 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1816400-c26b-411b-a707-30a34d85d2c0} 4952 "\\.\pipe\gecko-crash-server-pipe.4952" tab
    3⤵
    PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:924

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4384

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\zorara roblox exec\settings.txt
1⤵
PID:3788

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4728

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4404

C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe
"C:\Users\Admin\Desktop\zorara roblox exec\ZoraraUI.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pzaexue0.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
919fa5cfb24fdd1c778cd4e0a1f1b142

SHA1
4c77dad870b1b1576364efeda7f13b5c632568e2

SHA256
69e3c8260448753e1318493fb3be088dcb571288adfacc2a8b0a9b6ee2d8bcfe

SHA512
fb450803db7905f111770ddba022baffe69320aad5fad6d45edc9200e9f51b615d05a1f2e05b72ebab57ef2bc2ce4fc6d6af1e1b5f1716d39555dea23469d304

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

Filesize
11KB

MD5
ad42ff13a688112744ff766a197763a3

SHA1
d417d25960635a86fb0a5ec95d1546f3c2c7e82c

SHA256
643fdf4fcb6f0a6bd474224f75d9f45c804aec98e5affad8c05d439b76257c38

SHA512
905e0e521fc608526acb3d484a2b32ae74f927c502afd5f429efc6d926b6c5e775aefcfdd59b98e4c4eb3225a7397576ad03d470fed9e18fd162c8f8466ed3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\AlternateServices.bin

Filesize
28KB

MD5
e8e2c65f5dea4bd2e0a8c3d3a54df91f

SHA1
13381ffe9d389fafffc92fb9b4491645ea92b8dc

SHA256
382ff905338d5a67ce1abbe26fe30d77f321dbf3f8086fa21fe3d4b6b167e217

SHA512
dbf223ab456697b38d347631a2b5b27836aaa934d7af907c4d496bd0a4e14656da7304556c9796f83c79f656d5b6ed72a70c7f0396596c2ee591403873b284cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e6bf4dd23531339a5c0942fa6c6ab2ac

SHA1
f0f26d35cc3a4f3a5d8cd96a542fe99b56965465

SHA256
099d6811341042f083ca4d5508229af0edae98947d9dc752369f7b81ba0b0556

SHA512
91e5c8bf4e99f3cfffc6482b72469b93b6193d888817e8c415620a51bb19232b6aa01912c541090a53523b01a544fe342e96ea07fb2ed90962b6dd7a585d2278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
2f05e3c3f818fd8b274bd5e408e2af77

SHA1
6e70e10f434a56faaa705c7f6549099a0d9c3e5f

SHA256
87896bd88b7296e240ffe0a587f99eb13b4c0d333d54fd33ea6e8d45a8554b36

SHA512
120aa78f09d9762254734558fadd6d91aaada71e5d0c878a44044e51f5419ceb7450068633acbb40c5c9572e71f477a91600893c839473da45b124afbd1d0b3f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\1fb8e336-6ed4-43e6-840e-467b2a15da8d

Filesize
27KB

MD5
c0a67c40c6c005a479e0b77f00ab6cd7

SHA1
a5b2a1805a3e11c741f3d5301c1b47a39009a176

SHA256
9386395213976c615343530528f6c2d837aad7b297c8d67f52b4b55858445587

SHA512
56427740313fb7681b35e8cec21ea39bfa5d8a16045ef3384b715e6a503db86af76503bc172d607e50c354b076ae59e22c69e55866b4df9df467a94ed97d0b75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\9937663c-b529-4633-9af6-77d9d2fe42e3

Filesize
982B

MD5
ce8187afe6fe5479c093c56fd9c56fa1

SHA1
324300da374baa7624a72e2ecdaf2e00fbd739b4

SHA256
cba0a65f818a99caf2e9fa008c5a59cb0a21391993e4ef6d633c8bbbbec755e7

SHA512
6e3d14892735fb7546abe53be752fcc9d52ec0a71097b26193e03cb336cc614b00e44d52760954e8877148b9c8f50ba8b751f6508390ae5b4b6bd6e20c224bd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\datareporting\glean\pending_pings\ac463b14-9cf9-4438-86b7-b97bb0dc955d

Filesize
671B

MD5
782187beafc770a2a1b09a2ca53594bd

SHA1
c7aa0db13a99012c0facb8e120923ece173293d6

SHA256
78ddee0bf8d05dfa837bd8ad427e7850c4ccf4f8b29dc9c7c699ee19a811eba4

SHA512
a4c8e47ec3c73b3d43a8c7b1734a26cf4dca503a07df0716dfabd9587b2b4639de50d21af964f1df0f97fb829debd15a54adc2a6318304197b814e0c149b6cd6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs-1.js

Filesize
11KB

MD5
a12c5a76e1f6760584000129ff75930e

SHA1
e37a0b1a875c1e2fc22f38fdc726e65eb6e398dd

SHA256
1abed1b552ff564c38face6d0d92303a11903084eb344af3189faa811a977710

SHA512
80d73288a70ebfd12edb4fe66a9d98d1a645ba9e395658e08308c4f0925f8b123654e0b22326acc4197f3c0027fb6259162f3c2ae874bd19b89f7e0eb0927626

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

Filesize
11KB

MD5
82e9c903f2a803d4c1fde51a61a438aa

SHA1
4b7a090db461511ab884a2ed80dfec50dad2c70d

SHA256
0a4e952ce39c50676f995ce8cecaa99c869f1618f289f17a941a68306a90ad2f

SHA512
8f2b8672dc1709379ff803d049a39f896365de34b95e9d057e049409e5f055f44a98c8c2069f26fbaadc449b533ddc585c5b22f1cac0d5167a5d5faf50531014

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\prefs.js

Filesize
11KB

MD5
766cf278a16c87f861e38363e00d7676

SHA1
40cf038e8b15489eefd99f5afa112abea80c9eb3

SHA256
467d340f710cfa49dc374ddbfb25ec897229c8ae28feae21121c5103a9dbcf3a

SHA512
e371609b0e09b398789a6558a78df4ea4a60beeb24320a0b160f14a9f17fa2a7c5085f17e0b012924197f2262a808755ebbc1270c808edd62552c388a598e290

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pzaexue0.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
2363f6546580a8509bfd67e000a3b5af

SHA1
2b0331d21d53b020e90e8d525fb240330ff68179

SHA256
2d188530596038c17248c9381ae0761e9a9ac17c2980e130f0769e42a6478938

SHA512
ce2f7b88c76728f4cd61c372e5c22411345d8d531929723750eaa0c4a4761aca5f3b684d77e8fef7ff5bda30e2dd83250ddfe5f96d31b3784bf76e49029532eb

Download Submit
C:\Users\Admin\Desktop\zorara roblox exec\settings.txt

Filesize
10B

MD5
4c65e2f855d8696d18ab503ca9f4cbfc

SHA1
448a8b537b3dfa966682a496168bae8555c3c889

SHA256
268eef82beb074b0ebad1eaa73261d87f97ca50dbcdde8fc5621ed50c5f1faea

SHA512
c127295e977a579679201f36c9c70233ebbf70bf1cc8f6a83283d75c853935902172de3dc8b19eefddd64e182219926d5ecae944a993505e86994cc813e82b59

Download Submit
memory/1696-611-0x00007FFA69110000-0x00007FFA6A646000-memory.dmp

Filesize
21.2MB

Download
memory/2908-593-0x00007FFA69110000-0x00007FFA6A646000-memory.dmp

Filesize
21.2MB

Download
memory/4384-583-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-579-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-577-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-578-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-580-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-581-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-582-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-571-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-572-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4384-573-0x000001A6A4B10000-0x000001A6A4B11000-memory.dmp

Filesize
4KB

Download
memory/4728-633-0x00007FFA69110000-0x00007FFA6A646000-memory.dmp

Filesize
21.2MB

Download
memory/4812-558-0x00007FFA92A10000-0x00007FFA92A12000-memory.dmp

Filesize
8KB

Download
memory/4812-557-0x00007FFA69110000-0x00007FFA6A646000-memory.dmp

Filesize
21.2MB

Download
memory/4812-550-0x00007FFA950F0000-0x00007FFA950F2000-memory.dmp

Filesize
8KB

Download
memory/4812-551-0x00007FFA95100000-0x00007FFA95102000-memory.dmp

Filesize
8KB

Download
memory/4812-553-0x00007FFA95120000-0x00007FFA95122000-memory.dmp

Filesize
8KB

Download
memory/4812-565-0x00007FFA69110000-0x00007FFA6A646000-memory.dmp

Filesize
21.2MB

Download
memory/4812-555-0x00007FFA936C0000-0x00007FFA936C2000-memory.dmp

Filesize
8KB

Download
memory/4812-556-0x00007FFA92A00000-0x00007FFA92A02000-memory.dmp

Filesize
8KB

Download
memory/4812-554-0x00007FFA936B0000-0x00007FFA936B2000-memory.dmp

Filesize
8KB

Download
memory/4812-552-0x00007FFA95110000-0x00007FFA95112000-memory.dmp

Filesize
8KB

Download
memory/4812-549-0x00007FFA691E7000-0x00007FFA699A3000-memory.dmp

Filesize
7.7MB

Download
memory/4812-564-0x00007FFA691E7000-0x00007FFA699A3000-memory.dmp

Filesize
7.7MB

Download