6952d1344838c24c94c91df876067c6af8ac53a91380662cd0c13b70446577b5

Analysis

max time kernel
86s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fire Toolbox V36.1.exe
Size

93.8MB
MD5

bfb873e1683e59dac64138cc329f499e
SHA1

70b739a30dbb3eac637e572ae192073831df1f77
SHA256

6952d1344838c24c94c91df876067c6af8ac53a91380662cd0c13b70446577b5
SHA512

0f6c74ab35ff97da55d5690ea68c8606b20cd8b73846060cdd58a549d5e83a402ac8e35e5125fc20d4eb4cbbf489b45e52a6b9bdb0beb573b919614c3e400c5f
SSDEEP

1572864:y1717171m17171717171s17171J111v171r171Q171S171717171A1717171914Y:y1717171m17171717171s17171J111vC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4952	adb.exe
1400	adb.exe
3912	adb.exe
3020	adb.exe
3520	adb.exe
2088	adb.exe
1476	adb.exe
728	adb.exe
4948	adb.exe
1312	adb.exe
1540	adb.exe
4964	adb.exe
2280	adb.exe
4020	adb.exe
3692	adb.exe
1984	adb.exe
2740	adb.exe
4952	adb.exe
3472	adb.exe
4248	adb.exe
2692	adb.exe
3508	adb.exe
3584	adb.exe
2440	adb.exe
4776	adb.exe
1456	adb.exe
1192	adb.exe
644	adb.exe
4920	adb.exe
1996	adb.exe
2112	adb.exe
2924	adb.exe
2756	adb.exe
1700	adb.exe
1644	adb.exe
1604	adb.exe
468	adb.exe
3436	adb.exe
904	adb.exe
4564	adb.exe
2576	adb.exe
712	adb.exe
2440	adb.exe
4352	adb.exe
3752	adb.exe
2264	adb.exe
3660	adb.exe
2148	adb.exe
2768	adb.exe
4956	adb.exe
5036	adb.exe
3344	adb.exe
4864	adb.exe
224	adb.exe
3524	adb.exe
2696	adb.exe
3416	adb.exe
3816	adb.exe
1540	adb.exe
3756	adb.exe
2328	adb.exe
4828	adb.exe
4004	adb.exe
3212	adb.exe

Loads dropped DLL 64 IoCs

pid	Process
4952	adb.exe
4952	adb.exe
1400	adb.exe
1400	adb.exe
3912	adb.exe
3912	adb.exe
3020	adb.exe
3020	adb.exe
3520	adb.exe
3520	adb.exe
2088	adb.exe
2088	adb.exe
1476	adb.exe
1476	adb.exe
728	adb.exe
728	adb.exe
4948	adb.exe
4948	adb.exe
1312	adb.exe
1312	adb.exe
1540	adb.exe
1540	adb.exe
4964	adb.exe
4964	adb.exe
2280	adb.exe
2280	adb.exe
4020	adb.exe
4020	adb.exe
3692	adb.exe
3692	adb.exe
1984	adb.exe
1984	adb.exe
2740	adb.exe
2740	adb.exe
4952	adb.exe
4952	adb.exe
3472	adb.exe
3472	adb.exe
4248	adb.exe
4248	adb.exe
2692	adb.exe
2692	adb.exe
3508	adb.exe
3508	adb.exe
3584	adb.exe
3584	adb.exe
2440	adb.exe
2440	adb.exe
4776	adb.exe
4776	adb.exe
1456	adb.exe
1456	adb.exe
1192	adb.exe
1192	adb.exe
644	adb.exe
644	adb.exe
4920	adb.exe
4920	adb.exe
1996	adb.exe
1996	adb.exe
2112	adb.exe
2112	adb.exe
2924	adb.exe
2924	adb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fire Toolbox V36.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4004	taskkill.exe
2528	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1968	Fire Toolbox V36.1.exe
1968	Fire Toolbox V36.1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	Fire Toolbox V36.1.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 3300	1968	Fire Toolbox V36.1.exe	94
PID 1968 wrote to memory of 3300	1968	Fire Toolbox V36.1.exe	94
PID 1968 wrote to memory of 3300	1968	Fire Toolbox V36.1.exe	94
PID 3300 wrote to memory of 4952	3300	cmd.exe	96
PID 3300 wrote to memory of 4952	3300	cmd.exe	96
PID 3300 wrote to memory of 4952	3300	cmd.exe	96
PID 4952 wrote to memory of 1400	4952	adb.exe	98
PID 4952 wrote to memory of 1400	4952	adb.exe	98
PID 4952 wrote to memory of 1400	4952	adb.exe	98
PID 1968 wrote to memory of 1180	1968	Fire Toolbox V36.1.exe	99
PID 1968 wrote to memory of 1180	1968	Fire Toolbox V36.1.exe	99
PID 1968 wrote to memory of 1180	1968	Fire Toolbox V36.1.exe	99
PID 1180 wrote to memory of 3912	1180	cmd.exe	101
PID 1180 wrote to memory of 3912	1180	cmd.exe	101
PID 1180 wrote to memory of 3912	1180	cmd.exe	101
PID 1968 wrote to memory of 1464	1968	Fire Toolbox V36.1.exe	102
PID 1968 wrote to memory of 1464	1968	Fire Toolbox V36.1.exe	102
PID 1968 wrote to memory of 1464	1968	Fire Toolbox V36.1.exe	102
PID 1464 wrote to memory of 3020	1464	cmd.exe	104
PID 1464 wrote to memory of 3020	1464	cmd.exe	104
PID 1464 wrote to memory of 3020	1464	cmd.exe	104
PID 1968 wrote to memory of 1192	1968	Fire Toolbox V36.1.exe	105
PID 1968 wrote to memory of 1192	1968	Fire Toolbox V36.1.exe	105
PID 1968 wrote to memory of 1192	1968	Fire Toolbox V36.1.exe	105
PID 1192 wrote to memory of 3520	1192	cmd.exe	107
PID 1192 wrote to memory of 3520	1192	cmd.exe	107
PID 1192 wrote to memory of 3520	1192	cmd.exe	107
PID 1968 wrote to memory of 3212	1968	Fire Toolbox V36.1.exe	108
PID 1968 wrote to memory of 3212	1968	Fire Toolbox V36.1.exe	108
PID 1968 wrote to memory of 3212	1968	Fire Toolbox V36.1.exe	108
PID 3212 wrote to memory of 2088	3212	cmd.exe	110
PID 3212 wrote to memory of 2088	3212	cmd.exe	110
PID 3212 wrote to memory of 2088	3212	cmd.exe	110
PID 1968 wrote to memory of 2912	1968	Fire Toolbox V36.1.exe	111
PID 1968 wrote to memory of 2912	1968	Fire Toolbox V36.1.exe	111
PID 1968 wrote to memory of 2912	1968	Fire Toolbox V36.1.exe	111
PID 2912 wrote to memory of 1476	2912	cmd.exe	113
PID 2912 wrote to memory of 1476	2912	cmd.exe	113
PID 2912 wrote to memory of 1476	2912	cmd.exe	113
PID 1968 wrote to memory of 1868	1968	Fire Toolbox V36.1.exe	114
PID 1968 wrote to memory of 1868	1968	Fire Toolbox V36.1.exe	114
PID 1968 wrote to memory of 1868	1968	Fire Toolbox V36.1.exe	114
PID 1868 wrote to memory of 728	1868	cmd.exe	116
PID 1868 wrote to memory of 728	1868	cmd.exe	116
PID 1868 wrote to memory of 728	1868	cmd.exe	116
PID 1968 wrote to memory of 2720	1968	Fire Toolbox V36.1.exe	117
PID 1968 wrote to memory of 2720	1968	Fire Toolbox V36.1.exe	117
PID 1968 wrote to memory of 2720	1968	Fire Toolbox V36.1.exe	117
PID 2720 wrote to memory of 4948	2720	cmd.exe	119
PID 2720 wrote to memory of 4948	2720	cmd.exe	119
PID 2720 wrote to memory of 4948	2720	cmd.exe	119
PID 1968 wrote to memory of 4004	1968	Fire Toolbox V36.1.exe	120
PID 1968 wrote to memory of 4004	1968	Fire Toolbox V36.1.exe	120
PID 1968 wrote to memory of 4004	1968	Fire Toolbox V36.1.exe	120
PID 4004 wrote to memory of 1312	4004	cmd.exe	122
PID 4004 wrote to memory of 1312	4004	cmd.exe	122
PID 4004 wrote to memory of 1312	4004	cmd.exe	122
PID 1968 wrote to memory of 1300	1968	Fire Toolbox V36.1.exe	123
PID 1968 wrote to memory of 1300	1968	Fire Toolbox V36.1.exe	123
PID 1968 wrote to memory of 1300	1968	Fire Toolbox V36.1.exe	123
PID 1300 wrote to memory of 1540	1300	cmd.exe	125
PID 1300 wrote to memory of 1540	1300	cmd.exe	125
PID 1300 wrote to memory of 1540	1300	cmd.exe	125
PID 1968 wrote to memory of 624	1968	Fire Toolbox V36.1.exe	126

C:\Users\Admin\AppData\Local\Temp\Fire Toolbox V36.1.exe
"C:\Users\Admin\AppData\Local\Temp\Fire Toolbox V36.1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell devices
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell devices
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
      adb -L tcp:5037 fork-server server --reply-fd 608
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1400
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3492
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3440
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4760
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1256
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3808
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1220
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4920
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3640
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1328
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1028
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:5072
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4464
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:1604
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2528
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3436
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4148
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:812
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb devices -l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb devices -l
    3⤵
    - Executes dropped EXE
    PID:3752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1868
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1320
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4500
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:876
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1500
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4900
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3524
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4196
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4808
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb devices -l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb devices -l
    3⤵
    - Executes dropped EXE
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1256
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - Executes dropped EXE
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4144
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3264
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4892
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3560
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2844
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4860
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:776
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:3812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2700
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb devices -l
  2⤵
  PID:2124
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb devices -l
    3⤵
    PID:3660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3416
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2240
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1300
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4436
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:3728
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1020
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1608
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4676
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb devices -l
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4596
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb devices -l
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c TASKKILL /IM adb.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3816
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM adb.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:468
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:3212
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  PID:1616
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c TASKKILL /IM adb.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Windows\SysWOW64\taskkill.exe
    TASKKILL /IM adb.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c adb shell getprop ro.product.brand
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
    adb shell getprop ro.product.brand
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
  - - C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe
      adb -L tcp:5037 fork-server server --reply-fd 568
      4⤵
      System Location Discovery: System Language Discovery
      PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\AdbWinApi.dll

Filesize
95KB

MD5
ed5a809dc0024d83cbab4fb9933d598d

SHA1
0bc5a82327f8641d9287101e4cc7041af20bad57

SHA256
d60103a5e99bc9888f786ee916f5d6e45493c3247972cb053833803de7e95cf9

SHA512
1fdb74ee5912fbdd2c0cba501e998349fecfbef5f4f743c7978c38996aa7e1f38e8ac750f2dc8f84b8094de3dd6fa3f983a29f290b3fa2cdbdaed691748baf17

Download Submit
C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\AdbWinUsbApi.dll

Filesize
61KB

MD5
0e24119daf1909e398fa1850b6112077

SHA1
293eedadb3172e756a421790d551e407457e0a8c

SHA256
25207c506d29c4e8dceb61b4bd50e8669ba26012988a43fbf26a890b1e60fc97

SHA512
9cbb26e555ab40b019a446337db58770b9a0c9c08316ff1e1909c4b6d99c00bd33522d05890870a91b4b581e20c7dce87488ab0d22fc3c4bbdd7e9b38f164b43

Download Submit
C:\Users\Admin\AppData\Local\Datastream\FireToolbox\adb\adb.exe

Filesize
5.7MB

MD5
e0473372b98e481f0fc6c5395402f2b5

SHA1
f31a3308bb0e8779da0664a554ed790af818658f

SHA256
1dd18b061a5926107812d71905d957e8865b08f6e7d71d3a4d041cacc29d33e6

SHA512
ba2202725ed16968472f37da3e51d1224f3015a5949bdadea6bf2e86b68e930593d92c96c56c3a5f4ec383cb1289526fe0a100f1b713e362be2a9b6c6434656d

Download Submit
C:\Users\Admin\AppData\Local\Datastream\FireToolbox\bin\Settings\Settings.txt

Filesize
356B

MD5
16c4a012d5e6792e60d5c14100806c01

SHA1
54c9ac05b584c7c226dae370828dba9253dd1308

SHA256
9b1dda8ae65e779a05a207230901b3a68c28fefbf6320eefb9877782873838ab

SHA512
383c4e15a0b0516da0cf5a3fa4045684de67832dc5775176c4675a4b90c6a13dbd20b01bef1cb549baca33414892e6705b32511ab22958d0f61c88a01e71de95

Download Submit
memory/1968-253-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1968-254-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1968-6-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1968-7-0x000000000B160000-0x000000000B1B6000-memory.dmp

Filesize
344KB

Download
memory/1968-8-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1968-9-0x000000000DF00000-0x000000000DF0A000-memory.dmp

Filesize
40KB

Download
memory/1968-11-0x0000000011CD0000-0x0000000011CE2000-memory.dmp

Filesize
72KB

Download
memory/1968-252-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/1968-0-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

Filesize
4KB

Download
memory/1968-5-0x000000000AF70000-0x000000000AF7A000-memory.dmp

Filesize
40KB

Download
memory/1968-4-0x000000000B060000-0x000000000B0F2000-memory.dmp

Filesize
584KB

Download
memory/1968-3-0x000000000B610000-0x000000000BBB4000-memory.dmp

Filesize
5.6MB

Download
memory/1968-2-0x000000000AFC0000-0x000000000B05C000-memory.dmp

Filesize
624KB

Download
memory/1968-1-0x00000000007E0000-0x00000000065AC000-memory.dmp

Filesize
93.8MB

Download
memory/1968-272-0x000000000F540000-0x000000000F5A6000-memory.dmp

Filesize
408KB

Download
memory/1968-291-0x000000000F870000-0x000000000F922000-memory.dmp

Filesize
712KB

Download
memory/1968-304-0x000000000F510000-0x000000000F532000-memory.dmp

Filesize
136KB

Download
memory/1968-306-0x000000000FE20000-0x0000000010174000-memory.dmp

Filesize
3.3MB

Download
memory/1968-321-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1968-330-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download