780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f

Analysis

max time kernel
127s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
Size

900KB
MD5

8fe56e30eacadb8bbbdf7840c377e953
SHA1

fc78f67c6888b37c56469282cf5cbde3952e9a5a
SHA256

780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f
SHA512

472a5f9de8d7e2af7fd30e2f7165457da1afe690b5bd23825ee9efe583c0652077c284a631050ff6ec84ff9130dd9dac18bdc79522e6708f8c8492855182f97d
SSDEEP

12288:CqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaFTXE:CqDEvCTbMWu7rQYlBQcBiT6rprG8axU

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1764	taskkill.exe
3776	taskkill.exe
3236	taskkill.exe
4576	taskkill.exe
4032	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	4576	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	1140	firefox.exe
Token: SeDebugPrivilege	1140	firefox.exe
Token: SeDebugPrivilege	1140	firefox.exe
Token: SeDebugPrivilege	1140	firefox.exe
Token: SeDebugPrivilege	1140	firefox.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
1140	firefox.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
1140	firefox.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
1140	firefox.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1140	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1764	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	84
PID 2588 wrote to memory of 1764	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	84
PID 2588 wrote to memory of 1764	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	84
PID 2588 wrote to memory of 3776	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	90
PID 2588 wrote to memory of 3776	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	90
PID 2588 wrote to memory of 3776	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	90
PID 2588 wrote to memory of 3236	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	92
PID 2588 wrote to memory of 3236	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	92
PID 2588 wrote to memory of 3236	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	92
PID 2588 wrote to memory of 4576	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	94
PID 2588 wrote to memory of 4576	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	94
PID 2588 wrote to memory of 4576	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	94
PID 2588 wrote to memory of 4032	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	96
PID 2588 wrote to memory of 4032	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	96
PID 2588 wrote to memory of 4032	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	96
PID 2588 wrote to memory of 3756	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	98
PID 2588 wrote to memory of 3756	2588	780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe	98
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 3756 wrote to memory of 1140	3756	firefox.exe	99
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102
PID 1140 wrote to memory of 1612	1140	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe
"C:\Users\Admin\AppData\Local\Temp\780fe7aacde2ddddfe0ab2e1bb3675ccc9ab5d9d8681b833cdb3f7e56a04cd2f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29d2b718-2a6b-4fa2-9714-10fbbd91ac57} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" gpu
      4⤵
      PID:1612
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2380 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83f780cc-38a6-4871-b27f-78bbd39eac82} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" socket
      4⤵
      PID:1668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3132 -prefMapHandle 2704 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70543594-d3bc-408b-a25c-b08852c44ec4} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" tab
      4⤵
      PID:4780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 3728 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff7e60d0-6cd6-40c1-9c08-263d8dac95b8} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" tab
      4⤵
      PID:3568
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4772 -prefMapHandle 3748 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ea0d9a-0b87-4d5c-bee8-4d648e421171} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" utility
      4⤵
      Checks processor information in registry
      PID:2204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5200 -childID 3 -isForBrowser -prefsHandle 5172 -prefMapHandle 5364 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3ced9ea-448b-4342-9c50-7e5c332e5c0f} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" tab
      4⤵
      PID:4272
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {244bfcef-ccbb-4eed-baeb-0e5f80f4aea1} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" tab
      4⤵
      PID:2236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5796 -prefMapHandle 5800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f4eae20-cd53-4139-b936-c1c9564972de} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" tab
      4⤵
      PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
82138bc7cc959f45851f58a15a158f86

SHA1
b8c81c12b3a4c6d8ed12da34e141eb36d2846eac

SHA256
bd46103b7a2c68eb1043d423fd155ce1aba633c187a1c25753eaa92792fbab7f

SHA512
ce2e880cb45204c65c97c38f8936f913737a1e7740633300d44a6a0577a566b84e4254d076b3b0cb02a7a869b4dd5d5bdbf2ea57778e38a47b81a9218d04a001

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yuzka873.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
d05099df35430f0d37621b8b7cc1d892

SHA1
d5430cfdd25703851bcc55ce2aef61dfaaeb7861

SHA256
b8c5fb4844a1de0b43f5975fdd40a20361e088333ad0a4876473912601ab7ffb

SHA512
9bc9e19736a4ff48debd1b27ee41b4b5e2bf3524da7b7cc4133d7ee92838848f5fbe87234f98c24d65466830e4ec8edeb08a63168e90043e375481e9d05bcbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
6KB

MD5
89df184491eb0043596c83cea7b97dc4

SHA1
8a3cdbdfb75f8ded6574cd0e13a73ca49306468b

SHA256
73a1f2cdacd022ea90ece4df6adba33fb74b662d572d35c268e74d4ba7ac998d

SHA512
704f3724822bf24ef714e13b0af8dfe759bf55c95892dbdcec68c3af73b28f5afc823c71304fd52f6187a21a0bf050241b60e18109c7e5454c386204b259da27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\AlternateServices.bin

Filesize
8KB

MD5
212be5f44ef34369cc5c2d81fa3a0107

SHA1
3f13a24c82e9f491ed3677b36604dc776f88a48f

SHA256
82d80a43150951984bb9ed95005c38a93693da83b94f52bcdf42cb852c8a8384

SHA512
fd6f8f654f7c1ce3f4f7ac5a18370c188f1806dc5f26a96d8c28e3e657035b8de417883b50d156952872d5098e6e7f73f7dbf9a9eed26cf39ba42e8fc1f3d04c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
d271cae17617aef81b7269c89d3a93b9

SHA1
6a2ad396ba4fb1513a2e56468d90b8ae4308523a

SHA256
704b0eb498b7a6be0c5c04d5e36e264fb1bef1c04d1b61458d7cdd451c4160e8

SHA512
d693c5263e364e0199363f0c0e9fcadf3a9a12676585e3281431103e61b3a7aff2b649c661b6ee749a4809fbf3f259437eff492d8f35e02c5b691240fd8d9cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
4c1bd7bf8b9b60ad395fc921e7ec136b

SHA1
d8ca925872571be2551488df14b2acf2a21ee967

SHA256
98165d2ab946753a8059080b5369988d86dd0a7fe69e24f7cbeb37dbbcdb3ac0

SHA512
60d84380782f26e6ce554832806fc57c3496ad8958a9ea547f789c7cce55cbbce34312db55af3095bdf4ffded76e8d5ca727e82d804bb3b2827f072990b1c278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
84c58637cc20478c925d39c1fe4fc9dc

SHA1
319f93fff67653a3b6aa51f219ed5259f8f786ae

SHA256
86b979481b4b5f8d42b39d874045dc062e4ea8631d883cdc2c9567bbb53b61ca

SHA512
888e8abad055c40652dfd5c571e03bc13b8e464ae5e0e3c6d16c11d94e9b5d08bc16c469cd7864968991c1e9bd5ab682037dfc1cd94d247e8fce506162b7a6b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
6be5bb942291d502c94e7a98227e7e35

SHA1
d9d28009f2bb130614a79c94c1d6229056c74698

SHA256
4494e92bce09fed6d0d6b84fe1ec7f780915c4ea094e135d637215d1b1831f20

SHA512
950c8e5aa1b1bb4de716a0a41eba08948d389b7f90b14aeba5217befae23f335e909570db56739e59835030b63c1f3cebae269007bf6a49577ec5cf9422dc815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\039be1a9-0ee6-48a4-86fe-c4afcec4682b

Filesize
659B

MD5
ef46904d036ac05a7506ee6c97199537

SHA1
4ca3fb9afd9699dff5204d97443c8e8a18401d5f

SHA256
f869b77a8a28733fc4b2248e64e481d871fb037e416e0b1506adfef9655a6c72

SHA512
7d9077ebf6846def559c0b8842a5851e81499eb9a92434c7418cb188ad4e5b78e8fdb4ce9c5640be46f20646e5c5eb7fe24920425fc50ca51ae7c235c32b9fed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\datareporting\glean\pending_pings\633c569a-eb73-40b8-9075-1d5d2f355ca2

Filesize
982B

MD5
374b3d860f33184c8b155d468cab22f5

SHA1
1a4717f1af20537671a72a6348a182b2cf6fa239

SHA256
7d7a3d790da6e565c7e5e5746d241a6b43f267bbd428e501efbd44f3e9f31acb

SHA512
436fa7ef9e7abbb547ab3dda5bca265d943a8b9428f51ff311a3e847ae5d051363806b75b09eb5e51fc3a8eba76c7d62508a4d0a51b8d11c309828c5fda217df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs-1.js

Filesize
15KB

MD5
c32810eeabc1f1cdf94d49ee5581ac54

SHA1
2bb7979f49e3e0d6cb75b101fc49c8fc96490972

SHA256
3999e10217687f5a5e895e9d2b4eabc952f9eb94cd338f5a5bb5524186095035

SHA512
11ff559b762911dec4ca4739e7e7ab9bd5ea960f49d8326925caab5801b2c7ffdf720a5d18aa1eec9dc9614c143642771f22a360b9c7cd74a0ad0c9608687345

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
c28b7343a7dc51593307b0f9b4d07288

SHA1
4cf6146980e6cf57efaabc4764fc715eb0460b41

SHA256
8a1544282fb62e9773defc80195f84d5d2194a8094b22b44a1b4f8f1234f6596

SHA512
1e5630ae5889c73685b09659506aca7ecfc201e90a49f7c858f26109d9bc0ac782593af15ecaaf58797d689db46ac7e3005fe93c52bb92c272a1f3b16fc3b03d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
10KB

MD5
eea1a1f0b40365f4f522f671427096d2

SHA1
2d10064198ae12a62d548f5e3e94cc8df68be6c6

SHA256
994b50ad206cb8ff87e772423d26f46f585c7933363e17ca26a3e94fa09cd9b4

SHA512
33fbb34abfe13f4ac5c4bafd7c88e4d1dfcb114b9adf5eddb0d6add057b567474b03ffd7ee9a184d1528039f6416d1bd4b98f61ff55edb3bef95268e241c1241

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\prefs.js

Filesize
12KB

MD5
65470b5727874794f7c522a4095a63a3

SHA1
b0e87ff687c25027d32e2e0407828d3aca946231

SHA256
900b40c6d4d94092df3b708171e7fe217bb222309889e16898c49ed6dc132aea

SHA512
63adf7b0e9910300ddc3d2d91393b76da5120e0504628a7f65374f5e0c13bec86dab50ee108ea7cd56d71232df0053871dd262503b4956ea718f229b39e130d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yuzka873.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.5MB

MD5
70de1c6c2d0bbb95eaa6a79a7e1284b3

SHA1
0646b3a59c0e3419f45e60b99632678446b07bc0

SHA256
5e6be359ff22bd80e7d0f2d5e33ee075cf7b269de82997c98b6d900de93777cb

SHA512
705e28ce8c02ce9a7e7ca62d2999fae3fb372eaa2e0bbce6911e634e5c935169d448306e3c39ae6688b02c9d07c739892b15144388e070fe3cd7ffc29a1fab09

Download Submit