e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
Size

898KB
MD5

f59d538ee5ef5cf3a012736bac251421
SHA1

ca8de9af1731dbe3a8a478efe0fa63bdb0dc7b77
SHA256

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc
SHA512

4c1604e92fccfb906ac80ac7452b5df1981ddc1f28f6c530d22e4707b808b29b3200735d92bc6bca77aa4f3b59b88da7f864b0c1dc28eba3400190b3d219fac9
SSDEEP

12288:KqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/T1:KqDEvCTbMWu7rQYlBQcBiT6rprG8ab1

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exee6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2320 taskkill.exe
3408 taskkill.exe
4688 taskkill.exe
4444 taskkill.exe
4292 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings firefox.exe

pid	process
2320	taskkill.exe
3408	taskkill.exe
4688	taskkill.exe
4444	taskkill.exe
4292	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe

pid	process
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	5076	firefox.exe
Token: SeDebugPrivilege	5076	firefox.exe
Token: SeDebugPrivilege	5076	firefox.exe
Token: SeDebugPrivilege	5076	firefox.exe
Token: SeDebugPrivilege	5076	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exefirefox.exe

pid	process
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exefirefox.exe

pid	process
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
5076	firefox.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

5076 firefox.exe

pid	process
5076	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exefirefox.exefirefox.exe

description	pid	process	target process
PID 1176 wrote to memory of 4688	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4688	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4688	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4444	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4444	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4444	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4292	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4292	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 4292	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 2320	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 2320	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 2320	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 3408	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 3408	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 3408	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	taskkill.exe
PID 1176 wrote to memory of 2000	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	firefox.exe
PID 1176 wrote to memory of 2000	1176	e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 2000 wrote to memory of 5076	2000	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe
PID 5076 wrote to memory of 3396	5076	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe
"C:\Users\Admin\AppData\Local\Temp\e6729a92f0d45da80c853970760938cef40dab4aad3882330255810df7fd90fc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM firefox.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM chrome.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msedge.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM opera.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM brave.exe /T
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2008 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8904f984-be47-4bcd-ba40-ebba3413e497} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" gpu
      4⤵
      PID:3396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a50c41b-1749-4e7b-ad83-a23abee67d2a} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" socket
      4⤵
      PID:396
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 1428 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e641a33-7822-4a99-aaf0-cae330b63118} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" tab
      4⤵
      PID:5092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1412 -childID 2 -isForBrowser -prefsHandle 3996 -prefMapHandle 3456 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7db7ecbe-0f3a-4682-9247-18c2e70ed771} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" tab
      4⤵
      PID:1824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4696 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4676 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5eb948bd-b426-48ce-b530-9fac1a27ab3e} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" utility
      4⤵
      Checks processor information in registry
      PID:3500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5596 -prefMapHandle 5604 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbaccee1-8b1f-4076-85f6-cf243dda2c05} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" tab
      4⤵
      PID:2696
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 4 -isForBrowser -prefsHandle 5772 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47e0559e-74d9-4584-b7c5-237ea4dac318} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" tab
      4⤵
      PID:4496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5980 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1641253c-9765-4a7a-887b-382ceb495663} 5076 "\\.\pipe\gecko-crash-server-pipe.5076" tab
      4⤵
      PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
25315f253d629da6043e035be50b0460

SHA1
7247d6e8e4a759805eb4bd2ad2c252c41ac9d723

SHA256
f0fdeeca44b5220606aced520865fc1ba422ac0fe489e2d0e9409e150d3987d0

SHA512
3b0362c9729aa37662cc51047a9aaf20848eacb2772dce3565a9a3da63dca742bcf6ee29e495d708c26d56b0d6e72758f388dc61e7aed4780f3c14d18efbaf5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n4zftpal.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
415316ce07addeca9e44e20593ab128f

SHA1
563b7acfdcc8b58520a73a8e4429ab688ffd2292

SHA256
032f12eed8ce7b82572e125086bb1c81fb0264d468b3f48dba4aa3a43631a3e5

SHA512
b1a2e244a6cd9e34aa85dab35989ec70b483568bd382a76bbea2b9e77669e3f42879aa2422c9fb0a6b4617c367c9ef4df5524d09dde86c49d4d754c6b8e63260

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
6KB

MD5
8b33eddcf0c70281f9930d853e6c5890

SHA1
978593468d49915fbd2f1c971943ce98ba6f7cac

SHA256
40e41bb87ae5b520c645b71a060a606914db96a0485d47c2c2781acac9d8c6d7

SHA512
c277a632b261ca310c51d7b9111fa090a88140514623bcc6052e9adaeae697a78c3cc61349d1d3cb96bce0bb7aeb2b7662054a6c86d247882032babc0a453393

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
8KB

MD5
33dc4a4a109100c3e3256effdfa46f8b

SHA1
3f156417d2bb5d9b51b62bf98a2890e9ced6e431

SHA256
09b0cd006d3acd63e1efd9c62dc7efc1869833bd515c7be91ffa4b7e966f33fe

SHA512
d5fe1886f5e9eb4b024333a364af5119a9e6064f33aa9343823cf80defb326cd73b9628d1c922fd9606c8e11fd228081892e0e830aaf8f100ed0528d1d406933

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\AlternateServices.bin

Filesize
13KB

MD5
08389a1e3f53422e2f85094655702002

SHA1
510953fb1f057ffd634e76d3e263acf27eb79265

SHA256
efbcfa1ab81efd1707fac89ee6bd6de25a206737685dfe74db3b743d7c753903

SHA512
21a7e626b401fc9a442fbba11e8e7f5b145cbe554bd70e2227f7697faf58f003d0ae3b9d73f8c6ecc041ab7d5dad5046b77d86b266bdc9950471fff013931e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3fcaa3a2cdf6fd077d9301e7fedbc378

SHA1
ff772a8e071028e7ee5f0d26d1341f880aa27a76

SHA256
681008ac54e415399a7a586adf8423b4ea607056f38efce197f7b4600c46f41d

SHA512
20ca045c573990651c0f01d3e31b10e25c555d15a37fb32454b68deeb10351865f23991a9bd721434eed26e2d3b6a8e358adc6e00982bf111f5212bce8d06154

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
288f59f025b0af6ed43f1b6967751b7c

SHA1
46db5f452f007d5bffde046bf0e5ee2c8e9076dc

SHA256
e07284594ce1e5c704bf2ea4232bff7bedf71e0ad28c2ff2a1fc8287fc3f3bc6

SHA512
644b4ae56a43f418e7a135734834a3c5cc86146a8564c1a5bd57dc79ec892dc4826fff260a3cf0747e70d5b36178c5312a555e90a0146d895b8119ec65fa513d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
12ffea84975b9a3e358c5370af4b2805

SHA1
487f2cce7e3e611f329a9e8d6517224848e1a8f9

SHA256
2f1094c2015073a7368470b822f8f2ddd0015ac2ec63b965e05644f14b726ddb

SHA512
96be92b119998b42a23a3f4f0af4f6bf1da1bf3e9c5b8b85289621c980aa7d7b027974ede38ac331f9608768cac209a15c6aa1aa8162e3ac65be51f2046b71a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2928a7e6034e99db491ad01d7afc6525

SHA1
0c5fe2a1db06c813f371ae025c68373823bedbf4

SHA256
c08a66e7c55534f16d9089248acc75da0c36fd23176186c6cd112eb984e26ad0

SHA512
68ece6f9a717b42200e490a9e5f604b8f732ead2168d3dafb9658e32cc00e067057e34ce107db26fea23681fe858138683dfbbd8afd1087eb153fda311aba641

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\16338f5a-9c0f-4244-820c-50e017300f02

Filesize
671B

MD5
f0b3cdfac74340e0e72968d7dd8ba1ce

SHA1
5c0af2396502f1bc42e797cebeae635aac62476b

SHA256
617fbf6e18965febe8da158ee79ebb0b573adf640e38e4de8242a2090c75fc6c

SHA512
bc258008b915dc3f2b8250f49954fab5b50da53b45aa47039a2a1a71456f5fc0a8f71cb3f9f6c29421e2e6b61495c37b93911f8e63bc04d3013a3ba15e515138

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\38a92dc6-d641-464d-9a61-d92e3676e7c2

Filesize
982B

MD5
37b5c73cbdd3907c58e2735ea98db5e9

SHA1
cd541f4eb86148ef6d33c17fbd4dc6abc7ab64b0

SHA256
7f776a52e7dc06805b811fe00568b2cd887616d850d4ae94f18ebdef2eb71e17

SHA512
5bf662cf40d88f7583243be2301119e3adce7695427f5647c03fba9eb40643f2e0c04993a631c93346a231603a93e01c63c62d2eef30866e279fcef5b3350299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\datareporting\glean\pending_pings\b701c5de-3703-42c4-a9e8-d93dc9723674

Filesize
25KB

MD5
f09b92606acebe28a5c3ca08d82e7ca7

SHA1
de78e6a1fea4c7e2af3eb046245a566e679063f3

SHA256
3300cc5a2e4afdce4a58c16042ae1991e97366340d29d857c4ef5d6a04f1dafe

SHA512
5f024de9d8f554877db7ec60eb3a91275597316482fbfd68acee066e3d9729600d4bbc0bc477ea9dbbcf3d013a5dd249e5e563be3010fa6408496c18e7f00f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs-1.js

Filesize
11KB

MD5
e39a4a5d90c0b20a5625f37f5530bb9c

SHA1
403121caa3a487271375820bcd7f8ab424303bcb

SHA256
ec35dcb07ae59ec9c582f8e4d645fb742976b3f8a0404470159880d9adeb5cec

SHA512
5789c2cbb41b14fd3100b24bab8a0229f78df24abf43b69e3305d4b0a68f2074f09d940106e3f28b594f5bda2fe04c211ff145e709d6c1d14db3aadef53b8bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\prefs.js

Filesize
10KB

MD5
29b12d6bf691fe2e5cbdd172039b12f6

SHA1
e4dd8699dc9dd5399f02475875f536885ca9ab7b

SHA256
8feebf1f8f29472fe236f0cdb62ba26522a4cc51b1cd5b25f40017660fafeaf3

SHA512
c707c3b2e5cf41642e7fe63cced545f81f0e4e8777e5ed3fa51b423840be80725edc3c71aa0e114a5be5427b27a64f3ac1ee2f2c3f07b2485d61419d74101adf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4zftpal.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
10.9MB

MD5
7867ed85250be5d9f93e5fa30e88c25e

SHA1
02149d9a9cce6d480d72f65f6c2b1f6e723c61fe

SHA256
7ef3c3e347c5b66777ffafadec74eaf9f0f5aea9dedbb75e46643a74348b130b

SHA512
3a3cadc952fa94f2c7b34f7dbd902a5fee3eabb0f3817981c6f3d2d379621be8e7abef5f41683acf28ab840a6739ea416ee0673d0fbe4ed3dd29f1398a2af5af

Download Submit