netsupport | hxxps://www[.]4sync[.]com/web/directDownload/RPjWS2ET/tBq1mUpE[.]f0fa2e9d3a71d39b343bad0edd034306

Analysis

max time kernel
66s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
78	1196	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4820	client32.exe
4820	client32.exe
4820	client32.exe
4820	client32.exe
4820	client32.exe
4820	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\diavwfl\\client32.exe"	WScript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Payment_35.js:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3088	firefox.exe
Token: SeDebugPrivilege	3088	firefox.exe
Token: SeDebugPrivilege	3088	firefox.exe
Token: SeSecurityPrivilege	4820	client32.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
4820	client32.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe
3088	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 2412 wrote to memory of 3088	2412	firefox.exe	83
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 2284	3088	firefox.exe	84
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85
PID 3088 wrote to memory of 3684	3088	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.4sync.com/web/directDownload/RPjWS2ET/tBq1mUpE.f0fa2e9d3a71d39b343bad0edd034306
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e757a2c-a8af-48eb-b207-2ae5c181d404} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" gpu
    3⤵
    PID:2284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20240401114208 -prefsHandle 2320 -prefMapHandle 2308 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a66994cf-de24-4b98-82ce-9a5ff82d1e1e} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" socket
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3240 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3020 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {073c9d13-36c5-4a34-9559-5ac7fefdc4da} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" tab
    3⤵
    PID:4408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3680 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 1444 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78558c11-2bea-4e0f-985b-925f514a0c9b} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" tab
    3⤵
    PID:1664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4728 -prefMapHandle 4724 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931cf57c-d8c0-4553-972d-5575659016c1} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" utility
    3⤵
    - Checks processor information in registry
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 3 -isForBrowser -prefsHandle 5612 -prefMapHandle 5620 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22e76d01-db1e-494e-b760-d35ac8efa975} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" tab
    3⤵
    PID:760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5660 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77e45c93-8f1c-45bd-aaac-5b2a3b119225} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" tab
    3⤵
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6068 -childID 5 -isForBrowser -prefsHandle 6060 -prefMapHandle 6056 -prefsLen 27218 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e542edda-bd7d-433b-8559-547c2f198fe4} 3088 "\\.\pipe\gecko-crash-server-pipe.3088" tab
    3⤵
    PID:956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_35.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
PID:1196
- C:\ProgramData\diavwfl\client32.exe
  "C:\ProgramData\diavwfl\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\diavwfl.zip

Filesize
6.4MB

MD5
18605ec1a9b44bd056dfbeef79a27f89

SHA1
a67fccff3666f82dc3b517a0bb9a76604c33c9f2

SHA256
5d5e67fb50030d44113ab3fff345319a7fc366957c7f9368e94264416de2dbf1

SHA512
e839b984a8c06924ef0507050ee406005eb166b8e8edf2c87dc79fecca5750b85d0ef5947183cc8360a3e67c83c33e663f771874b3d643e0150971a9ee056a22

Download Submit
C:\ProgramData\diavwfl\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\diavwfl\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\diavwfl\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\ProgramData\diavwfl\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\diavwfl\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\diavwfl\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\ProgramData\diavwfl\client32.ini

Filesize
675B

MD5
c2f1650f30a58d315d63afcb41477e2c

SHA1
07e4bc45bee544addb3adede9707eabdec07e59f

SHA256
42c08ee408c75ed058844294e303143012063e6d0689d3b5ad7d8932be159803

SHA512
a5acef1bfe7bdb81cb5361654c869a41fd14436e3de0aeffb1388dad1ee3b0bfb02cdeafe61c48395c696e4dcc2eea298bca38527144c35ee1180126b95b1137

Download Submit
C:\ProgramData\diavwfl\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\ProgramData\diavwfl\settings\apprun.dll

Filesize
740KB

MD5
975ea37829f057463e66b3c237f1c27a

SHA1
972cb78912f7e975383a8137a2e982b25333e633

SHA256
8b496688cf2d963eca198f0291d1448b0f357fbd764e22db7dcc7b252bd71562

SHA512
8463210ed0238785848a65b0d51fbe6b0f67e01a1659a0db5ee9493a1ef3ea9fcd504246e3fde5898ad60692d106319845ebedf6bd9dc159e6b2bfe307ff3d8a

Download Submit
C:\ProgramData\diavwfl\settings\avcodec-53.dll

Filesize
1.0MB

MD5
bba1fe328cea501fcce1e5df16276439

SHA1
ed4ad3a8d6f0e3dd86abb19bc18127f960ea2131

SHA256
f5522d2c936de8d53f97a6ec439d8f8391cb50a0bc6008a399f9454c00929d35

SHA512
8f585d57baa39d3e5e6b62efea53b6b3797319ae86c0c4373774d08e284a49c0bd005e200ae4fabc789470b3f100f98c8ce503fd4702f79dcbf4be4aabc58a9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
6ccf4aadc6a7de4eb51e895a0ee5c1ce

SHA1
7042ba1c0995141acb1eb8dfbc03537e507db521

SHA256
f1aea48c6487f04f744a817894c583acbe6cc1581d20c88ce2a7d4d08bd423c5

SHA512
52276e108417c565ebd11e9e2baa9390559866f4697d63b055009d5d867bd37839c825a315bf727376205fb46f73b238df08ed86fd6ba12425b1af224f3658e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
466f30131a240314e5925c8de5bdd4d8

SHA1
01e34505f4ba5c7b52a8ebdad597e779a1e0b687

SHA256
c95f69eb895fa9adbaf60d225dca68f0415781a2861c9109cae88a299847a4b9

SHA512
5fbafa42372ed9bbaeba3f8d62b994aa1bd8ee39f802848d817b9ac0e66bb4845cb65cb202faae373ad066fb740a6e208f1fd4c8e6dbfa96e7b32a70211572b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
5a83a7fd3ff4dcba10cfcbaaa31c1c1d

SHA1
dc4a115f0e6abeab7d868d94ea37e728c0bee238

SHA256
94076ad5bc69c601ff9953b21c5e7f801d27c099020315ac5b9765db941587da

SHA512
eeb24100625a4ed34fa04dff2fd611f278f47c0fd780a860aa15718fcda69fa78cfc60f41b0b9819250d6cc3f7a51192d4b465ac4be7c21b89ef2912cac0ab67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
8KB

MD5
8c77d5b201e0a74ee164cdccaa262911

SHA1
36f5c4f27575973af402b8b3ca89734a5791dba8

SHA256
8fae4484b1c1b8cbf1080958b643185e0afeca12621870cfa6bba0f90d22e2c3

SHA512
bac399844bd6b87b5ecf241a4c3728e52df9d5440f5e1d3b382316d8541dbeecf3b5c847bbe1d66875ebfe5cf485c08577286fe27f317b932b2f62a93e5585ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
4ddd2f0ad9f6072f35f74075e82dc0c0

SHA1
5e3de8154688f83b5d0a443a3df564ac2727d0f5

SHA256
9a2e9023eaa4f329539bd4e24ead18d78a03be449c7fbc10032971de3e10879a

SHA512
42925e537d68ac3268bf27533c44da31c4c1ff6e41b33dc892dd4825ee98e3e0583c9dba063c037e959b0bb889f6bb3e345abf5a87dbbd8ede66231d04cd3bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\34f161b9-9bdc-4c7c-a761-d50c9ef04337

Filesize
982B

MD5
007d55a0c15c3072a50b898ce40f5f8a

SHA1
e6cf66fc75e6164bd30cfb0c58d7f436438929a2

SHA256
d43dfbdd968072cdc6773a3a8882800fc91a4bf44336ecbd4bc0724dcc45ad6f

SHA512
8e97c178772c51b4676cc00072eee5675efa4c794cfb0b43ded786f8f6681f9ccfcdd6c4ce72f05ca647806a812b64690c73f3e311647828de87b48166e013bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\6613c41b-9b94-4949-a98a-01a46099f028

Filesize
26KB

MD5
0ca0716700c1a01310844f29f2bfeb57

SHA1
2c55c26c93f922327fccfd94544d62a131cf58fe

SHA256
0068b01d8cc7539d7811e524282e6553a3d271bca853ce645b93d3f542f093ff

SHA512
1b8d2d8db4e4b8f585eae28c51fd622f0034644b775be15f0436d8ebfc5a9c7b4049743f45b7b0176345f0842f5c042600fb0012a95f6839e17b35cbef099d88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\ac04c063-db24-4a39-a406-5b4843316b5d

Filesize
671B

MD5
21a0fa385a4629217e5a64b728468a41

SHA1
ad73938fabf0bce2a548d71bb93e53df3166bcb1

SHA256
f380c98a68ce8301cab0ea3b41236cd1a9d10d75712b8b8f1980b5373f19b438

SHA512
798a3da44c98b1cb37f6c1913d6d0080acbc5139711307b77fa2d2515f6e260c28b02002392abf523114e188b0e257f6442a3bc2d9bdccd0bfe57bda7e86bd97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs-1.js

Filesize
10KB

MD5
645a8ab0e5b189bf46fcd660730ae1ca

SHA1
4469118156cf1b88d8434e2308484a35c3e12cf5

SHA256
85a8415d4925ad43320126c59969c49e7691138041d85df23c6d05af85a24ec3

SHA512
d36c48b463823400b078f98f6fba0163ea259d7ac223d11056b9f458f16dfe4cdab16cb098d60680ca0358fa553f83945b213c77e6885006fe144455ac0d5271

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
cf1618c087f78895599b966794c78382

SHA1
de8fe7bf2ca22968cc861b484a84fae815663748

SHA256
26bd4bb1dd5cb03b8fdba9dfceb58e60e6e432e78d43a9f07767ab138d7214ab

SHA512
b6454b82a8b9b28558b641e94c8466d0e07b1193ee7fd0c344583c8655262ef35aaad996fb8a1277654832ec1d5b9f4614fa839908e891616322c4727b6f2692

Download Submit
C:\Users\Admin\Downloads\Payment_35.AtH9OsS8.js.part

Filesize
4.0MB

MD5
aa22b147ea79a429797315b0282a57b1

SHA1
9c3df87d03afc87a88b92ca9e52bc4593c1fc42e

SHA256
18b281c467bde8cf246990bf8bacf1e8fd8d70107a04aa528f9f56343f15b690

SHA512
6b665a7c648e352ef0e0ba79c1c0ca90d35c5036af8c2b476fde41a87df140f38ae5f9bde881f9c7da3714f6af6b3e883bc997e9efd2694224ff047e9ef1e563

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads