Analysis
max time kernel: 290s
max time network: 322s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 14:01
Static task: static1
Behavioral task: behavioral1
Sample: crashpad_handler.exe
Resource: win10v2004-20240802-en
General
Target: crashpad_handler.exe
Size: 615KB
MD5: 9f12b93fbe757f35df3cb953a52c593f
SHA1: 74e3808a94a78ccecdee9cb8b02eb0ee23ac9a81
SHA256: d7fdaa84062bd7594fc5fc9a9eef37afe07f25a6c2e332e88bac1b35becb4c81
SHA512: 798b46eb29f0d3f849ee1c57ed16ebd0d4fa63f9ba10edefa8a26683b5baf43afe2213f46e5da4ce391af56fb3310c89e938f48738168c48dd0718494eaef203
SSDEEP: 12288:PWHL42mwBOrsD7AVFO5rxLEuuOdfj/Tua/rRe408RIE:OUzwBUsD7AVFO5rxLEuuOdfj/Tua/9ep
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Processes:
ButterflyOnDesktop.exedescription ioc Process File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files 
(x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files 
(x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe -
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
Processes:
resource | yara_rule
behavioral1/memory/6176-1572-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
CrimsonRAT main payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0007000000023630-1109.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | Fagot.a.exe
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Renames multiple (3280) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | Process
4560 | netsh.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | Remcos.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | CrimsonRAT.exe
Drops startup file 3 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA | NJRat.exe
Executes dropped EXE 12 IoCs
Processes:
pid | Process
5208 | Remcos.exe
3712 | Userdata.exe
1540 | CrimsonRAT.exe
3860 | dlrarhsiva.exe
6036 | butterflyondesktop.exe
2768 | butterflyondesktop.tmp
3400 | ButterflyOnDesktop.exe
6176 | HawkEye.exe
5556 | NJRat.exe
1540 | Gas.exe
6292 | Netres.a.exe
5724 | Fagot.a.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
Processes:
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Fagot.a.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | Remcos.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | Userdata.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | Fagot.a.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 27 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Public\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Program Files\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ButterflyOnDesktop.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | ButterflyOnDesktop.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow | ioc
132 | raw.githubusercontent.com
133 | raw.githubusercontent.com
130 | raw.githubusercontent.com
131 | raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
279 | bot.whatismyipaddress.com
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Drops file in System32 directory 47 IoCs
Processes:
description | ioc | Process
File created | C:\windows\SysWOW64\systray.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\win.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\regedit.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\ntoskrnl.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\autochk.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\chkntfs.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\dumprep.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\wowexec.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA | Remcos.exe
File opened for modification | C:\Windows\SysWOW64\remcos\logs.dat | Userdata.exe
File created | C:\Windows\SysWOW64\dllhost32.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA | Fagot.a.exe
File opened for modification | C:\Windows\SysWOW64\userinit32.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\shutdown.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\logon.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\recover.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\wuauclt.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\ctfmon.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\remcos\logs.dat | Userdata.exe
File created | C:\Windows\SysWOW64\userinit32.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\chcp.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\Userdata\Userdata.exe | Remcos.exe
File opened for modification | C:\Windows\SysWOW64\Userdata\Userdata.exe | Remcos.exe
File opened for modification | C:\Windows\SysWOW64\Userdata | Remcos.exe
File created | C:\windows\SysWOW64\MDM.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\imapi.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\services.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\alg.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\WINDOWS\SysWOW64\userinit.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\ntkrnlpa.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA | Fagot.a.exe
File created | C:\windows\SysWOW64\progman.exe | Fagot.a.exe
File created | C:\windows\SysWOW64\bootok.exe | Fagot.a.exe
File created | C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA | Fagot.a.exe
Drops file in Program Files directory 64 IoCs
Processes:
ButterflyOnDesktop.exedescription ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\Cavalier.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64_altform-unplated.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40_altform-lightunplated.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_wel_motionAsset.m4v ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-200.png ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-100.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-400_contrast-black.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleAppStoreLogo.scale-125.png ButterflyOnDesktop.exe File opened for modification C:\Program 
Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSmallTile.scale-100.png ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected.svg ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-256.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\NoConnection.scale-100.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-30.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-250.png ButterflyOnDesktop.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\MedTile.scale-100.png ButterflyOnDesktop.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js ButterflyOnDesktop.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\microsoft-logo-white.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\Java\jre-1.8\lib\tzdb.dat ButterflyOnDesktop.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyView.scale-125.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt ButterflyOnDesktop.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-125_contrast-black.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\189.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreWideTile.scale-200.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-40_altform-unplated.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-300.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlFrontIndicatorHover.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\31.jpg ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml ButterflyOnDesktop.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js ButterflyOnDesktop.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-100.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected_Loud.m4a ButterflyOnDesktop.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\ui-strings.js ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupWideTile.scale-125.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80_altform-lightunplated.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-125.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.scale-100_contrast-black.png ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-20_altform-unplated_contrast-white.png ButterflyOnDesktop.exe
-
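The Chimera entries above show the pattern a ransomware detector keys on: one process creating the same note file in many directories while opening files across unrelated applications for modification. The script below is an added example, not part of the sandbox report or of any vendor's tooling. It parses lines in the flattened "<action> <path> <process>" layout used above (assuming, as holds here, that process names contain no spaces), separates Zone.Identifier stream writes from real file changes, and flags a process that both writes ransom notes and touches files in several application directories. The sample events are constructed from the kinds of entries shown, and the note-name pattern and thresholds are illustrative choices.

```python
"""Heuristic ransomware triage over sandbox file-event lines.

Added example, not part of the sandbox report or of any vendor's tooling.
It assumes the flattened "<action> <path> <process>" line layout used in
the report above and that process names contain no spaces.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ACTIONS = ("File opened for modification", "File created",
           "File deleted", "File renamed")

# Filenames that look like ransom notes (heuristic; tune per case).
RANSOM_NOTE = re.compile(
    r"(ENCRYPTED|DECRYPT|RECOVER|RESTORE|READ[ _-]?ME).*\.(html?|txt|hta)$", re.I)

# Constructed sample: entries modelled on the report, not a verbatim copy.
SAMPLE_EVENTS = r"""
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML ButterflyOnDesktop.exe
File opened for modification C:\Program Files\Java\jre-1.8\lib\tzdb.dat ButterflyOnDesktop.exe
File opened for modification C:\Program Files\7-Zip\Lang\pt.txt ButterflyOnDesktop.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml ButterflyOnDesktop.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png ButterflyOnDesktop.exe
File created C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier firefox.exe
File created C:\Windows\NOTEPAD.EXE Fagot.a.exe
""".strip().splitlines()


def parse_event(line):
    """Split '<action> <path> <process>' into (action, path, process), or None."""
    line = line.strip()
    for action in ACTIONS:
        if line.startswith(action + " "):
            rest = line[len(action) + 1:]
            path, _, process = rest.rpartition(" ")
            if path and process:
                return action, path, process
    return None


def split_ads(path):
    """Separate an alternate-data-stream suffix ('file.exe:Zone.Identifier')
    from the file path without being fooled by the drive-letter colon."""
    drive, rest = path[:2], path[2:]
    if drive.endswith(":") and ":" in rest:
        file_part, stream = rest.split(":", 1)
        return drive + file_part, stream
    return path, None


def summarize(lines):
    """Per-process counters: files touched, ransom notes written, ADS writes,
    and the set of application directories (first two path components)."""
    stats = defaultdict(lambda: {"touched": 0, "notes": 0, "ads": 0, "dirs": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        action, raw_path, proc = ev
        path, stream = split_ads(raw_path)
        s = stats[proc]
        if stream is not None:
            s["ads"] += 1
            continue  # a stream write is metadata, not file content damage
        p = PureWindowsPath(path)
        s["touched"] += 1
        s["dirs"].add("\\".join(p.parent.parts[1:3]))
        if action == "File created" and RANSOM_NOTE.search(p.name):
            s["notes"] += 1
    return stats


def classify(stats, min_notes=2, min_dirs=3):
    """Flag processes that both write ransom notes and modify files across
    several unrelated application directories."""
    flagged = {}
    for proc, s in stats.items():
        if s["notes"] >= min_notes and len(s["dirs"]) >= min_dirs:
            flagged[proc] = (f"{s['notes']} ransom notes, {s['touched']} files "
                             f"across {len(s['dirs'])} application directories")
    return flagged


if __name__ == "__main__":
    for proc, why in classify(summarize(SAMPLE_EVENTS)).items():
        print(f"{proc}: {why}")
```

Run on the constructed sample it reports ButterflyOnDesktop.exe and nothing else: firefox.exe only writes streams, and Fagot.a.exe touches one file in one directory. On a full report, feed it the whole file-event table rather than the 64-entry excerpt the signature page shows.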
Drops file in Windows directory 1 IoCs
Processes: Fagot.a.exe
File created C:\Windows\NOTEPAD.EXE Fagot.a.exe
On Windows 10 a copy of notepad.exe already lives at that path, so a create from a non-installer process most likely overwrites the legitimate binary; compare the file's hash and Authenticode signature against a known-good copy before trusting it.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs
When a browser or mail client saves a file from the Internet it attaches an NTFS Alternate Data Stream (ADS) named Zone.Identifier to it; the stream's ZoneId value (3 for the Internet zone) is the Mark-of-the-Web (MOTW) that SmartScreen, Office Protected View and the Explorer "Unblock" prompt key off. Explorer does not display alternate streams, which is why the mark is easy to overlook, but it is ordinary file metadata and travels with the file when it is copied on NTFS. The nine entries below are firefox.exe writing the stream onto the files it downloaded, which is the browser applying the mark rather than bypassing it; an actual bypass would show a later process deleting or rewriting the stream, or the payload arriving inside an archive or disk image whose extractor does not propagate it.
Processes: firefox.exe
File created C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Netres.a.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe
-
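To check whether a file on a host actually carries the mark, and where it was downloaded from, read the stream itself. The parser below is an added example, not part of the report or of any Mozilla or Microsoft tooling. It assumes the [ZoneTransfer] layout with ZoneId, HostUrl and ReferrerUrl keys that browsers write; the sample stream is constructed and its URLs are made up. Opening '<file>:Zone.Identifier' only works on NTFS, so the reader is kept separate from the parser, which runs on any platform.

```python
"""Read and interpret a Zone.Identifier stream (the Mark-of-the-Web).

Added example, not part of the sandbox report. The stream is INI-style text
with a [ZoneTransfer] section; ZoneId holds the URLMON security zone
(0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted) and the
browser usually records HostUrl and ReferrerUrl beside it.
"""
import configparser
import sys

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser writes for a download; the URLs are made up.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://files.example.test/\r\n"
                 "HostUrl=https://files.example.test/NJRat.exe\r\n")


def parse_zone_identifier(text):
    """Return the zone, its name, whether it counts as the MOTW, and the URLs."""
    # interpolation=None keeps '%' in URLs literal; strict=False tolerates
    # duplicate keys, which some writers produce.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream: no [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    try:
        zone = int(sec.get("ZoneId", "-1"))
    except ValueError:
        zone = -1
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        # SmartScreen and Office Protected View act on Internet (3) and Restricted (4).
        "marked": zone >= 3,
        "host_url": sec.get("HostUrl"),
        "referrer_url": sec.get("ReferrerUrl"),
    }


def read_mark(path):
    """Parse the MOTW of an on-disk file; None if it has no Zone.Identifier stream.
    The ':Zone.Identifier' suffix is the NTFS stream syntax, so this only finds
    a stream on Windows; elsewhere it simply reports no mark."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for target in sys.argv[1:]:
        mark = read_mark(target)
        print(target, "->", "no MOTW" if mark is None else mark)
```

Deleting the stream (Unblock-File does exactly that) is what a MOTW bypass achieves, so a file with ZoneId=3 that later executes without a SmartScreen prompt, or a download whose stream vanishes between the browser write and execution, is the thing to chase in the file-event timeline.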
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On start-up it loads every helper DLL registered as a value under HKLM\SOFTWARE\Microsoft\NetSh (the 32-bit netsh reads the WOW6432Node copy), so a DLL added there runs whenever netsh runs. The three entries below are netsh.exe opening, querying and enumerating that key, which it does on every start to find its helpers; no write to the key appears in the listed IoCs, so this is helper loading rather than helper registration.
Processes: netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
-
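The defender's counterpart to this signature is to audit what the key actually contains. The audit below is an added example, not part of the report or of netsh. It assumes only that a legitimate helper is a .dll that resolves from System32 (or from SysWOW64, which is where a 32-bit netsh is redirected), which holds for the helpers Windows ships as bare DLL names. The sample entries are constructed: the first three are shaped like Windows' own registrations, the last two like planted ones. The registry reader needs Windows; the audit itself runs anywhere on a list of (value name, DLL string) pairs.

```python
"""Audit the netsh helper DLLs registered under the key netsh.exe reads above.

Added example, not part of the sandbox report. netsh loads every DLL named by
a value under HKLM\\SOFTWARE\\Microsoft\\NetSh (32-bit netsh reads the
WOW6432Node copy), so a persistence implant only needs to add one value.
The checks are structural: a helper should be a .dll that lives in, or
resolves from, a system directory.
"""
import ntpath
import os
import re

NETSH_KEYS = (r"SOFTWARE\Microsoft\NetSh", r"SOFTWARE\WOW6432Node\Microsoft\NetSh")

# Constructed sample: bare names as Windows registers them, one absolute
# system path, and two planted entries (user-writable location, %TEMP%).
SAMPLE_ENTRIES = [
    ("ifmon", "ifmon.dll"),
    ("wshelper", "wshelper.dll"),
    ("dhcpclient", r"C:\Windows\System32\dhcpcmonitor.dll"),
    ("updater", r"C:\Users\Public\Libraries\update.dll"),
    ("nsh", r"%TEMP%\nsh.dll"),
]


def _expand(value, system_root):
    """Expand only the variables an offline audit can know; leave the rest."""
    known = {"SYSTEMROOT": system_root, "WINDIR": system_root}
    return re.sub(r"%([^%]+)%",
                  lambda m: known.get(m.group(1).upper(), m.group(0)), value)


def audit_helpers(entries, key_path=NETSH_KEYS[0], system_root=r"C:\Windows",
                  exists=os.path.exists):
    """Return [(value_name, dll_string, reason)] for entries that look planted."""
    # A bare name under the WOW6432Node key resolves through file-system
    # redirection to SysWOW64; absolute paths to either system directory are fine.
    subdir = "SysWOW64" if "WOW6432NODE" in key_path.upper() else "System32"
    sysdir = ntpath.join(system_root, subdir)
    allowed = {ntpath.normcase(ntpath.join(system_root, d))
               for d in ("System32", "SysWOW64")}
    findings = []
    for name, dll in entries:
        path = _expand(dll.strip().strip('"'), system_root)
        head, tail = ntpath.split(path)
        if not tail.lower().endswith(".dll"):
            findings.append((name, dll, "helper is not a .dll"))
        elif head == "":
            # Bare name: LoadLibrary searches the system directory, so it is only
            # suspicious if nothing is there (a search-order hijack target).
            if not exists(ntpath.join(sysdir, tail)):
                findings.append((name, dll, f"{tail} not found in {sysdir}"))
        elif "%" in path or not ntpath.isabs(path):
            findings.append((name, dll, "unresolved variable or relative path"))
        elif ntpath.normcase(head) not in allowed:
            findings.append((name, dll, f"loads from {head}, not a system directory"))
    return findings


def read_helpers_from_registry(key_path):
    """Enumerate (value name, data) pairs under HKLM\\<key_path>; Windows only."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                return out
            out.append((name, str(data)))
            index += 1


if __name__ == "__main__":
    for key_path in NETSH_KEYS:
        try:
            entries = read_helpers_from_registry(key_path)
        except (ImportError, OSError):
            continue
        for finding in audit_helpers(entries, key_path):
            print(key_path, finding)
```

On a live host the default exists check confirms that each bare-name helper is really present in the directory it will be loaded from; offline, pass a stub or a snapshot of the directory listing.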
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every entry below is a read of the same NLS\Language key, and the readers include cmd.exe, reg.exe and PING.EXE alongside the malware samples, so this signature carries little weight on its own.
Processes: cmd.exe, reg.exe, cmd.exe, butterflyondesktop.exe, netsh.exe, Fagot.a.exe, Remcos.exe, butterflyondesktop.tmp, ButterflyOnDesktop.exe, IEXPLORE.EXE, NJRat.exe, Gas.exe, Netres.a.exe, cmd.exe, reg.exe, Userdata.exe, HawkEye.exe, PING.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, one entry per process, in this order: cmd.exe, reg.exe, cmd.exe, butterflyondesktop.exe, netsh.exe, Fagot.a.exe, Remcos.exe, butterflyondesktop.tmp, ButterflyOnDesktop.exe, IEXPLORE.EXE, NJRat.exe, Gas.exe, Netres.a.exe, cmd.exe, reg.exe, Userdata.exe, HawkEye.exe, PING.EXE
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments. Here firefox.exe queries individual CPU values (name string, vendor, clock, microcode revision) as a browser normally does, while Fagot.a.exe enumerates and then deletes the CentralProcessor keys; the HKLM\HARDWARE hive is volatile and rebuilt at boot, so that is sabotage of the running system rather than sandbox fingerprinting.
Processes: firefox.exe, Fagot.a.exe, firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe
-
Enumerates system info in registry 2 TTPs 64 IoCs
All but the three msedge.exe reads are Fagot.a.exe walking HKLM\HARDWARE\DESCRIPTION\System and then deleting what it finds (BIOS, MultifunctionAdapter, FloatingPointProcessor, VideoAdapterBusses). That hive is volatile and regenerated at boot, so the deletions do not survive a restart, but they are sabotage of the running system rather than the fingerprinting the signature name suggests.
Processes: Fagot.a.exe, msedge.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE, Fagot.a.exe
All but one of these entries are Internet Explorer's own first-run bookkeeping; the exception is Fagot.a.exe creating the Main key, under which the next signature records the start-page change.
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2173592293" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2172154563" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125879" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ff768277f1da01 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f000000000200000000001066000000010000200000005ca932f1a4674c0bddda0ab1049411a5313824f1eebc4a389d56d63f6ec57c6b000000000e8000000002000020000000a16d604e689c52f6a15f1c6c234cb4a1693e237b309cf188ab54b7b6111b73b32000000077073512d6d6493551e61faec376bc47fafbefa4636dd6f7e1e9a863a70dae49400000001a35203cd76f491c7743d84e85ba89ea5ad0c9b0fffc38bc67f556ef6008514faf48a56a2dbeced0eb21f26fc76f4f5d60447f0f81d38ac7a9b5f9340aafc7bb iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2172154563" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f00000000020000000000106600000001000020000000a309a46242d19034dba446af310112f3bf08badf84f7c64d2b06b9002a1093bb000000000e8000000002000020000000e22c229369238521e5f11eba70f5a368b2237675c7d6031991bcfbb274233a74200000001335ac75da4254fde275fb9e8ac0ca53e3117ac5b366a73cea797c893be628f34000000075d530f225d23705e216abb7d7044b1d0c8624354da6f574307ddb7ef63f40c3ce574f7d8448c91cb05e737706525c0064e46590adf49c0cc43af14cb1341854 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125879" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430754797" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main Fagot.a.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125879" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD145D5D-5D6A-11EF-939B-4A4A300BA5D9} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0626d8277f1da01 iexplore.exe
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
Processes: Fagot.a.exe
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe
-
Modifies registry class 64 IoCs
All 64 entries are deletions by Fagot.a.exe of COM interface, type-library and ProgID registrations under HKLM\SOFTWARE\Classes, including the WScript.Network ProgID. Unlike the HARDWARE hive, this hive is persistent, so the affected COM clients stay broken until the owning components are re-registered.
Processes: Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5104D3E9-5038-517E-9CF6-28C106CEE038} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4466E0F-C942-4C9C-98EF-B31A17AEAF1E} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}\2.4 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE7C4271-210C-448D-9F54-76DAB7047B28}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\ProxyStubClsid Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A957A2DA-0158-411E-8A77-C2EB64D89361} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F4670BB-CDF1-4FB7-8D5C-46C9200DFBF3} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WScript.Network Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA3AD8C8-6BA4-4AB2-8D21-BC6B09C77564}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D320710-06C0-437B-A55F-826F48CC7EE7}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{156A0971-F6E2-4767-B7CE-D33E2798037E}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F50C7D0-D1AF-4A97-AD81-7FDD5934AD32} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFCEF9A8-F1EF-41FE-9C2F-BEE528BDAB75} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFD074F8-3A54-4FB3-8771-277D3E2031C5} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104B9-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F5A5-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11B48E3F-E93F-4960-8998-F755B4D9C64D} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{eaba9a78-1f52-4fa7-adbd-e0583c197cd3} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104BD-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFD12A4D-D96F-4504-81CB-0FED07AC05BD} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7EF7658-E1EE-480E-97EA-D52CB4D76D17}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B054A561-9833-4AED-9717-4348B21A24B3}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E4FE5A4-3E03-40CB-93F9-31AAAE4E9CFB} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B5EEC44-51AA-4210-B84F-1938B8576D8D}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44F8F85F-5514-49A3-8173-6F9C9F1C4832}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{302F0F55-1EDE-4777-9B38-115E1F229D56} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6F94D0E-78C2-11D2-8FFE-00C04FA38314} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C62F453C-42AF-40A1-8277-692C4D56E24E} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{863A99A0-21BC-11D0-82B4-00A0C90C29C5} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CC9A3FD-2236-44D0-BE9E-162E773C73BF} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A1C53C4-8638-4B3E-B518-2773C94556A3}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F134C4B7-B1F8-4E75-B886-74B90943BECB}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59CD1B0F-82BC-4228-898E-B3D1C8304C04}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59720DDE-9DC2-4196-A962-DD6A9320D578}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305106C7-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC40BEC1-C493-11D0-831B-00C04FD5AE38}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B104D8B7-AF19-11D2-922C-00A02448799A}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED25831F-90DB-498D-A7B4-EBCE807D3C23} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{c088cec3-08e5-5f35-a2b9-0900d028c83b} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{461FDA3E-BBA5-11D2-B10F-00C04F72DC32} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20F22571-AA1C-4724-AD0A-BDE2D19D6163}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBA0019-3075-11D6-88A4-00B0D0200F88} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91590ABC-9C90-49EF-9B02-70F94D2C5544}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A64A872-FC6B-4D4A-926E-3A3689562C1C}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{461FDA3E-BBA5-11D2-B10F-00C04F72DC32}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4291224C-DEFE-485B-8E69-6CF8AA85CB76}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C861803-B3F1-4956-9BC2-7737BA72C606} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C56-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3497CC3C-9BF7-49E6-89BC-4BC88B3FAA01} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510706-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12C1180E-C257-4485-9800-AF484B699713} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{919AA22C-B9AD-11D3-8D59-0050048384E3}\TypeLib Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C627E44-7A53-4938-91C6-F60F3ECBEA94}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D82C119-880A-4A3D-AF6B-DF0BB266518C} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E75B61-A7A6-5B3F-8789-47915897E72D}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F3BE369-0B78-4511-91E5-08F9FC5CAE0D}\ProxyStubClsid32 Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B482F52-F12D-4BFB-A185-1C5F7774FF37} Fagot.a.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB1A2AE3-A4F9-11CF-8F20-00805F2CD064} Fagot.a.exe
-
Modifies registry key 1 TTPs 2 IoCs
-
NTFS ADS 9 IoCs
Processes: firefox.exe
File created C:\Users\Admin\Downloads\Netres.a.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier firefox.exe
File created C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier firefox.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   Process              count
2104  msedge.exe           2
5568  msedge.exe           2
6728  identity_helper.exe  2
5556  NJRat.exe            58
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   Process
3712  Userdata.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
pid   Process     count
5568  msedge.exe  11
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token                       pid   Process                 count
SeDebugPrivilege            396   firefox.exe             5
SeDebugPrivilege            1540  CrimsonRAT.exe          8
SeDebugPrivilege            2768  butterflyondesktop.tmp  11
SeDebugPrivilege            6176  HawkEye.exe             1
SeDebugPrivilege            1964  iexplore.exe            5
SeDebugPrivilege            4500  IEXPLORE.EXE            11
SeDebugPrivilege            5556  NJRat.exe               1
33                          5556  NJRat.exe               11
SeIncBasePriorityPrivilege  5556  NJRat.exe               11
-
Suspicious use of FindShellTrayWindow 50 IoCs
Processes:
pid   Process                 count
396   firefox.exe             21
2768  butterflyondesktop.tmp  1
3400  ButterflyOnDesktop.exe  1
5568  msedge.exe              26
1964  iexplore.exe            1
-
Suspicious use of SendNotifyMessage 45 IoCs
Processes:
pid   Process                 count
396   firefox.exe             20
3400  ButterflyOnDesktop.exe  1
5568  msedge.exe              24
-
Suspicious use of SetWindowsHookEx 46 IoCs
Processes:
pid   Process       count
396   firefox.exe   41
3712  Userdata.exe  1
1964  iexplore.exe  2
4500  IEXPLORE.EXE  2
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                      pid   Process      procid_target  count
PID 4244 wrote to memory of 396  4244  firefox.exe  91             11
PID 396 wrote to memory of 2448  396   firefox.exe  92             45
PID 396 wrote to memory of 1380  396   firefox.exe  93             8
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe"C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe"1⤵PID:4448
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4244 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256181b8-65e3-48c3-812a-55a9d45b7e7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu3⤵PID:2448
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f02fbb-609d-4388-a65f-b3249aa2819f} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket3⤵PID:1380
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3324 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931c3016-ff52-4b77-bee9-2aa5b0283cf1} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:1800
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2660 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc4c589-2afa-4e91-bf2b-d39bc2e1d6d4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:3604
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4336 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb345663-e8fb-4824-a27e-fa217fde2dbc} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility3⤵
- Checks processor information in registry
PID:4572
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 3 -isForBrowser -prefsHandle 2860 -prefMapHandle 5240 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5c4605-76d4-48a4-b159-74feae699090} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5800
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 1520 -prefMapHandle 2976 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ece6d16-9af4-48fe-b1ca-3a1cc943fcee} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5816
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5808 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb0c4fe-ccb2-4d01-9dfc-87baba59a7c0} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5828
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5617c4b7-dadb-4aa7-a680-6d553f84d3ed} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5172
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2301657c-b592-47c0-9b2a-bd9cb433be7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5256
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 8 -isForBrowser -prefsHandle 6112 -prefMapHandle 6364 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8b257e-7d64-4089-a3a7-ee5ca4838cc7} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:5244
C:\Users\Admin\Downloads\Remcos.exe"C:\Users\Admin\Downloads\Remcos.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5208 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:6136
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "4⤵
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 25⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6048
C:\Windows\SysWOW64\Userdata\Userdata.exe"C:\Windows\SysWOW64\Userdata\Userdata.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3712 -
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:676
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"6⤵PID:2988
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1540 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"4⤵
- Executes dropped EXE
PID:3860
C:\Users\Admin\Downloads\butterflyondesktop.exe"C:\Users\Admin\Downloads\butterflyondesktop.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6036 -
C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp"C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp" /SL5="$C0046,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768 -
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"5⤵
- Chimera
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3400 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"6⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4500
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5568 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff853f146f8,0x7ff853f14708,0x7ff853f147186⤵PID:5752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:26⤵PID:3548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:2104
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:86⤵PID:2352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:16⤵PID:4012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:16⤵PID:4560
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:16⤵PID:5188
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:16⤵PID:3624
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:16⤵PID:6208
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:16⤵PID:6300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:16⤵PID:6308
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:86⤵PID:6608
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:6728
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:16⤵PID:6740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:16⤵PID:6748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:16⤵PID:6980
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:16⤵PID:6988
C:\Users\Admin\Downloads\HawkEye.exe"C:\Users\Admin\Downloads\HawkEye.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6176
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5556 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4560
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -childID 9 -isForBrowser -prefsHandle 2780 -prefMapHandle 2668 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dd7f34f-ec85-4934-b9fd-32ebed29cbc5} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:3560
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 10 -isForBrowser -prefsHandle 7580 -prefMapHandle 5272 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ac2e6b-1979-4153-929e-b6eef6e9bae4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab3⤵PID:2936
C:\Users\Admin\Downloads\Netres.a.exe"C:\Users\Admin\Downloads\Netres.a.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6292
C:\Users\Admin\Downloads\Fagot.a.exe"C:\Users\Admin\Downloads\Fagot.a.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
PID:5724
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4852
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5836
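The command lines the process tree above flags, written up as detection rules: reg.exe setting EnableLUA to 0 under Policies\System (the "UAC bypass" tag), netsh adding a firewall exception for NJRat.exe, PING 127.0.0.1 -n 2 launched from install.bat (the report tags it as Internet Connection Discovery; with -n 2 against loopback under a batch file it is also the usual sleep idiom), and cmd.exe running a batch file dropped under Temp. This is an added Python example, not code from the report or from the sandbox; the rule names, the regular expressions, the benign control line and the function names are this example's own, and the ATT&CK ids are the ones the report's signature names correspond to.

```python
"""Command-line rules for the behaviours recorded in the process tree (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str  # ATT&CK technique id the rule is evidence for
    cmdline: str


# name, technique id, pattern. Case-insensitive because the same tool shows up as
# reg.exe/REG.EXE, PING/ping and so on in the tree.
RULES = (
    # reg add ...\Policies\System /v EnableLUA /d 0 switches UAC off at the next logon.
    ("uac_disable_enablelua", "T1548.002",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*policies\\system\b.*\s/v\s+enablelua\b.*\s/d\s+0\b", re.I)),
    # Legacy 'netsh firewall' form seen in the tree, plus the current 'netsh advfirewall' form.
    ("firewall_allow_program", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram\b"
                r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b)", re.I)),
    # ping against loopback with -n N: the report's discovery tag, and the batch-file sleep idiom.
    ("ping_loopback_delay", "T1016.001",
     re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost|::1)\b.*\s-n\s+\d+", re.I)),
    # cmd /c or /k running a .bat from the user's Temp directory.
    ("cmd_runs_temp_batch", "T1059.003",
     re.compile(r"\bcmd(?:\.exe)?\s+/[ck]\s+.*\\appdata\\local\\temp\\.*\.bat\b", re.I)),
)


def classify(cmdline: str) -> list[Hit]:
    """Return every rule that matches one command line (a line may hit several)."""
    return [Hit(name, tid, cmdline) for name, tid, pat in RULES if pat.search(cmdline)]


def scan(cmdlines: list[str]) -> Counter[str]:
    """Count hits per ATT&CK technique across a batch of command lines."""
    return Counter(h.technique for c in cmdlines for h in classify(c))


# Command lines copied from the process tree above. The last one, a Firefox content
# process, is included as a benign control and must produce no hit.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r'netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE',
    r"PING 127.0.0.1 -n 2",
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208',
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for hit in classify(line):
            print(f"{hit.technique}  {hit.rule:24}  {hit.cmdline}")
    print(dict(scan(SAMPLE_CMDLINES)))
```

The EnableLUA rule fires twice on this tree for each RAT instance: once on the cmd.exe /k wrapper and once on the reg.exe child, which is what you want when the alert is keyed on the command line rather than on the image, since either process alone is enough evidence. The ping rule is deliberately narrow (loopback target and an explicit -n) so that ordinary connectivity checks against real hosts do not match.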
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (7)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Downloads
Filesize: 3.0MB
MD5: 81aab57e0ef37ddff02d0106ced6b91e
SHA1: 6e3895b350ef1545902bd23e7162dfce4c64e029
SHA256: a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287
SHA512: a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Filesize: 2KB
MD5: 014a8639864fcd7bbe969cac86add7e4
SHA1: d7078bfd45a886fc9a779c9a71e97397681e68dd
SHA256: fb9cc5f7bbd888e920dd5ea422b35eb548eb63215c6f6617805736ea8eb0db77
SHA512: 83bd3d716637e53f67ea1cce6e92cb60fcdc0c98ee4b0223d95047588ff458e0b76c152dd62822d1fe3cf56260cdc61e999f9e943da4bbe97766cc9cba631f7e

Filesize: 4KB
MD5: 358192e6b48de9b5a35057153f3f6f5f
SHA1: a13e1f7face1b3c3c610512fdf9bae35e9710864
SHA256: d91a016ef8045ea7896abd45c4313ac81d69082cd47b96f5d5594006eccaa568
SHA512: 0cb8177fa2917cd219314e588e3d76e902289021b436ef08611791679c9f47089f91b0dcb5abd0976b2900262fbba72cdc42893f7c1f15c45bf0d37e37ee4fe2

Filesize: 4KB
MD5: 6569c316a06004c4d1b134cb5b5a1303
SHA1: 33c83185bdb5e2cf29db373fbddac22c870a6f63
SHA256: 7e885a46136df0c4f484c5605142dd99756c0fc8adeea9a490dc2c143007b3dc
SHA512: abb6f0dc424cbc894111961da9553c7ea67e5cb65a6fc09fd67b141df69ed5e4c18d6d848e6e9649cbb62378e4b1d550161b1b7dfd220c8d86529797d98e10a1

Filesize: 9.1MB
MD5: 64261d5f3b07671f15b7f10f2f78da3f
SHA1: d4f978177394024bb4d0e5b6b972a5f72f830181
SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Filesize: 56KB
MD5: b635f6f767e485c7e17833411d567712
SHA1: 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Filesize: 57KB
MD5: 3e4eb12184d217df69a3b72241cae36f
SHA1: 14c27638fdfcd87be5f37a7492d2800d3179a9a0
SHA256: fb35c696aaa9f80a9b02f78dba875e716a268b12fdba54eba6830492a215da6c
SHA512: 133f42c65100d0b308c2e2c081d4f0a99e785c3eda48ba49df1945e9c398f8fa64b8897caa15afddc0921a6f7e27cc455dd2a770367f09381dc0cef7f201eeca

Filesize: 152B
MD5: 0446fcdd21b016db1f468971fb82a488
SHA1: 726b91562bb75f80981f381e3c69d7d832c87c9d
SHA256: 62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222
SHA512: 1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Filesize: 152B
MD5: 9b008261dda31857d68792b46af6dd6d
SHA1: e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3
SHA256: 9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da
SHA512: 78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Filesize: 20KB
MD5: dd62255c6e72b80ce88a440481d3d22f
SHA1: 17758b8673c033ecf7c194e5d1190bbf9516c825
SHA256: 16921001068e64b8ac9935d54eaa1dca108647370c5987443732ecd4f0f56249
SHA512: 19cb0414fa378f59229d6296a4165e3a073fb6c6b812969c7015d3f73e7738c70893346740396986c6148ca1fcd5e7a8021aed775c808eb67ee9d1b301f0ee76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 864B
MD5: 4f1b572ed3536242329ca95399adeb5d
SHA1: ca6a429713a747f8c2f03163b7b7ed2755103082
SHA256: 2ca1379df7d33f17698d34851041761a5a948cec023bb8877049068a541ac508
SHA512: d474da315ed04f554769ea4ff37e12e0a9499886f430590bc4d379aa724b3bfa524c31aeebfeefe208401a28b2a9c00188a87d6686788a9da9a1e7cce1863000

Filesize: 2KB
MD5: a4056a92b61a8aad9744fdb4c0dde817
SHA1: efa22442b573338643119e5fda2f94bf74ba2bc6
SHA256: dac8b9126a47f8e006baaa428512cf118072975913bfabc87c2f262f475f7c16
SHA512: 98523a2ca23ebb005b1f08c6e37d9f1025c30364eae052b6cb42b6d078fc07c16ff22ee21fc8f441b6836a7c729d7bb50eab752e81d4a823de3cb3ff5c8909f5

Filesize: 5KB
MD5: ab694cedb68698927a1cdc6a9284f6eb
SHA1: 5e8b2b3ab2d3a4cc42aaccfe3775f5b27658ebea
SHA256: f21734815da8c323dd248be989223e426b366452df43e2104a28d1997eb184e1
SHA512: d49987d10095f3f6231ec9e16780a75e741aa5feac0e194cff7a5a49ebdee16686f54c73935742239c67fa33590a2ee1678c490dc0b18f968ff58e78d6301239

Filesize: 8KB
MD5: 8e57c847e03b916d6ec69fe5efa1d161
SHA1: be9477dc4fcab101cc9452fba948c454fc4b2ac2
SHA256: 776cd0ff88e9ae042a397126439e29bee75b0867428b17b4ac79a333e93f9d3a
SHA512: 6a858430706d187b5afc2063991d3da3daf2ba6e5cdea85cd273d50855fba8e834233c2cad40faed0ab672ab03ca95a970a808bf8bcfb16eb94641f19d8779bd

Filesize: 7KB
MD5: 3b22e96adbdea702d15a619db627b483
SHA1: f8fb2b3e4b8b4d0e05e8ec89e213476b6bbc2a82
SHA256: 30f1633d6f0d239f267653d440ddfd833479c8f593434ce6e47e8d08943eab68
SHA512: 297bdb6ce320c485c68f627361c686b95b28bd42ec600ed2bd97e46c462a2b115b4e587b7d279ee4ee246a37e678b24f23f0d53a1674b4cb4dbb9417cd712182

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: ebcec5983d98f9f16e4af2b8eedd2964
SHA1: 0b3639b6edfa79b6b784624dcdb7f03e82422c7f
SHA256: 59382da9425594047ff6a74f02281c0c397e5e6796e5f9b26d90007ad5e51e63
SHA512: 043e49a67e8076d2696b67c99fa5d10cf037b80ad92b12d90b6a7a741bbf3ea6ad68c0cca8d3801b51eb7d39b124401cd98df8e4e17e89088db3c5dca31262ba

Filesize: 11KB
MD5: d4ef9352f08ef94cda9d0f48bcb6c773
SHA1: 1b65c1a90e7d5ba52233d341eb07ae92805abb7e
SHA256: c41d68abc1dff7176e6cea7a941641a5f59322fee7d9b1d0891e294507d96a6e
SHA512: 37968a2faa2b89af7f8e41841ed3862793f993f3ca03924b0e68e97a4fb6bb210a1ff3a6768468d0517bb84b8943ec4139d20b5ba5ca4f67618aa11fbf02cb4f

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json
Filesize: 33KB
MD5: 5120d25ae113d269e572def866f5e9fa
SHA1: 6d871ad0514bd79adc3ca775ee0ba40399819d0e
SHA256: f5a4b2f9c8fd24ed652c749eac645d718bde338b8577e850aa6e7170bb982a27
SHA512: c413d0e36b54654bbbb28a553b8f5f995462f1e02504bc0436e260e3c1f53e7bd2780a8b4e51aa4f07f79042455625264dc92311ae5917bf8adf6038d119a1d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\959CF48BAAD235E68169923EB0513440CADB4E07
Filesize: 179KB
MD5: 9f1358363a45f33cc0b5b2a87c6395d4
SHA1: 7f12deca47996fdad35a97974161191e541a518b
SHA256: 68afb33a889520e95f96881599269bd527192c790937d3e9b517a5d82d6adf9b
SHA512: 7edda482f3ed27c57662f368171ccf6c35604cdc865d42e04e70c96ad3d6280b3c67ab863fcbdc10709b17181eeb2428d4f2a13de023bf8a04f5bbb224508968

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\jumpListCache\5tOoRgqM2WFj6Vw1c4rO2_+YmkxFZjW5qiS0f5iJu1w=.ico
Filesize: 25KB
MD5: 6b120367fa9e50d6f91f30601ee58bb3
SHA1: 9a32726e2496f78ef54f91954836b31b9a0faa50
SHA256: 92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512: c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Filesize: 135B
MD5: 90022f82afe48963cc42547209f18f96
SHA1: e60698c77e7df4cccc493f2cfa6d76f7553d71e2
SHA256: 046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc
SHA512: 6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Filesize: 688KB
MD5: c765336f0dcf4efdcc2101eed67cd30c
SHA1: fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256: c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA512: 06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Filesize: 2.8MB
MD5: 1535aa21451192109b86be9bcc7c4345
SHA1: 1af211c686c4d4bf0239ed6620358a19691cf88c
SHA256: 4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA512: 1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Filesize: 479KB
MD5: 09372174e83dbbf696ee732fd2e875bb
SHA1: ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256: c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512: b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Filesize: 13.8MB
MD5: 0a8747a2ac9ac08ae9508f36c6d75692
SHA1: b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256: 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512: 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 20KB
MD5: 37b6301d140666b52c0be03805162761
SHA1: fb86c061e4a9ab47b5019c5d00a790de2907267f
SHA256: 4b60d4c650a2b95f8872c9721815f670f058d017fa7df9b862870b1956a65d81
SHA512: 256b569933ff33b7a6090bfb5a236015998d52debf17e851801c3fb1fdd098c4ccb4cd73f731ea9764f452e6985dd2e949c9b9da466c8a2a7369a1f87c7a7c22

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize: 19KB
MD5: ecd24da2f3a4285235c21f4a4cebb6e4
SHA1: 4df2521318666415ed387eb3519520c445314234
SHA256: 4a5c33f4a899b93e0697eb01b7b82b9a0bfca53820faab4940c4e823708dde4c
SHA512: bcefdb3c16d6df8a4b0130615d3f29d14ebf8cd65cf14f717728c8db2794ab0b1bd0a6e59290d0eb299676f1862fae492e085bff08208fdbaedf8b7c21cbcf0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize: 7KB
MD5: 4c27f397d4e64efecd06450b26545f16
SHA1: 975cde2380061a74854b4558a076087b18f16b41
SHA256: e77a018d20858bb68789ff659e507f0d3a30b354a2f7dd43493ef335731d0df1
SHA512: b45b339612c3972c5ca936f9f56d10b79ce18e7f0e87089d068633c24bef76f55e0e05edfdc5ab471fa6573948f0cbdfa5a0b8c40e29a3dd5ada0d0fa91d3bb3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize: 14KB
MD5: b1df77774465e0fd3f802db52acc9af1
SHA1: d0eca8115e844f14a2a6709d15527efc98b3f346
SHA256: 347f3a0d9084f9edd7061d39c2dabe88d1b4752aad972671c6001597c444bf9a
SHA512: 21b4f41bfbda2397e7e4b58a90ddfbb469b1e15cdac2cf50deb46a93855fd65c6363fc2ad203ae43608bb2b612b6abae410455e4e94e1c0dd4a145aa3bd14bbd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize: 13KB
MD5: 0cd9bdd4ab3ef8784f254f121c2f11bf
SHA1: 3d20c604c233ef95a7178cf63b980ad582a5f005
SHA256: 9abb6b0afc8eb3c101796a79249a05b13113daae786cb93ffea8f84f49939dc8
SHA512: 7e820658e5eb8122eba68069c96afd81dc91dfc40a57c63dab34f5dc2935a349019bc373907a151187f72d26065ef59589a157c40c7c02e593bfbf0ba7987aa0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize: 17KB
MD5: ed4874d418581d64c528459578bf329f
SHA1: 2becea961540722621d16803ecae9e1097a8876b
SHA256: dae3e30dc25d0a15aaf1fae5ecaf5f111246efa261ac884b0bd79911ef0b312e
SHA512: 7e531674a64f299591553a286e8231c732a62654d90aac85221646b3f2fd1cf76592e084cf22240286abd9e3d6a7b9f166144de15073ca2b939254f3e154f979

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\SiteSecurityServiceState.bin
Filesize: 3KB
MD5: 0198f27014b1c11d06085579e54dce44
SHA1: 1527bde0713ba9f847ea948b667585f9106a4bcf
SHA256: bcf664200430af7a00c14e06bf8e6b0ec9e087705e0ae4464bf25ba16b9aaa8a
SHA512: fdd614af688e32b451678e2d734f85a35f350fc2283d1515dfe53cd9d0bc8cdeeaa78f993ba96ead230674019aac6a0cdd755ca4d5398780f4e60156b0c73786

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.bin
Filesize: 7KB
MD5: b7f2aeeb357e813d0070fe7081d27bb8
SHA1: 24d71c4ebb183c70aff9a55925554d9d6cb31a64
SHA256: a977931f200b966488e063e6373ad2cc8efbe691a90ed2eed37365869ba95586
SHA512: 99b4a3e1ef562ff5669aef55c571f8057bcb2aa30b72eda9c0de169da91ea039523c12e0977cc453e3ba6e043855bef086a86d2ea1876f0cb9738e6adcc1a6c4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 5KB
MD5: c02ed35a4c2c1acffb1a3accd5cecae1
SHA1: d73b4e80ea69797b1bdaecc5c3683ec01e671bcf
SHA256: 945dd0d1c59066d4589547bd14b39d9e058683ba218d2db1b69489afd0eec7f1
SHA512: 35cb5f3538dc08960b6ee08a37c6eab4921a8fd7b8883d154ed7f151ef184682d7af74bba87cd3fb85a29fba10fcaa38f963867baa512d7bf2e54a38febef69c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 73bd1e2e4b04a0e6cce88672e61d8ccb
SHA1: ac53403e1fc752e2fd72bbf17f6e83501bd1e2eb
SHA256: f93361746d5bab05b7089521612476650cedb5dd57aaf8438fc1b2a3e34bec53
SHA512: 029073071bcb700513b5b6f2916b351d5d5665fcd54c6adfcd04e89e5d16f2996e418eeec071357a47c65ffcc5add1dfc05918bb82cdfeedc4d4a7e837e0b9a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 6KB
MD5: 2650a0ba839eaaa4a516a991a71dd217
SHA1: 4f09d5a09dbe9ca3d3dc865ab67b1ad8cb9ab078
SHA256: efe0670fb7382e5e9507c3bd869305dcc523148b9abad7d7ebdcce8947bcb003
SHA512: 525365b2ed2fd2c9d3b6979d157d286dc91aae084968d4a15e6c447f59b4d6e0be4a0850c83aebf5a0f84f029890d05e141dc35f04acb8611dca91938a41aad1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 55KB
MD5: 2daa9bdb4ecfac0f2578c1a37a7b852f
SHA1: e4dfab5ac13c74a3e65f6be371a90fa788526ff4
SHA256: 16be09a9221eef2c1062b76d7376aefd7a98fb1b5cf575f0fdb5ab666013b075
SHA512: 39f8d754296d87e33cf07086bd250f71b2576ae99859cafa06c989ac543a1b15e18b740f2f6040f1630fd6c1901d448f4ece13feef8b9b136282f4558ab58399

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 55KB
MD5: e79b6610d8dcd0b1079f8cab10b8b6df
SHA1: 0e672b670201622a8eb11c467942d2f66ded1b39
SHA256: 3cfd583f837a278bcca231eda8b18f02cc05935d9af34eb0b27591280295b4a9
SHA512: c65ce3c39f2c55e7e15f98ce51c4b34298fed2c70257ad606f9c28e96f7188054f0a94c4bd9ab39ba730d63a09488b5eca2bb06f0ed7e4740d6465853fc9e04f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize: 58KB
MD5: e24807ec01764abd2564db396f8085ec
SHA1: eb1ee114a8848491f1497e9db1225c180805ccbe
SHA256: 6098b421e03ba700e892c56e610c024226a017ab0327211b7fd42326592f95eb
SHA512: a13c2fabcb470c4b10acc98d1c098c0b2f19ae23ef08837d81c7714180b8ff5059f40e941e71f5552136a08a2eaecfd26de57c7f7a73980de72c7fae86ae0bee

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\events\events
Filesize: 2KB
MD5: 77d6a0599a15cc6e1a5e9af7f3e6d591
SHA1: 1d3917d2588903daaf549c8ba41af70cad326c5b
SHA256: 3ec4cbff03ed2439e5646249485e51513044fbcd6db26e9ea37e3770fdc84aa9
SHA512: 8c71d289f2c7147e376f38c0750eb1dba3a8751fa1f23ba2cc1a14f127454ced7ffe684e9fa41277579130961417d6b4d71628ac27b4ca810bb0131ee8f59efe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3a335481-108c-4aa3-81b6-8aebc7cd5a6b
Filesize: 671B
MD5: 97d55ae547b08aec3186336d970d5a09
SHA1: ebeabff8c5576b12a1af116cbde012984a0bb0dc
SHA256: 5db53c5ae8049f7f6464b372b4e630d944276d92efdf08b15f8661d06e6e3192
SHA512: e6b73eecbed7347e6dd23592a3095dabe305cc02d7e854bb74cb67f51c5da4fb98a4363eb441c1bf72e2603bf7b16104ec6e189a4a798f3152f275eb738c4456

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\4bd3c9d2-e6af-42ed-b781-501730d0de83
Filesize: 847B
MD5: e34c393a22da386a44b3016cd13c29ab
SHA1: fdb7e71c42ff3d45e2ff6f153d9be681b5a6bb0b
SHA256: 3f4085a6649d125cd4b9f4b393d2934522497613206ce82d72939fac849e9924
SHA512: 0779a5c428b32d3528df9ba9731698e5d296ca9fb64f6b02af836ab59e8a778fd4619405ef9981204f7943965ef64b259a88e21c2b21d8eaff38749fbfa22df1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\921e5dd5-d8da-45df-8261-aa91b5e28d97
Filesize: 4KB
MD5: 05a4566eac2b9dc76fdb9d48b11b5fc4
SHA1: 8303b86df537618ed9dbee77b9b4d117c554c8c9
SHA256: e255d2a511bd5c2744c749a0ff486725db40241dc049fdc7414146322b868776
SHA512: f3b66571be792a7c64b1d9155808a1273ff5980da97d582aeff5394d5ca068d45221c92e6f9122ccb7aa0b34dd592ed18803bde7f230e0f16279930e03ad2988

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\c68c5061-ac17-4626-bc4c-f9290078ce5e
Filesize: 982B
MD5: 4e8d9e3e9c59466fb0fb9d4b8d1177b6
SHA1: 5efb2c0a678a952785e31b62b9032a5dafbdb4c2
SHA256: 537b5cf6840079b24c2b96b8bdac36c27e924976990f062759d415349573ccd2
SHA512: 281ed6a784a5327bdeb5a5c622a9a8ffd9f73bba6e5e9c713596fd664e4e3bc65c1cb8e222a1b7d876aa8908f99b231063d96aa22e48a3310ccec9b3a734f405

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\d1f61ab8-a5be-4d98-a37e-82acdbe7919a
Filesize: 28KB
MD5: 0509abea012c97b939d99a928368b671
SHA1: 44ebe0e2ab012d5a71c39a6eb5a22ddab70b1dee
SHA256: 4e57665955dd33ec96b514304aceea1f924725d5b24f2e022f1d75cf6da96d05
SHA512: 776bddf0597d9f475349a3f83263e01f79872355d504ff0a89f2b9382eccb13da31eaf4174c29ece0d4b06bbec593c22b0dbc68f66239e000b885c40c6fe6d96

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize: 1.1MB
MD5: 842039753bf41fa5e11b3a1383061a87
SHA1: 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize: 116B
MD5: 2a461e9eb87fd1955cea740a3444ee7a
SHA1: b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt
Filesize: 1KB
MD5: 445832e68cbe83e8478e025ede8ae9f1
SHA1: c70b2afbb5325698ea4c0ed48ab5eea2b5b2102c
SHA256: f02d2a10cfa68ef45da56d24e59e4cc43806d61111ef7c4055b2ae343aa52459
SHA512: 04cc9c1886c8ead9bfd7317fe656ff0637a1cf8ef81a4caacc5c9a481906962ad3374ab524a951cfa5b4a6d84ce931b72e3ad45a537ddbdcbae1cff40ead402d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize: 372B
MD5: bf957ad58b55f64219ab3f793e374316
SHA1: a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize: 17.8MB
MD5: daf7ef3acccab478aaa7d6dc1c60f865
SHA1: f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Filesize: 12KB
MD5: 5334f27f0a168922eecf5421b0a9e8be
SHA1: f83b1c915dca03e5ce2ee19978f34ec23463495c
SHA256: e8ca418cc1b81b9635da38406c087b76cacae5fa0fa56cd605474ce43cc9ccb5
SHA512: 3a60b6bf413f6532642f20a2206532397893845255413e6bbb38dcfd8b7e2d979e146b0a6aa66dd8c1fce3d770bcebf9abbd856810a147a5ebfbb6df6a080488

Filesize: 12KB
MD5: 9cdd24ea13d68584267a46410507846c
SHA1: 100799e2d60a5eb526336d15ef9a80a31feba909
SHA256: ab1df8c7123909cc75eb9528662c665583d84512a0c5634e21fb031190900195
SHA512: 3f94b92f79c292ff14ac7bc9a9ccd8cac24ca4cb37d94bc11638ccb336763990bdc98697ccdc42419a34c6dda1f814418a1f9b0be3aaf9889a488143644f415a

Filesize: 11KB
MD5: 208d382607dde2e3fa18b6da5ec175aa
SHA1: e8cf87292f1a7b7e41b23b425e5e3be62dfe1d57
SHA256: 43d4e4f3d3dcc2a0a18d4025480e144b6533790554fbe9a2040993ad482ac3a5
SHA512: 9eaf61740b1d0835511398b726d99272390e94c88859197408c1acfc73609a94c3925155ea81718ffcbee98bdbd09507239ee48171cbfe757cd1b61184725de3

Filesize: 13KB
MD5: f19cb74fcf3d3364fef85c78996d95f9
SHA1: 2b6226394897c4dec7c7017155098346814c9bdf
SHA256: 9ea078f3bd7f9aaadbc03d48ad6ad1c34121a4354bbf4b5a6511d93848137362
SHA512: 02747efac95339a0af97f2904c51cfdd19ae76c598adf199bad2a340155a3f78b0434c6dc73801126a526ad9c141bd1c83b93e20f622cd3b55e522d650104329

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 5KB
MD5: 56d3e346a3e0c57ecde3e64a64dfa23b
SHA1: 89461c146aa4676f2736c62e68f96c528c86e582
SHA256: e2f2ee9ff2df8b5d631077365d9a3fb2ad9a7b0fadfea751da3c481d8426b86e
SHA512: 36441432967cf207cd7ffab3752846acd77a4c1aec02ef0f4ef2ee70dfc196479d8566119d3e25bf81a5d21cf60fc297c61d9b5d5eb3d9660b1d69e168ce88bd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 7KB
MD5: ae41149f86ac89d6998c998ede538185
SHA1: e143580a0e214a143830a108e9a177812470fe61
SHA256: 5345cce7a2e14237f45bbd574771dbbe45086569659b40722eaa953b0d313f3b
SHA512: ffdbe3b2721613c95ed7e99c83b4f323db127a6512f99fc825f5adc9f14818cf53829552b8276ba844fb299b162b0846bc54a3573b4064ac9f2c12d4edd955b7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 7KB
MD5: 4e538180f8751d62be8da0b705eafbd5
SHA1: 6ab027c9b7a5bdeed151c80c65b84c0645495115
SHA256: e85e7c63f749355116189759861ebfd0a1a1841860368cb721ab234f818b0876
SHA512: 319b059429597184936c3096905ed3ac2238b64c32faea407ffb90f74b1899aa4c82439d0a9ccf9796b3e1b7fed6251c6224b0bfb37b9920fae8ed24e9256704

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 10KB
MD5: 5494a0bf0ae5d9e70f24654990386e6f
SHA1: 0fa20d232dec997785d79b6ef706e13e7cd6c027
SHA256: 988ba3f1936b72e48b8b86950092c4604c535916d40934e68745fddf3862b7a7
SHA512: 9ef2825edf6fd5874d9d6ca1b824cec8a362261c25e7201a5d52a37c353a480189b246acd6f2616d40f161e099b177a78200603f5cb1c82f007a2ca270e0a079

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 7KB
MD5: 80e2d0a4254b9a97436e5f125ee68002
SHA1: a3f0818fbe51286d1820360959e968d1143ea262
SHA256: c749ac55f328e283fc9590b8cc6821fba60faa7cf5858445ec61d71bbf15ecd4
SHA512: 305683a1c72ebfc82c1e329968c85e26ae4a37ee070e7ca38a45eb3056268d443807ca43cf00c3349ef6e3c77be40ab79e0a8bdb4bfeb8acd6fe14fbe3797cfb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 10KB
MD5: b58cbf4bd216a6c54cd835a125de515c
SHA1: 89fab78862d210dea72f03092fcd8d988d044cd0
SHA256: 885177e588156b69ad94d237b4a035beea17b0367d3d934acfd685ed421934a9
SHA512: 55d8ef0345f33978e5e9ed83afebf078231ec7435a656a3dc500552f1472c57863779095e1de69ad08e5c5fa65671b39026b38eed3c9eb78d09b87e9231d4880

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 10KB
MD5: 684c146fedbe092fd06efc181d39eb16
SHA1: 8e4a42b68b3db528568bbf1497118ea9376f2ff2
SHA256: c6820080116e9111cb50dd78918ab12a5428aacff1f873464833c29853d1a1e6
SHA512: 29d6b5809ab997c1815a83148b69361889a7c2c45deb25eb1fa3ed5c7d209d72bc95609e691f3be5a3f313b61a391b571aa730674b083544110c631cb28ed782

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 10KB
MD5: 7f0b792e816503185753bf77ab204258
SHA1: ac8cf000fd3076d7b2d4c7a61a35ca1481d7d0e4
SHA256: a2d793962c340b9cf0c30cfdcf3ac8d2ac842e5e70c56bf845f80ae758c47289
SHA512: ba95ceaf47da3948076c72d1e4f719a8bc49763f6ddf5efd0acc5f94084c81afc7acd61c814398ea1fc83439f6778d36f37958968902299e3863875a65697f2e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 10KB
MD5: 71bc7a563f46bedba3cf99203cc0007b
SHA1: 71f03ec824a124d0465fdd59583cbe05eaec07e3
SHA256: eb9fcd4dc84847da5320d11980923f4ccfed7451acd9fef8b32725153d260939
SHA512: ef0f8028d558d4d2f8d8325ae96912e1e38f6b43d610e6ca881cb01d616493a639c2d4e9a37bd8cd3540d77fc8a7fa8cc2d917f323d0277bab74efd832300499

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 7KB
MD5: c0aba4d1b64fb9da68795a4ad1ed5451
SHA1: f90340731708600785eb1d07f8a94b5fdc77174a
SHA256: edac3b1d67ba83ebe67224a89f2f0e36fefb49c0b9c760092bb5fcd1ddefe439
SHA512: 6e7ff9611e6c91d5e2b5431a81c6b334f3e793d0aad44455122a9bfd1039dfd32ed591ca5af33735fad6633657308e3039f445823a2f9f437882ebddf8e006a1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize: 7KB
MD5: d24ae6ea332bf15723be18774118204c
SHA1: d861471108095ea17a62e849ca2b89078c1a5cde
SHA256: 82ef3b680c01dcde089460bb5b5084c05a69c5bab3c9a51e866e5b0e05b7f88f
SHA512: 84031ccbba636d588cbde3e7ae9f25f6c36079551eb9ebefee90f6efa6a66650200ebd2b40b8ed50cc2069ba96496ce17fd0a6a737489551ae182d8a5495ec74