Analysis
max time kernel: 290s
max time network: 322s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-08-2024 14:01
Static task: static1
Behavioral task: behavioral1
Sample: crashpad_handler.exe
Resource: win10v2004-20240802-en
General
Target: crashpad_handler.exe
Size: 615KB
MD5: 9f12b93fbe757f35df3cb953a52c593f
SHA1: 74e3808a94a78ccecdee9cb8b02eb0ee23ac9a81
SHA256: d7fdaa84062bd7594fc5fc9a9eef37afe07f25a6c2e332e88bac1b35becb4c81
SHA512: 798b46eb29f0d3f849ee1c57ed16ebd0d4fa63f9ba10edefa8a26683b5baf43afe2213f46e5da4ce391af56fb3310c89e938f48738168c48dd0718494eaef203
SSDEEP: 12288:PWHL42mwBOrsD7AVFO5rxLEuuOdfj/Tua/rRe408RIE:OUzwBUsD7AVFO5rxLEuuOdfj/Tua/9ep
Malware Config
Extracted: crimsonrat
185.136.161.124
Signatures

Chimera (64 IoCs)
Ransomware which infects local and network files, often distributed via Dropbox links.
Chimera Ransomware Loader DLL (1 IoC)
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource | yara_rule
behavioral1/memory/6176-1572-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
CrimsonRAT main payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0007000000023630-1109.dat | family_crimsonrat
CrimsonRat
Crimson RAT is malware linked to a Pakistan-linked threat actor.
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | Fagot.a.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Renames multiple (3280) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | process
4560 | netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | Remcos.exe
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | CrimsonRAT.exe

Drops startup file (3 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe | NJRat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA | NJRat.exe

Executes dropped EXE (12 IoCs)
pid | process
5208 | Remcos.exe
3712 | Userdata.exe
1540 | CrimsonRAT.exe
3860 | dlrarhsiva.exe
6036 | butterflyondesktop.exe
2768 | butterflyondesktop.tmp
3400 | ButterflyOnDesktop.exe
6176 | HawkEye.exe
5556 | NJRat.exe
1540 | Gas.exe
6292 | Netres.a.exe
5724 | Fagot.a.exe
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | Fagot.a.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | Remcos.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\"" | Userdata.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop | butterflyondesktop.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .." | NJRat.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | Fagot.a.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) (27 IoCs)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
flow | ioc
132 | raw.githubusercontent.com
133 | raw.githubusercontent.com
130 | raw.githubusercontent.com
131 | raw.githubusercontent.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
279 | bot.whatismyipaddress.com

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" | Fagot.a.exe
Drops file in System32 directory (47 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\NOTEPAD.EXE | Fagot.a.exe
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File created | C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Netres.a.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier | firefox.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | butterflyondesktop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Remcos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | butterflyondesktop.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ButterflyOnDesktop.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NJRat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gas.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Netres.a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Userdata.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HawkEye.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
6048 | PING.EXE
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | Fagot.a.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | Fagot.a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fagot.a.exe
-
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key queried 
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2173592293" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2172154563" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125879" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ff768277f1da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f000000000200000000001066000000010000200000005ca932f1a4674c0bddda0ab1049411a5313824f1eebc4a389d56d63f6ec57c6b000000000e8000000002000020000000a16d604e689c52f6a15f1c6c234cb4a1693e237b309cf188ab54b7b6111b73b32000000077073512d6d6493551e61faec376bc47fafbefa4636dd6f7e1e9a863a70dae49400000001a35203cd76f491c7743d84e85ba89ea5ad0c9b0fffc38bc67f556ef6008514faf48a56a2dbeced0eb21f26fc76f4f5d60447f0f81d38ac7a9b5f9340aafc7bb iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2172154563" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 
01000000d08c9ddf0115d1118c7a00c04fc297eb010000003d1c6f3067c0c84abb3839afa92ebb0f00000000020000000000106600000001000020000000a309a46242d19034dba446af310112f3bf08badf84f7c64d2b06b9002a1093bb000000000e8000000002000020000000e22c229369238521e5f11eba70f5a368b2237675c7d6031991bcfbb274233a74200000001335ac75da4254fde275fb9e8ac0ca53e3117ac5b366a73cea797c893be628f34000000075d530f225d23705e216abb7d7044b1d0c8624354da6f574307ddb7ef63f40c3ce574f7d8448c91cb05e737706525c0064e46590adf49c0cc43af14cb1341854 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31125879" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430754797" iexplore.exe Key created 
\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main Fagot.a.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31125879" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD145D5D-5D6A-11EF-939B-4A4A300BA5D9} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 
e0626d8277f1da01 iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" | Fagot.a.exe
-
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8D46C1B6-BBAB-450D-A61F-4DDC898B21D4}\ProxyStubClsid Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5104D3E9-5038-517E-9CF6-28C106CEE038} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4466E0F-C942-4C9C-98EF-B31A17AEAF1E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}\2.4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE7C4271-210C-448D-9F54-76DAB7047B28}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\ProxyStubClsid Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A957A2DA-0158-411E-8A77-C2EB64D89361} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6F4670BB-CDF1-4FB7-8D5C-46C9200DFBF3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WScript.Network Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{62776AC3-A015-4BA5-A1C7-DCD765881249}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EA3AD8C8-6BA4-4AB2-8D21-BC6B09C77564}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D320710-06C0-437B-A55F-826F48CC7EE7}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{156A0971-F6E2-4767-B7CE-D33E2798037E}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F50C7D0-D1AF-4A97-AD81-7FDD5934AD32} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CFCEF9A8-F1EF-41FE-9C2F-BEE528BDAB75} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFD074F8-3A54-4FB3-8771-277D3E2031C5} 
Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104B9-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F5A5-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11B48E3F-E93F-4960-8998-F755B4D9C64D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{eaba9a78-1f52-4fa7-adbd-e0583c197cd3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305104BD-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BFD12A4D-D96F-4504-81CB-0FED07AC05BD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7EF7658-E1EE-480E-97EA-D52CB4D76D17}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B054A561-9833-4AED-9717-4348B21A24B3}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E4FE5A4-3E03-40CB-93F9-31AAAE4E9CFB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B5EEC44-51AA-4210-B84F-1938B8576D8D}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44F8F85F-5514-49A3-8173-6F9C9F1C4832}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{302F0F55-1EDE-4777-9B38-115E1F229D56} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6F94D0E-78C2-11D2-8FFE-00C04FA38314} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C62F453C-42AF-40A1-8277-692C4D56E24E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3EE-4981-101B-9CA8-9240CE2738AE}\TypeLib Fagot.a.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{863A99A0-21BC-11D0-82B4-00A0C90C29C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6CC9A3FD-2236-44D0-BE9E-162E773C73BF} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A1C53C4-8638-4B3E-B518-2773C94556A3}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F134C4B7-B1F8-4E75-B886-74B90943BECB}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59CD1B0F-82BC-4228-898E-B3D1C8304C04}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59720DDE-9DC2-4196-A962-DD6A9320D578}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{305106C7-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC40BEC1-C493-11D0-831B-00C04FD5AE38}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B104D8B7-AF19-11D2-922C-00A02448799A}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ED25831F-90DB-498D-A7B4-EBCE807D3C23} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{c088cec3-08e5-5f35-a2b9-0900d028c83b} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{461FDA3E-BBA5-11D2-B10F-00C04F72DC32} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20F22571-AA1C-4724-AD0A-BDE2D19D6163}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ABBA0019-3075-11D6-88A4-00B0D0200F88} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91590ABC-9C90-49EF-9B02-70F94D2C5544}\ProxyStubClsid32 Fagot.a.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A64A872-FC6B-4D4A-926E-3A3689562C1C}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{461FDA3E-BBA5-11D2-B10F-00C04F72DC32}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4291224C-DEFE-485B-8E69-6CF8AA85CB76}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C861803-B3F1-4956-9BC2-7737BA72C606} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{51973C56-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3497CC3C-9BF7-49E6-89BC-4BC88B3FAA01} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510706-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{12C1180E-C257-4485-9800-AF484B699713} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F2FE81-F764-4BD0-AFA5-5DE841DDB625} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{919AA22C-B9AD-11D3-8D59-0050048384E3}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9C627E44-7A53-4938-91C6-F60F3ECBEA94}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D82C119-880A-4A3D-AF6B-DF0BB266518C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{52E75B61-A7A6-5B3F-8789-47915897E72D}\ProxyStubClsid32 Fagot.a.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F3BE369-0B78-4511-91E5-08F9FC5CAE0D}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B482F52-F12D-4BFB-A185-1C5F7774FF37} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BB1A2AE3-A4F9-11CF-8F20-00805F2CD064} Fagot.a.exe -
Modifies registry key 1 TTPs 2 IoCs
pid | Process
6136 | reg.exe
676 | reg.exe
-
NTFS ADS 9 IoCs
description | ioc | Process
File created | C:\Users\Admin\Downloads\Netres.a.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier | firefox.exe
File created | C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier | firefox.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
6048 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2104 msedge.exe 2104 msedge.exe 5568 msedge.exe 5568 msedge.exe 6728 identity_helper.exe 6728 identity_helper.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe 5556 NJRat.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3712 Userdata.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 50 IoCs
Suspicious use of SendNotifyMessage 45 IoCs
Suspicious use of SetWindowsHookEx 46 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\crashpad_handler.exe"
  PID: 4448
- C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 4244
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 396
    Signatures: Subvert Trust Controls: Mark-of-the-Web Bypass; Checks processor information in registry; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {256181b8-65e3-48c3-812a-55a9d45b7e7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" gpu
      PID: 2448
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8f02fbb-609d-4388-a65f-b3249aa2819f} 396 "\\.\pipe\gecko-crash-server-pipe.396" socket
      PID: 1380
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3336 -childID 1 -isForBrowser -prefsHandle 3292 -prefMapHandle 3324 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {931c3016-ff52-4b77-bee9-2aa5b0283cf1} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 1800
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2660 -childID 2 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ebc4c589-2afa-4e91-bf2b-d39bc2e1d6d4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 3604
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4336 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb345663-e8fb-4824-a27e-fa217fde2dbc} 396 "\\.\pipe\gecko-crash-server-pipe.396" utility
      PID: 4572
      Signatures: Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 3 -isForBrowser -prefsHandle 2860 -prefMapHandle 5240 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a5c4605-76d4-48a4-b159-74feae699090} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5800
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 4 -isForBrowser -prefsHandle 1520 -prefMapHandle 2976 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ece6d16-9af4-48fe-b1ca-3a1cc943fcee} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5816
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5880 -prefMapHandle 5808 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bfb0c4fe-ccb2-4d01-9dfc-87baba59a7c0} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5828
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6224 -prefMapHandle 6228 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5617c4b7-dadb-4aa7-a680-6d553f84d3ed} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5172
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 7 -isForBrowser -prefsHandle 5720 -prefMapHandle 5736 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2301657c-b592-47c0-9b2a-bd9cb433be7c} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5256
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -childID 8 -isForBrowser -prefsHandle 6112 -prefMapHandle 6364 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e8b257e-7d64-4089-a3a7-ee5ca4838cc7} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 5244
    - C:\Users\Admin\Downloads\Remcos.exe
      Command line: "C:\Users\Admin\Downloads\Remcos.exe"
      PID: 5208
      Signatures: Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\cmd.exe
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 2000
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          PID: 6136
          Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        PID: 1196
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\PING.EXE
          Command line: PING 127.0.0.1 -n 2
          PID: 6048
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Windows\SysWOW64\Userdata\Userdata.exe
          Command line: "C:\Windows\SysWOW64\Userdata\Userdata.exe"
          PID: 3712
          Signatures: Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\cmd.exe
            Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            PID: 1384
            Signatures: System Location Discovery: System Language Discovery
            - C:\Windows\SysWOW64\reg.exe
              Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              PID: 676
              Signatures: UAC bypass; System Location Discovery: System Language Discovery; Modifies registry key
          - C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 2988
    - C:\Users\Admin\Downloads\CrimsonRAT.exe
      Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
      PID: 1540
      Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      - C:\ProgramData\Hdlharas\dlrarhsiva.exe
        Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
        PID: 3860
        Signatures: Executes dropped EXE
    - C:\Users\Admin\Downloads\butterflyondesktop.exe
      Command line: "C:\Users\Admin\Downloads\butterflyondesktop.exe"
      PID: 6036
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-GRCCR.tmp\butterflyondesktop.tmp" /SL5="$C0046,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
        PID: 2768
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
        - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
          Command line: "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
          PID: 3400
          Signatures: Chimera; Executes dropped EXE; Drops desktop.ini file(s); Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          - C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
            PID: 1964
            Signatures: Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx
            - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:17410 /prefetch:2
              PID: 4500
              Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
          PID: 5568
          Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff853f146f8,0x7ff853f14708,0x7ff853f14718
            PID: 5752
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
            PID: 3548
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
            PID: 2104
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
            PID: 2352
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
            PID: 4012
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
            PID: 4560
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
            PID: 5188
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
            PID: 3624
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
            PID: 6208
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
            PID: 6300
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
            PID: 6308
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
            PID: 6608
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
            PID: 6728
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
            PID: 6740
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
            PID: 6748
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
            PID: 6980
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13131338518801510742,12304318506473561996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
            PID: 6988
    - C:\Users\Admin\Downloads\HawkEye.exe
      Command line: "C:\Users\Admin\Downloads\HawkEye.exe"
      PID: 6176
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\Downloads\NJRat.exe
      Command line: "C:\Users\Admin\Downloads\NJRat.exe"
      PID: 5556
      Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
        PID: 4560
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4956 -childID 9 -isForBrowser -prefsHandle 2780 -prefMapHandle 2668 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dd7f34f-ec85-4934-b9fd-32ebed29cbc5} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 3560
    - C:\Users\Admin\Downloads\Gas.exe
      Command line: "C:\Users\Admin\Downloads\Gas.exe"
      PID: 1540
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6296 -childID 10 -isForBrowser -prefsHandle 7580 -prefMapHandle 5272 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1196 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ac2e6b-1979-4153-929e-b6eef6e9bae4} 396 "\\.\pipe\gecko-crash-server-pipe.396" tab
      PID: 2936
    - C:\Users\Admin\Downloads\Netres.a.exe
      Command line: "C:\Users\Admin\Downloads\Netres.a.exe"
      PID: 6292
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\Downloads\Fagot.a.exe
      Command line: "C:\Users\Admin\Downloads\Fagot.a.exe"
      PID: 5724
      Signatures: Modifies WinLogon for persistence; Executes dropped EXE; Impair Defenses: Safe Mode Boot; Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer settings; Modifies Internet Explorer start page; Modifies registry class
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4852
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5836
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (2)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (2)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify System Firewall (1), Disable or Modify Tools (1), Safe Mode Boot (1)
- Modify Registry (7)
- Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads
Filesize864B
MD54f1b572ed3536242329ca95399adeb5d
SHA1ca6a429713a747f8c2f03163b7b7ed2755103082
SHA2562ca1379df7d33f17698d34851041761a5a948cec023bb8877049068a541ac508
SHA512d474da315ed04f554769ea4ff37e12e0a9499886f430590bc4d379aa724b3bfa524c31aeebfeefe208401a28b2a9c00188a87d6686788a9da9a1e7cce1863000
-
Filesize
2KB
MD5a4056a92b61a8aad9744fdb4c0dde817
SHA1efa22442b573338643119e5fda2f94bf74ba2bc6
SHA256dac8b9126a47f8e006baaa428512cf118072975913bfabc87c2f262f475f7c16
SHA51298523a2ca23ebb005b1f08c6e37d9f1025c30364eae052b6cb42b6d078fc07c16ff22ee21fc8f441b6836a7c729d7bb50eab752e81d4a823de3cb3ff5c8909f5
-
Filesize
5KB
MD5ab694cedb68698927a1cdc6a9284f6eb
SHA15e8b2b3ab2d3a4cc42aaccfe3775f5b27658ebea
SHA256f21734815da8c323dd248be989223e426b366452df43e2104a28d1997eb184e1
SHA512d49987d10095f3f6231ec9e16780a75e741aa5feac0e194cff7a5a49ebdee16686f54c73935742239c67fa33590a2ee1678c490dc0b18f968ff58e78d6301239
-
Filesize
8KB
MD58e57c847e03b916d6ec69fe5efa1d161
SHA1be9477dc4fcab101cc9452fba948c454fc4b2ac2
SHA256776cd0ff88e9ae042a397126439e29bee75b0867428b17b4ac79a333e93f9d3a
SHA5126a858430706d187b5afc2063991d3da3daf2ba6e5cdea85cd273d50855fba8e834233c2cad40faed0ab672ab03ca95a970a808bf8bcfb16eb94641f19d8779bd
-
Filesize
7KB
MD53b22e96adbdea702d15a619db627b483
SHA1f8fb2b3e4b8b4d0e05e8ec89e213476b6bbc2a82
SHA25630f1633d6f0d239f267653d440ddfd833479c8f593434ce6e47e8d08943eab68
SHA512297bdb6ce320c485c68f627361c686b95b28bd42ec600ed2bd97e46c462a2b115b4e587b7d279ee4ee246a37e678b24f23f0d53a1674b4cb4dbb9417cd712182
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5ebcec5983d98f9f16e4af2b8eedd2964
SHA10b3639b6edfa79b6b784624dcdb7f03e82422c7f
SHA25659382da9425594047ff6a74f02281c0c397e5e6796e5f9b26d90007ad5e51e63
SHA512043e49a67e8076d2696b67c99fa5d10cf037b80ad92b12d90b6a7a741bbf3ea6ad68c0cca8d3801b51eb7d39b124401cd98df8e4e17e89088db3c5dca31262ba
-
Filesize
11KB
MD5d4ef9352f08ef94cda9d0f48bcb6c773
SHA11b65c1a90e7d5ba52233d341eb07ae92805abb7e
SHA256c41d68abc1dff7176e6cea7a941641a5f59322fee7d9b1d0891e294507d96a6e
SHA51237968a2faa2b89af7f8e41841ed3862793f993f3ca03924b0e68e97a4fb6bb210a1ff3a6768468d0517bb84b8943ec4139d20b5ba5ca4f67618aa11fbf02cb4f
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json
Filesize33KB
MD55120d25ae113d269e572def866f5e9fa
SHA16d871ad0514bd79adc3ca775ee0ba40399819d0e
SHA256f5a4b2f9c8fd24ed652c749eac645d718bde338b8577e850aa6e7170bb982a27
SHA512c413d0e36b54654bbbb28a553b8f5f995462f1e02504bc0436e260e3c1f53e7bd2780a8b4e51aa4f07f79042455625264dc92311ae5917bf8adf6038d119a1d3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\cache2\entries\959CF48BAAD235E68169923EB0513440CADB4E07
Filesize179KB
MD59f1358363a45f33cc0b5b2a87c6395d4
SHA17f12deca47996fdad35a97974161191e541a518b
SHA25668afb33a889520e95f96881599269bd527192c790937d3e9b517a5d82d6adf9b
SHA5127edda482f3ed27c57662f368171ccf6c35604cdc865d42e04e70c96ad3d6280b3c67ab863fcbdc10709b17181eeb2428d4f2a13de023bf8a04f5bbb224508968
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\jumpListCache\5tOoRgqM2WFj6Vw1c4rO2_+YmkxFZjW5qiS0f5iJu1w=.ico
Filesize25KB
MD56b120367fa9e50d6f91f30601ee58bb3
SHA19a32726e2496f78ef54f91954836b31b9a0faa50
SHA25692c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0
SHA512c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f
-
Filesize
135B
MD590022f82afe48963cc42547209f18f96
SHA1e60698c77e7df4cccc493f2cfa6d76f7553d71e2
SHA256046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc
SHA5126743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208
-
Filesize
688KB
MD5c765336f0dcf4efdcc2101eed67cd30c
SHA1fa0279f59738c5aa3b6b20106e109ccd77f895a7
SHA256c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28
SHA51206a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891
-
Filesize
2.8MB
MD51535aa21451192109b86be9bcc7c4345
SHA11af211c686c4d4bf0239ed6620358a19691cf88c
SHA2564641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6
SHA5121762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize20KB
MD537b6301d140666b52c0be03805162761
SHA1fb86c061e4a9ab47b5019c5d00a790de2907267f
SHA2564b60d4c650a2b95f8872c9721815f670f058d017fa7df9b862870b1956a65d81
SHA512256b569933ff33b7a6090bfb5a236015998d52debf17e851801c3fb1fdd098c4ccb4cd73f731ea9764f452e6985dd2e949c9b9da466c8a2a7369a1f87c7a7c22
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize19KB
MD5ecd24da2f3a4285235c21f4a4cebb6e4
SHA14df2521318666415ed387eb3519520c445314234
SHA2564a5c33f4a899b93e0697eb01b7b82b9a0bfca53820faab4940c4e823708dde4c
SHA512bcefdb3c16d6df8a4b0130615d3f29d14ebf8cd65cf14f717728c8db2794ab0b1bd0a6e59290d0eb299676f1862fae492e085bff08208fdbaedf8b7c21cbcf0e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize7KB
MD54c27f397d4e64efecd06450b26545f16
SHA1975cde2380061a74854b4558a076087b18f16b41
SHA256e77a018d20858bb68789ff659e507f0d3a30b354a2f7dd43493ef335731d0df1
SHA512b45b339612c3972c5ca936f9f56d10b79ce18e7f0e87089d068633c24bef76f55e0e05edfdc5ab471fa6573948f0cbdfa5a0b8c40e29a3dd5ada0d0fa91d3bb3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize14KB
MD5b1df77774465e0fd3f802db52acc9af1
SHA1d0eca8115e844f14a2a6709d15527efc98b3f346
SHA256347f3a0d9084f9edd7061d39c2dabe88d1b4752aad972671c6001597c444bf9a
SHA51221b4f41bfbda2397e7e4b58a90ddfbb469b1e15cdac2cf50deb46a93855fd65c6363fc2ad203ae43608bb2b612b6abae410455e4e94e1c0dd4a145aa3bd14bbd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize13KB
MD50cd9bdd4ab3ef8784f254f121c2f11bf
SHA13d20c604c233ef95a7178cf63b980ad582a5f005
SHA2569abb6b0afc8eb3c101796a79249a05b13113daae786cb93ffea8f84f49939dc8
SHA5127e820658e5eb8122eba68069c96afd81dc91dfc40a57c63dab34f5dc2935a349019bc373907a151187f72d26065ef59589a157c40c7c02e593bfbf0ba7987aa0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin
Filesize17KB
MD5ed4874d418581d64c528459578bf329f
SHA12becea961540722621d16803ecae9e1097a8876b
SHA256dae3e30dc25d0a15aaf1fae5ecaf5f111246efa261ac884b0bd79911ef0b312e
SHA5127e531674a64f299591553a286e8231c732a62654d90aac85221646b3f2fd1cf76592e084cf22240286abd9e3d6a7b9f166144de15073ca2b939254f3e154f979
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\SiteSecurityServiceState.bin
Filesize3KB
MD50198f27014b1c11d06085579e54dce44
SHA11527bde0713ba9f847ea948b667585f9106a4bcf
SHA256bcf664200430af7a00c14e06bf8e6b0ec9e087705e0ae4464bf25ba16b9aaa8a
SHA512fdd614af688e32b451678e2d734f85a35f350fc2283d1515dfe53cd9d0bc8cdeeaa78f993ba96ead230674019aac6a0cdd755ca4d5398780f4e60156b0c73786
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.bin
Filesize7KB
MD5b7f2aeeb357e813d0070fe7081d27bb8
SHA124d71c4ebb183c70aff9a55925554d9d6cb31a64
SHA256a977931f200b966488e063e6373ad2cc8efbe691a90ed2eed37365869ba95586
SHA51299b4a3e1ef562ff5669aef55c571f8057bcb2aa30b72eda9c0de169da91ea039523c12e0977cc453e3ba6e043855bef086a86d2ea1876f0cb9738e6adcc1a6c4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5c02ed35a4c2c1acffb1a3accd5cecae1
SHA1d73b4e80ea69797b1bdaecc5c3683ec01e671bcf
SHA256945dd0d1c59066d4589547bd14b39d9e058683ba218d2db1b69489afd0eec7f1
SHA51235cb5f3538dc08960b6ee08a37c6eab4921a8fd7b8883d154ed7f151ef184682d7af74bba87cd3fb85a29fba10fcaa38f963867baa512d7bf2e54a38febef69c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD573bd1e2e4b04a0e6cce88672e61d8ccb
SHA1ac53403e1fc752e2fd72bbf17f6e83501bd1e2eb
SHA256f93361746d5bab05b7089521612476650cedb5dd57aaf8438fc1b2a3e34bec53
SHA512029073071bcb700513b5b6f2916b351d5d5665fcd54c6adfcd04e89e5d16f2996e418eeec071357a47c65ffcc5add1dfc05918bb82cdfeedc4d4a7e837e0b9a1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD52650a0ba839eaaa4a516a991a71dd217
SHA14f09d5a09dbe9ca3d3dc865ab67b1ad8cb9ab078
SHA256efe0670fb7382e5e9507c3bd869305dcc523148b9abad7d7ebdcce8947bcb003
SHA512525365b2ed2fd2c9d3b6979d157d286dc91aae084968d4a15e6c447f59b4d6e0be4a0850c83aebf5a0f84f029890d05e141dc35f04acb8611dca91938a41aad1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize55KB
MD52daa9bdb4ecfac0f2578c1a37a7b852f
SHA1e4dfab5ac13c74a3e65f6be371a90fa788526ff4
SHA25616be09a9221eef2c1062b76d7376aefd7a98fb1b5cf575f0fdb5ab666013b075
SHA51239f8d754296d87e33cf07086bd250f71b2576ae99859cafa06c989ac543a1b15e18b740f2f6040f1630fd6c1901d448f4ece13feef8b9b136282f4558ab58399
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize55KB
MD5e79b6610d8dcd0b1079f8cab10b8b6df
SHA10e672b670201622a8eb11c467942d2f66ded1b39
SHA2563cfd583f837a278bcca231eda8b18f02cc05935d9af34eb0b27591280295b4a9
SHA512c65ce3c39f2c55e7e15f98ce51c4b34298fed2c70257ad606f9c28e96f7188054f0a94c4bd9ab39ba730d63a09488b5eca2bb06f0ed7e4740d6465853fc9e04f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp
Filesize58KB
MD5e24807ec01764abd2564db396f8085ec
SHA1eb1ee114a8848491f1497e9db1225c180805ccbe
SHA2566098b421e03ba700e892c56e610c024226a017ab0327211b7fd42326592f95eb
SHA512a13c2fabcb470c4b10acc98d1c098c0b2f19ae23ef08837d81c7714180b8ff5059f40e941e71f5552136a08a2eaecfd26de57c7f7a73980de72c7fae86ae0bee
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\events\events
Filesize2KB
MD577d6a0599a15cc6e1a5e9af7f3e6d591
SHA11d3917d2588903daaf549c8ba41af70cad326c5b
SHA2563ec4cbff03ed2439e5646249485e51513044fbcd6db26e9ea37e3770fdc84aa9
SHA5128c71d289f2c7147e376f38c0750eb1dba3a8751fa1f23ba2cc1a14f127454ced7ffe684e9fa41277579130961417d6b4d71628ac27b4ca810bb0131ee8f59efe
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\3a335481-108c-4aa3-81b6-8aebc7cd5a6b
Filesize671B
MD597d55ae547b08aec3186336d970d5a09
SHA1ebeabff8c5576b12a1af116cbde012984a0bb0dc
SHA2565db53c5ae8049f7f6464b372b4e630d944276d92efdf08b15f8661d06e6e3192
SHA512e6b73eecbed7347e6dd23592a3095dabe305cc02d7e854bb74cb67f51c5da4fb98a4363eb441c1bf72e2603bf7b16104ec6e189a4a798f3152f275eb738c4456
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\4bd3c9d2-e6af-42ed-b781-501730d0de83
Filesize847B
MD5e34c393a22da386a44b3016cd13c29ab
SHA1fdb7e71c42ff3d45e2ff6f153d9be681b5a6bb0b
SHA2563f4085a6649d125cd4b9f4b393d2934522497613206ce82d72939fac849e9924
SHA5120779a5c428b32d3528df9ba9731698e5d296ca9fb64f6b02af836ab59e8a778fd4619405ef9981204f7943965ef64b259a88e21c2b21d8eaff38749fbfa22df1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\921e5dd5-d8da-45df-8261-aa91b5e28d97
Filesize4KB
MD505a4566eac2b9dc76fdb9d48b11b5fc4
SHA18303b86df537618ed9dbee77b9b4d117c554c8c9
SHA256e255d2a511bd5c2744c749a0ff486725db40241dc049fdc7414146322b868776
SHA512f3b66571be792a7c64b1d9155808a1273ff5980da97d582aeff5394d5ca068d45221c92e6f9122ccb7aa0b34dd592ed18803bde7f230e0f16279930e03ad2988
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\c68c5061-ac17-4626-bc4c-f9290078ce5e
Filesize982B
MD54e8d9e3e9c59466fb0fb9d4b8d1177b6
SHA15efb2c0a678a952785e31b62b9032a5dafbdb4c2
SHA256537b5cf6840079b24c2b96b8bdac36c27e924976990f062759d415349573ccd2
SHA512281ed6a784a5327bdeb5a5c622a9a8ffd9f73bba6e5e9c713596fd664e4e3bc65c1cb8e222a1b7d876aa8908f99b231063d96aa22e48a3310ccec9b3a734f405
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\d1f61ab8-a5be-4d98-a37e-82acdbe7919a
Filesize28KB
MD50509abea012c97b939d99a928368b671
SHA144ebe0e2ab012d5a71c39a6eb5a22ddab70b1dee
SHA2564e57665955dd33ec96b514304aceea1f924725d5b24f2e022f1d75cf6da96d05
SHA512776bddf0597d9f475349a3f83263e01f79872355d504ff0a89f2b9382eccb13da31eaf4174c29ece0d4b06bbec593c22b0dbc68f66239e000b885c40c6fe6d96
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt
Filesize1KB
MD5445832e68cbe83e8478e025ede8ae9f1
SHA1c70b2afbb5325698ea4c0ed48ab5eea2b5b2102c
SHA256f02d2a10cfa68ef45da56d24e59e4cc43806d61111ef7c4055b2ae343aa52459
SHA51204cc9c1886c8ead9bfd7317fe656ff0637a1cf8ef81a4caacc5c9a481906962ad3374ab524a951cfa5b4a6d84ce931b72e3ad45a537ddbdcbae1cff40ead402d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
12KB
MD55334f27f0a168922eecf5421b0a9e8be
SHA1f83b1c915dca03e5ce2ee19978f34ec23463495c
SHA256e8ca418cc1b81b9635da38406c087b76cacae5fa0fa56cd605474ce43cc9ccb5
SHA5123a60b6bf413f6532642f20a2206532397893845255413e6bbb38dcfd8b7e2d979e146b0a6aa66dd8c1fce3d770bcebf9abbd856810a147a5ebfbb6df6a080488
-
Filesize
12KB
MD59cdd24ea13d68584267a46410507846c
SHA1100799e2d60a5eb526336d15ef9a80a31feba909
SHA256ab1df8c7123909cc75eb9528662c665583d84512a0c5634e21fb031190900195
SHA5123f94b92f79c292ff14ac7bc9a9ccd8cac24ca4cb37d94bc11638ccb336763990bdc98697ccdc42419a34c6dda1f814418a1f9b0be3aaf9889a488143644f415a
-
Filesize
11KB
MD5208d382607dde2e3fa18b6da5ec175aa
SHA1e8cf87292f1a7b7e41b23b425e5e3be62dfe1d57
SHA25643d4e4f3d3dcc2a0a18d4025480e144b6533790554fbe9a2040993ad482ac3a5
SHA5129eaf61740b1d0835511398b726d99272390e94c88859197408c1acfc73609a94c3925155ea81718ffcbee98bdbd09507239ee48171cbfe757cd1b61184725de3
-
Filesize
13KB
MD5f19cb74fcf3d3364fef85c78996d95f9
SHA12b6226394897c4dec7c7017155098346814c9bdf
SHA2569ea078f3bd7f9aaadbc03d48ad6ad1c34121a4354bbf4b5a6511d93848137362
SHA51202747efac95339a0af97f2904c51cfdd19ae76c598adf199bad2a340155a3f78b0434c6dc73801126a526ad9c141bd1c83b93e20f622cd3b55e522d650104329
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize5KB
MD556d3e346a3e0c57ecde3e64a64dfa23b
SHA189461c146aa4676f2736c62e68f96c528c86e582
SHA256e2f2ee9ff2df8b5d631077365d9a3fb2ad9a7b0fadfea751da3c481d8426b86e
SHA51236441432967cf207cd7ffab3752846acd77a4c1aec02ef0f4ef2ee70dfc196479d8566119d3e25bf81a5d21cf60fc297c61d9b5d5eb3d9660b1d69e168ce88bd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5ae41149f86ac89d6998c998ede538185
SHA1e143580a0e214a143830a108e9a177812470fe61
SHA2565345cce7a2e14237f45bbd574771dbbe45086569659b40722eaa953b0d313f3b
SHA512ffdbe3b2721613c95ed7e99c83b4f323db127a6512f99fc825f5adc9f14818cf53829552b8276ba844fb299b162b0846bc54a3573b4064ac9f2c12d4edd955b7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD54e538180f8751d62be8da0b705eafbd5
SHA16ab027c9b7a5bdeed151c80c65b84c0645495115
SHA256e85e7c63f749355116189759861ebfd0a1a1841860368cb721ab234f818b0876
SHA512319b059429597184936c3096905ed3ac2238b64c32faea407ffb90f74b1899aa4c82439d0a9ccf9796b3e1b7fed6251c6224b0bfb37b9920fae8ed24e9256704
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD55494a0bf0ae5d9e70f24654990386e6f
SHA10fa20d232dec997785d79b6ef706e13e7cd6c027
SHA256988ba3f1936b72e48b8b86950092c4604c535916d40934e68745fddf3862b7a7
SHA5129ef2825edf6fd5874d9d6ca1b824cec8a362261c25e7201a5d52a37c353a480189b246acd6f2616d40f161e099b177a78200603f5cb1c82f007a2ca270e0a079
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD580e2d0a4254b9a97436e5f125ee68002
SHA1a3f0818fbe51286d1820360959e968d1143ea262
SHA256c749ac55f328e283fc9590b8cc6821fba60faa7cf5858445ec61d71bbf15ecd4
SHA512305683a1c72ebfc82c1e329968c85e26ae4a37ee070e7ca38a45eb3056268d443807ca43cf00c3349ef6e3c77be40ab79e0a8bdb4bfeb8acd6fe14fbe3797cfb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5b58cbf4bd216a6c54cd835a125de515c
SHA189fab78862d210dea72f03092fcd8d988d044cd0
SHA256885177e588156b69ad94d237b4a035beea17b0367d3d934acfd685ed421934a9
SHA51255d8ef0345f33978e5e9ed83afebf078231ec7435a656a3dc500552f1472c57863779095e1de69ad08e5c5fa65671b39026b38eed3c9eb78d09b87e9231d4880
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5684c146fedbe092fd06efc181d39eb16
SHA18e4a42b68b3db528568bbf1497118ea9376f2ff2
SHA256c6820080116e9111cb50dd78918ab12a5428aacff1f873464833c29853d1a1e6
SHA51229d6b5809ab997c1815a83148b69361889a7c2c45deb25eb1fa3ed5c7d209d72bc95609e691f3be5a3f313b61a391b571aa730674b083544110c631cb28ed782
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD57f0b792e816503185753bf77ab204258
SHA1ac8cf000fd3076d7b2d4c7a61a35ca1481d7d0e4
SHA256a2d793962c340b9cf0c30cfdcf3ac8d2ac842e5e70c56bf845f80ae758c47289
SHA512ba95ceaf47da3948076c72d1e4f719a8bc49763f6ddf5efd0acc5f94084c81afc7acd61c814398ea1fc83439f6778d36f37958968902299e3863875a65697f2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD571bc7a563f46bedba3cf99203cc0007b
SHA171f03ec824a124d0465fdd59583cbe05eaec07e3
SHA256eb9fcd4dc84847da5320d11980923f4ccfed7451acd9fef8b32725153d260939
SHA512ef0f8028d558d4d2f8d8325ae96912e1e38f6b43d610e6ca881cb01d616493a639c2d4e9a37bd8cd3540d77fc8a7fa8cc2d917f323d0277bab74efd832300499
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5c0aba4d1b64fb9da68795a4ad1ed5451
SHA1f90340731708600785eb1d07f8a94b5fdc77174a
SHA256edac3b1d67ba83ebe67224a89f2f0e36fefb49c0b9c760092bb5fcd1ddefe439
SHA5126e7ff9611e6c91d5e2b5431a81c6b334f3e793d0aad44455122a9bfd1039dfd32ed591ca5af33735fad6633657308e3039f445823a2f9f437882ebddf8e006a1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5d24ae6ea332bf15723be18774118204c
SHA1d861471108095ea17a62e849ca2b89078c1a5cde
SHA25682ef3b680c01dcde089460bb5b5084c05a69c5bab3c9a51e866e5b0e05b7f88f
SHA51284031ccbba636d588cbde3e7ae9f25f6c36079551eb9ebefee90f6efa6a66650200ebd2b40b8ed50cc2069ba96496ce17fd0a6a737489551ae182d8a5495ec74
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize7KB
MD5a6fd7edefed67c85677704329c6245bd
SHA150a67c783b330c5804bb1b86fbf3e96dccb9a760
SHA256b00bdfd9b7b941c622cc320efd99d82b2f5ebca9f65a0e4ddaa6b8b33c2adf95
SHA512294351ee19f592fd7dcf6f615f1e00ebbc2910326fbad5e452aa02277bd84889aa170da5c26994f208504a2313fab0dc23c8725701afa243c15d7410428cb91d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize8KB
MD5437087237acebefb1b4ca12d1022fcf7
SHA189771a39d15121663294b36d725d68fa2ffbc4b0
SHA256c82b3c17a0c42cb08df340330a73d296ff9ed8a5cb53311b44ecc2fef3fe76cc
SHA51213641bb24c30bf4d2e55307d024266b141cf1976d8742df1a066faa8391490ce97777d6e193dce54e9c935c7e12c8ab9341becfd8d3339374d818b641c54adc2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5d33170276bcb80350708882464354db0
SHA1e5ad3ce052041e99db22a9d2441b846ae1031cb4
SHA2560047695c4a6c5ef31ec5afe820a5533c7bfbc0d26b77b084a208d78f749b2652
SHA512dab73ebe42eeebdfaa23ef8256397d156ed7ae91f6fe343f99a61031b42b51e55f1900a1c6c48d0a1ad12d640f8cec0b424a721ad03b0b2fcb7f7872a3d09373
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5121a5b5a449d87d609cb6b38b42c24cb
SHA1ba469fa3d970de84c7b75cc89a3fef6345e071bd
SHA25659d2cdc63b4c60e7fcf72568003ab8ed635452bc03508f6674d21573bb40ed61
SHA512df262cf66a69d1c64147d7beb73ecb866cf389f0e906d50617643b224228ef6ccdc9212d308f2e4d815056df5b0811624e410d9160d7240624cec418cc618ff6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5bd0c0070d38c57640787e3dd9235dd4b
SHA1b224ce1551b743a8444164756ed0ac794cd35ce5
SHA256f11243e28c08ad093ab53389512c66ad23443009f0ce84b48bb3f39f652283b3
SHA512c62595c3f590fb6d6923008f06a2ba5d7982d58e8c941f915a761ded94cec19a057b922970df30ed3ff044f980a7b48cf417e68d665377c191c9d43d37042b91
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\sessionstore-backups\recovery.baklz4
Filesize10KB
MD5d078a44f324c2dcee0342bbbe1289fbe
SHA143c781c013517430791746105ae3b0490f489d80
SHA25639f88ae3814bae17048d8a959e13e2119eb48defbd03397771bcd4f399e80bd4
SHA512d566f398a3c6c3beef37ba5ddd6b240b87a7bd4fda2cee0981cdc0497f20678de16db32d48abdcc53c75fb01e2edeb71b86f780cc67f80c8ac1697a0cc928ae8
-
Filesize
20.8MB
MD542d034ba4b698b676abdc012ce4f33a7
SHA1583996727c49bf69cd4f25608e9afa3576a72eff
SHA256aefe8934a78b62bfa2413a55cff440d6d6581b196f6095853d68343544b58e31
SHA512894af4b24fb7a86ca6c42c87b5e3d3596717c80bc2ec65e0969365100673a93abe767bf5333d57140287e327a5d7dc2bef636e7d18d4390b04f8428ee4dffeac
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
50B
MD5dce5191790621b5e424478ca69c47f55
SHA1ae356a67d337afa5933e3e679e84854deeace048
SHA25686a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8
SHA512a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641
-
Filesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
Filesize
18KB
MD5e7af185503236e623705368a443a17d9
SHA1863084d6e7f3ed1ba6cc43f0746445b9ad218474
SHA256da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
SHA5128db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
-
Filesize
232KB
MD560fabd1a2509b59831876d5e2aa71a6b
SHA18b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA2561dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA5123e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
372KB
MD5d543f8d2644b09445d9bc4a8a4b1a8c0
SHA172a7b4fb767c47f15280c053fba80de1e44d7173
SHA2561c0e2b7981ffa9e86185b7a7aac93f13629d92d8f58769569483202b3a926ce5
SHA5129cd77db4a1fe1f0ec7779151714371c21ed798091d9022cec6643c79b2f3c87554a0b7f01c4014e59d0d1a131922a801413d37236ef1c49506f8e1aa5b96e167
-
Filesize
92KB
MD5fb598b93c04baafe98683dc210e779c9
SHA1c7ccd43a721a508b807c9bf6d774344df58e752f
SHA256c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
SHA5121185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
Filesize
3KB
MD5dfcc58f60b4359027e11a96da9a16988
SHA13bbdc6f6a1bbc72b8a55810b40321436f98c407a
SHA256ce598a4f3dfb6b9598c0f0bb192a95948a7eb2917ce6b01f47340a50acee1ce9
SHA512a057afa34b9f79aaf643c4a64b2a83e37c96c2f96737a12e4eed30b2b6ec9aeacf246bf6e4e47902f20cffe38a3be908be1878bed00009d5b8e0a2fa37b05097
-
Filesize
3KB
MD5e63ac566fd0249c301960ddfd06c3436
SHA15c8027eb92b1a31b035e6222dc42b30f4218526a